@tim_g said in Hyper-V Network card setup?:

I leave 1 NIC (sometimes teamed) dedicated for host management and replication and such.

Then a team of 2-3 NICs for all VMs to use (not shared with the host OS).

In your case, for testing, I'd do the following:

NIC1 = Management, replication, migration (this is the one that gets a DNS entry, turn off DNS registration on the others)

NIC2 & NIC3 = Teamed - Not shared with the "management OS" (uncheck that box in Hyper-V later after team is set up)

NIC4 = Other testing as you see fit (iSCSI, DMZ, different subnet/network, failover for another network, etc)

Thanks. And this isn't for testing. I actually want to use this server for some production servers.

@jaredbusch said in Hyper-V Network card setup?:

@tim_g said in Hyper-V Network card setup?:

I leave 1 NIC (sometimes teamed) dedicated for host management and replication and such.

Then a team of 2-3 NICs for all VMs to use (not shared with the host OS).

In your case, for testing, I'd do the following:

NIC1 = Management, replication, migration (this is the one that gets a DNS entry, turn off DNS registration on the others)

NIC2 & NIC3 = Teamed - Not shared with the "management OS" (uncheck that box in Hyper-V later after team is set up)

NIC4 = Other testing as you see fit (iSCSI, DMZ, different subnet/network, failover for another network, etc)

What is the point of a management NIC let alone a team? You have everything on the same subnet in a SMB anyway.

Management networks are all fine when you have a large infrastructure and multiple subnets.

Yeah I don't have a management network set up. Though we do have a lot of servers and appliances, so it might be nice to set one up anyway. But that's another project for another day.

@scottalanmiller said in Hyper-V Network card setup?:

Think of it like any other resource on the machine... you pool your CPU, RAM, and storage together for the VMs to share. You treat the network in the same way.

Yes, totally what I was thinking/hoping. Now I just need to figure out the powershell commands for this...

I set up a Hyper-V 2016 Server last month but haven't done anything with it beyond installing the hypervisor and configuring sconfig. I'm about to get back to it here but I'm unclear on something.

My server has a quad port nic installed and right now I've only got one port plugged into the network. Now what I'm wondering is if I should team the whole thing from the Hyper-V powershell console so that virtual machines can share that team, or something else.

I can't imagine it's reasonable to have one vm per nic port, otherwise I'd be restricted to only four virtual machines until I add another nic.

What's the best practice here? I really should find some documentation..

@scottalanmiller said in Suggestions on replacing UTM device (SonicWall) and rebuilding security systems?:

@dave247 said in Suggestions on replacing UTM device (SonicWall) and rebuilding security systems?:

Well, I looked at prices on ebay (which I know is not the best place to do a comparison) but people tend to price things relative to how expensive they were or currently are worth.

I don't know if that's true. Pricing on eBay are often insane. People asking $1,000 for a device worth $20 just because they hope that someone is confused.

hahahaha you're so right. I guess really, it was just a comparison starting point. Probably not a good idea, but it's the only way I could quickly get a $ figure.

@anthonyh said in Cisco ASA5510 vs Ubiquiti ERPro8:

@dashrender said in Cisco ASA5510 vs Ubiquiti ERPro8:

@anthonyh said in Cisco ASA5510 vs Ubiquiti ERPro8:

@dashrender said in Cisco ASA5510 vs Ubiquiti ERPro8:

@anthonyh said in Cisco ASA5510 vs Ubiquiti ERPro8:

I'll probably go with the ERPro8 mostly for the fact that it's nowhere near as power hungry as the ASA. I'm currently using an ERPro PoE in my home setup and have no complaints. It has served me well.

Why move away from the ERPro8? The OS on the other ER is the same.

I would either be going ERPro PoE -> ASA5510 or ERPro PoE -> ERPro8.

Likely going to do the latter.

Right, my question is - why? If you go the ASA, I get it, you're changing vendors (i.e. new interface), but if going to the ERPro8, why? do you need the extra ports? If not, there's nothing to gain by moving to the ERPro8 over the ERPro POE.

The biggest advantage is the ERPro8 is rack mountable. Also, the ERPro8 does have a little more horsepower behind it but whether or not it'd be noticable in my environment is another story. I suspect if I wanted to do any sort of VPN tunneling it may fair a little better, but that's just a guess. So, mostly because it's rack mountable.

Just buy a rackable tray for the ASA

@dbeato said in Suggestions on replacing UTM device (SonicWall) and rebuilding security systems?:

@dave247 said in Suggestions on replacing UTM device (SonicWall) and rebuilding security systems?:

@scottalanmiller said in Suggestions on replacing UTM device (SonicWall) and rebuilding security systems?:

@dave247 said in Suggestions on replacing UTM device (SonicWall) and rebuilding security systems?:

@scottalanmiller said in Suggestions on replacing UTM device (SonicWall) and rebuilding security systems?:

Keeping to the same basic strategy, I'd want Palo Alto in there. You can do the HA like the SonicWall, but far more secure and enterprise grade. The SonicWall is really an SMB device, which is fine as you are an SMB, but as a financial institution, I might be wanting something a little more serious.

I've heard you mention Palo Alto before. Any reason why you suggest them? (I will also do some research).

Industry leader, they basically invented the UTM idea. Top enterprise player.

They look like they're a lot cheaper than SonicWall too..

What Sonicwall and Palo Alto are you comparing? The models might be the comparison for me.

Well, I looked at prices on ebay (which I know is not the best place to do a comparison) but people tend to price things relative to how expensive they were or currently are worth. I should have just said that the Palo Alto hardware appears cheaper than the SonicWall hardware. I have no idea how much support or service subscriptions cost.

I know that our SonicWall NSA 3600 hardware was around $4,500 for each of the two units, then there was a subscription and maintenance cost which was probably a couple thousand combined. Not sure how much it costs to get support or subscriptions on the Palo Alta devices. Maybe it does cost more than SonicWall after all the other things that would need to be purchased. I have no bloody idea.

I haven't played with Ubiquiti too much, though I do have a cheap Edge Router ER-X sitting in my office drawer. When I set it up, I was super impressed by the UI and apparent tool set.

@scottalanmiller said in Suggestions on replacing UTM device (SonicWall) and rebuilding security systems?:

@dave247 said in Suggestions on replacing UTM device (SonicWall) and rebuilding security systems?:

@scottalanmiller said in Suggestions on replacing UTM device (SonicWall) and rebuilding security systems?:

Keeping to the same basic strategy, I'd want Palo Alto in there. You can do the HA like the SonicWall, but far more secure and enterprise grade. The SonicWall is really an SMB device, which is fine as you are an SMB, but as a financial institution, I might be wanting something a little more serious.

I've heard you mention Palo Alto before. Any reason why you suggest them? (I will also do some research).

Industry leader, they basically invented the UTM idea. Top enterprise player.

They look like they're a lot cheaper than SonicWall too..

@scottalanmiller said in Suggestions on replacing UTM device (SonicWall) and rebuilding security systems?:

Keeping to the same basic strategy, I'd want Palo Alto in there. You can do the HA like the SonicWall, but far more secure and enterprise grade. The SonicWall is really an SMB device, which is fine as you are an SMB, but as a financial institution, I might be wanting something a little more serious.

I've heard you mention Palo Alto before. Any reason why you suggest them? (I will also do some research).

Additionally, if I were to switch to something like Palo Alta, do these devices have similar setup such as the SonicWall where I can directly connect our WAN modems? I'm looking at their racks now, it kinda looks like they do..

@dafyre said in Suggestions on replacing UTM device (SonicWall) and rebuilding security systems?:

Auditing the rules is never a bad idea!

If you're not experiencing performance issues, then why the push to change?

Well I just want to do things better if possible. Also, I need something that can put out better security reports.

or maybe I should just leave it as is, I don't know.

Hi guys. There was a post a while back where someone asked for suggestions to improve their network security. I got into a nice discussion/argument with Scott about UTMs, SonicWall and router/firewall stuff. Long story short, I've been slowly considering replacing my company's SonicWall an re-designing the whole security setup.

First, we are a small company of under 100 users, but we are also a financial institution, so security is especially critical. The admins before me had previously installed a SonicWall NSA 2400, which was later upgraded/replaced by a NSA 3600. Actually, we have two of these SonicWalls connected together for high hvailability/failover, but they act as one unit.

Currently, we have three WAN connections that connect to the SonicWall and that feeds our LAN and WLAN with Internet. We also use the SonicWall for static routes to a couple of 3rd party VPN routers. There are a boat-load of firewall rules and NAT policies which I have been slowly auditing. Many of them have turned out to be stagnant and no longer needed. Documentation here has been pretty bad so I'm making sure I've got all that cleared up before I make any big changes.

So far, I do like the SonicWall because of the simplicity of having everything in one device, but at the same time, I kind of hate it. It has an external security log analyzer system (called GMS Analyzer) which spits out custom reports, but displays information in the worst possible way, such that it's barely useful. I feel like I am pretty blind to any real security issues so I absolutely need something better in this area.

What I am after now is I would like to start considering some new hardware products/configurations that could be better for diving up the roles shared by the SonicWall.

So, can I get some suggestions on how I should be setting up the router/firewall & threat management pieces?

For clarity, here is a list of things we use the SonicWall for:

• Routing/NAT/Firewall (X1 LAN interface is our LAN's default gateway)
• Incoming WAN connections
• Wireless access management - (using SonicPoint APs)
• Gateway AV
• IDS/IPS
• SSLVPN
• Content filter
• Botnet filter
• Anti-spyware
• Security event analyzing & reporting

Note: we do also have regular antivirus running in our environment, as well as 3rd party email spam filtering, and a SIEM, so we don't just rely on the SonicWall for security.

@scottalanmiller Didn't you already post this a while back?

I used to use Vonage and it was like $24 a month and then when I cancelled, they tried to lower me down to $10. Vonage was great and the only reason I cancelled was because we have cell phones.

@jt1001001 said in Anyone know a place that sells booted Cat6 in feet: 5, 5.5, 6, 6.5, etc?:

We order custom cables from Provisions Modular hardware. Their website is horrible but if you call them and set up an account they will do custom length patch cables or really any other cable you may need. Their website only lists by the foot but we've ordered custom 12.5ft cables for some of our racks without issues.
https://www.provisionsmod.com/

yeah their website need's some work...

I ended up just saying eff it and ordered from C2G

Turns out the thing I was looking for was LLDP protocol.

Sometimes, it's all in how you ask the question -_-

@mike-davis said in Anyone know a place that sells booted Cat6 in feet: 5, 5.5, 6, 6.5, etc?:

Monoprice is my go to store, but doesn't offer the off sizes. This site has the half foot lengths, but I haven't ordered from them:
http://pactech-inc.com/product/cat6-cable-round-snagless-utp/

Nice find. Thanks!

@bnrstnr said in Anyone know a place that sells booted Cat6 in feet: 5, 5.5, 6, 6.5, etc?:

I know it's not what you're asking for, but why not just make them to length?

I'd really rather not. I'm not very good at it and I don't have a lot of time.

@brianlittlejohn said in Anyone know a place that sells booted Cat6 in feet: 5, 5.5, 6, 6.5, etc?:

First thought is to look at monoprice.com and see what they offer.

No size and a half footers..