dave247

Posts
    • Suggestions on replacing UTM device (SonicWall) and rebuilding security systems?

      Hi guys. There was a post a while back where someone asked for suggestions to improve their network security. I got into a nice discussion/argument with Scott about UTMs, SonicWall and router/firewall stuff. Long story short, I've been slowly considering replacing my company's SonicWall and re-designing the whole security setup.

      First, we are a small company of under 100 users, but we are also a financial institution, so security is especially critical. The admins before me had previously installed a SonicWall NSA 2400, which was later upgraded/replaced by an NSA 3600. Actually, we have two of these SonicWalls connected together for high availability/failover, but they act as one unit.

      Currently, we have three WAN connections that connect to the SonicWall and that feeds our LAN and WLAN with Internet. We also use the SonicWall for static routes to a couple of 3rd party VPN routers. There are a boat-load of firewall rules and NAT policies which I have been slowly auditing. Many of them have turned out to be stagnant and no longer needed. Documentation here has been pretty bad so I'm making sure I've got all that cleared up before I make any big changes.

      So far, I do like the SonicWall because of the simplicity of having everything in one device, but at the same time, I kind of hate it. It has an external security log analyzer system (called GMS Analyzer) which spits out custom reports, but displays information in the worst possible way, such that it's barely useful. I feel like I am pretty blind to any real security issues so I absolutely need something better in this area.

      What I am after now is I would like to start considering some new hardware products/configurations that could be better for dividing up the roles shared by the SonicWall.

      So, can I get some suggestions on how I should be setting up the router/firewall & threat management pieces?

      For clarity, here is a list of things we use the SonicWall for:

      • Routing/NAT/Firewall (X1 LAN interface is our LAN's default gateway)
      • Incoming WAN connections
      • Wireless access management - (using SonicPoint APs)
      • Gateway AV
      • IDS/IPS
      • SSLVPN
      • Content filter
      • Botnet filter
      • Anti-spyware
      • Security event analyzing & reporting

      Note: we do also have regular antivirus running in our environment, as well as 3rd party email spam filtering, and a SIEM, so we don't just rely on the SonicWall for security.

      posted in IT Discussion by dave247
    • RE: Are VLANs Needed for VoIP? SAMIT Video

      @scottalanmiller Didn't you already post this a while back?

      posted in IT Discussion by dave247
    • RE: What is cheapest way to get a house phone?

      I used to use Vonage and it was like $24 a month and then when I cancelled, they tried to lower me down to $10. Vonage was great and the only reason I cancelled was because we have cell phones.

      posted in IT Discussion by dave247
    • RE: Anyone know a place that sells booted Cat6 in feet: 5, 5.5, 6, 6.5, etc?

      @jt1001001 said in Anyone know a place that sells booted Cat6 in feet: 5, 5.5, 6, 6.5, etc?:

      We order custom cables from Provisions Modular hardware. Their website is horrible but if you call them and set up an account they will do custom length patch cables or really any other cable you may need. Their website only lists by the foot but we've ordered custom 12.5ft cables for some of our racks without issues.
      https://www.provisionsmod.com/

      yeah their website needs some work...

      I ended up just saying eff it and ordered from C2G

      posted in IT Discussion by dave247
    • RE: Getting computers and phones on the correct VLAN regardless of switch port?

      Turns out the thing I was looking for was LLDP protocol.

      Sometimes, it's all in how you ask the question -_-

      posted in IT Discussion by dave247
    • RE: Anyone know a place that sells booted Cat6 in feet: 5, 5.5, 6, 6.5, etc?

      @mike-davis said in Anyone know a place that sells booted Cat6 in feet: 5, 5.5, 6, 6.5, etc?:

      Monoprice is my go to store, but doesn't offer the off sizes. This site has the half foot lengths, but I haven't ordered from them:
      http://pactech-inc.com/product/cat6-cable-round-snagless-utp/

      Nice find. Thanks!

      posted in IT Discussion by dave247
    • RE: Anyone know a place that sells booted Cat6 in feet: 5, 5.5, 6, 6.5, etc?

      @bnrstnr said in Anyone know a place that sells booted Cat6 in feet: 5, 5.5, 6, 6.5, etc?:

      I know it's not what you're asking for, but why not just make them to length?

      I'd really rather not. I'm not very good at it and I don't have a lot of time.

      posted in IT Discussion by dave247
    • RE: Anyone know a place that sells booted Cat6 in feet: 5, 5.5, 6, 6.5, etc?

      @brianlittlejohn said in Anyone know a place that sells booted Cat6 in feet: 5, 5.5, 6, 6.5, etc?:

      First thought is to look at monoprice.com and see what they offer.

      No size and a half footers..

      posted in IT Discussion by dave247
    • Anyone know a place that sells booted Cat6 in feet: 5, 5.5, 6, 6.5, etc?

      Kind of dumb question I know.. But in the past, I've had to order from various different places to get the exact lengths I wanted. This results in slightly different colors and boots of patch cable.

      I need to order Cat6 by the half foot in a number of lengths and colors and have them with the nice boot at the end (that's easy to push down and pull out). I'd like to order all from one place but it seems like I can only find places that meet part of my criteria. It's just maddening.

      In the past, I've bought from newegg, cablesupply, deepsurplus, and a few others I can't recall..

      posted in IT Discussion by dave247
    • RE: Getting computers and phones on the correct VLAN regardless of switch port?

      @scottalanmiller said in Getting computers and phones on the correct VLAN regardless of switch port?:

      @dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:

      @travisdh1 said in Getting computers and phones on the correct VLAN regardless of switch port?:

      @coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:

      @dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:

      @coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:

      Why are you segregating voice and data traffic?

      ? The question is about how to get the devices onto their intended VLAN.

      Sure, and my question is why? How does this benefit the business? Is there a security reason to separate out voice and data traffic?

      VLAN isn't about security. A malicious actor only needs to guess the other VLAN id in order to access the other network quite often.

      lol. I continually hear people saying conflicting things like this. VLANs are used for security and management purposes.

      VLANs CAN be used for that. The most common reason is "error", at least in these examples.

      VLANs when used for things like guest networks, that's security for sure, and very effective. Easy to enforce, clear separation of traffic.

      When it comes to VoIP, VLANs aren't for security or management, not really. They don't affect security in any meaningful way, and they make management way harder.

      Well, wouldn't one security measure count, such as preventing someone on the data network from sniffing voice traffic? I know it's not the primary solution but it's one additional measure.

      posted in IT Discussion by dave247
    • RE: Getting computers and phones on the correct VLAN regardless of switch port?

      @scottalanmiller said in Getting computers and phones on the correct VLAN regardless of switch port?:

      @dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:

      @scottalanmiller said in Getting computers and phones on the correct VLAN regardless of switch port?:

      @dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:

      @scottalanmiller said in Getting computers and phones on the correct VLAN regardless of switch port?:

      @dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:

      @coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:

      @dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:

      @coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:

      Why are you segregating voice and data traffic?

      ? The question is about how to get the devices onto their intended VLAN.

      Sure, and my question is why? How does this benefit the business? Is there a security reason to separate out voice and data traffic?

      But, if we go a bit further. What kind of switches do you have?

      Security requirement mainly. Switches are Dell PowerConnect N3000 and 5500

      No security if done this way. You'd need to switch to port controlled VLAN in order to introduce any security. If you do tagged like you have to here, the devices see all the VLANs at once and choose what traffic to send and receive - same as without a VLAN.

      I don't quite understand what you mean here by port controlled VLAN, or the rest of your reply.

      VLANs aren't a singular thing, just a general concept. They can be created in multiple ways. One of which is tagging, which is required for how you are using it here with the phones on shared "trunk" ports with the PCs.

      But you can do port based VLAN as well, which has no protocol. This is a "Layer 1" VLAN where the port (on the switch) that is used determines the VLAN instead of a tag. With port based, you can use physical security to enforce the VLAN traffic and devices on the network can't violate the VLAN security to get around it.

      So you mean like, put ports 1 - 10 on VLAN 5 thus forcing any devices plugged into those ports to be on that VLAN?

      Right. Ports 1-10 on VLAN 5, 11-24 on VLAN 0. As long as you control what gets plugged into them, the VLANs are essentially air tight.

      Well what about a situation where you have computers that plug into phone sets, and then those phone sets connect to the network port on the wall? You'd need those phones to be tagged and the network traffic from the pc to be untagged, at least in my situation.

      posted in IT Discussion by dave247
    • RE: Getting computers and phones on the correct VLAN regardless of switch port?

      @scottalanmiller said in Getting computers and phones on the correct VLAN regardless of switch port?:

      @dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:

      @scottalanmiller said in Getting computers and phones on the correct VLAN regardless of switch port?:

      @dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:

      @coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:

      @dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:

      @coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:

      Why are you segregating voice and data traffic?

      ? The question is about how to get the devices onto their intended VLAN.

      Sure, and my question is why? How does this benefit the business? Is there a security reason to separate out voice and data traffic?

      But, if we go a bit further. What kind of switches do you have?

      Security requirement mainly. Switches are Dell PowerConnect N3000 and 5500

      No security if done this way. You'd need to switch to port controlled VLAN in order to introduce any security. If you do tagged like you have to here, the devices see all the VLANs at once and choose what traffic to send and receive - same as without a VLAN.

      I don't quite understand what you mean here by port controlled VLAN, or the rest of your reply.

      VLANs aren't a singular thing, just a general concept. They can be created in multiple ways. One of which is tagging, which is required for how you are using it here with the phones on shared "trunk" ports with the PCs.

      But you can do port based VLAN as well, which has no protocol. This is a "Layer 1" VLAN where the port (on the switch) that is used determines the VLAN instead of a tag. With port based, you can use physical security to enforce the VLAN traffic and devices on the network can't violate the VLAN security to get around it.

      So you mean like, put ports 1 - 10 on VLAN 5 thus forcing any devices plugged into those ports to be on that VLAN?

      posted in IT Discussion by dave247
    • RE: Getting computers and phones on the correct VLAN regardless of switch port?

      @scottalanmiller said in Getting computers and phones on the correct VLAN regardless of switch port?:

      @dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:

      @coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:

      @dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:

      @coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:

      Why are you segregating voice and data traffic?

      ? The question is about how to get the devices onto their intended VLAN.

      Sure, and my question is why? How does this benefit the business? Is there a security reason to separate out voice and data traffic?

      But, if we go a bit further. What kind of switches do you have?

      Security requirement mainly. Switches are Dell PowerConnect N3000 and 5500

      No security if done this way. You'd need to switch to port controlled VLAN in order to introduce any security. If you do tagged like you have to here, the devices see all the VLANs at once and choose what traffic to send and receive - same as without a VLAN.

      I don't quite understand what you mean here by port controlled VLAN, or the rest of your reply.

      posted in IT Discussion by dave247
    • RE: Getting computers and phones on the correct VLAN regardless of switch port?

      @travisdh1 said in Getting computers and phones on the correct VLAN regardless of switch port?:

      @coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:

      @dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:

      @coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:

      Why are you segregating voice and data traffic?

      ? The question is about how to get the devices onto their intended VLAN.

      Sure, and my question is why? How does this benefit the business? Is there a security reason to separate out voice and data traffic?

      VLAN isn't about security. A malicious actor only needs to guess the other VLAN id in order to access the other network quite often.

      lol. I continually hear people saying conflicting things like this. VLANs are used for security and management purposes.

      posted in IT Discussion by dave247
    • RE: Getting computers and phones on the correct VLAN regardless of switch port?

      @coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:

      @dave247 said in Getting computers and phones on the correct VLAN regardless of switch port?:

      @coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:

      Why are you segregating voice and data traffic?

      ? The question is about how to get the devices onto their intended VLAN.

      Sure, and my question is why? How does this benefit the business? Is there a security reason to separate out voice and data traffic?

      But, if we go a bit further. What kind of switches do you have?

      Security requirement mainly. Switches are Dell PowerConnect N3000 and 5500

      posted in IT Discussion by dave247
    • RE: Getting computers and phones on the correct VLAN regardless of switch port?

      @coliver said in Getting computers and phones on the correct VLAN regardless of switch port?:

      Why are you segregating voice and data traffic?

      ? The question is about how to get the devices onto their intended VLAN despite the switch port.

      posted in IT Discussion by dave247
    • Getting computers and phones on the correct VLAN regardless of switch port?

      I'm not super experienced with VLANs yet, so I'm trying to wrap my head around this.

      I have switches with only the data network running on the default VLAN ID 0, un-tagged. I want to add a new VLAN ID 5 for voice traffic. I want to have it so that no matter what switch port I plug in a computer or phone to, they end up on the correct VLAN.

      To clarify even more: If I plug in a computer on switch port Gi0/0/3, it would only talk on the data VLAN.  If I plug in a phone set to switch port Gi0/0/3, it would only talk on the voice VLAN. In this case, I am assuming I would set all switch ports to trunk mode and then I would have to configure each one of the phone sets to have their Ethernet traffic tagged right away for VLAN 5.

      This is the only way I can see it working. Otherwise, I would have to plug computers into data VLAN switch ports and phones into voice VLAN switch ports.

      Do I have this right?

      posted in IT Discussion by dave247
    • RE: Installing Google Chrome on Fedora 27

      @jaredbusch said in Installing Google Chrome on Fedora 27:

      @scottalanmiller said in Installing Google Chrome on Fedora 27:

      Chrome is easy to install but isn't included in Fedora. Here is the quick and effective way to do it.

      WTF?

      sudo dnf install -y https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm

      It's Scott, so of course it has to be unnecessarily over-complicated 😛

      posted in IT Discussion by dave247
    • RE: Thoughts on how I could improve my network security?

      @scottalanmiller said in Thoughts on how I could improve my network security?:

      @dave247 said in Thoughts on how I could improve my network security?:

      @tim_g said in Thoughts on how I could improve my network security?:

      @scottalanmiller said in Thoughts on how I could improve my network security?:

      There are places where router and firewall merge and can't be pulled apart - and that is NAT. A NAT translation is assumed to be part of the routing functions, but is a firewall. NAT literally makes the router and the firewall be the same component and function. Of course, in theory, you can have a router that doesn't do NAT, but in the real world, no one has made one since the early 1990s, and maybe not even then.

      Exactly. When packets reach the NAT and have nowhere to go, they get dropped. That's firewall.

      Yeah, NAT is also not the firewall.

      But it is. NAT is a form of firewall. You can't NAT without firewall. But you also can't NAT without router. It's where the two are forced to overlap.

      oh right... forgot about the base NAT policies. I was wrong there.

      posted in IT Discussion by dave247
    • RE: Thoughts on how I could improve my network security?

      @scottalanmiller said in Thoughts on how I could improve my network security?:

      @dave247 I totally get your point that in most cases, routers and firewalls are different aspects of the device. And that is good for everyone to understand. But it is also important, I'd say far more important, for everyone to understand that in the real world, and for all utility even in the theoretical world, you can't have a router that isn't a firewall and anything that is a firewall can be a router.

      It's less important that people understand that L3 Switches are always routers, but it is the same concept. If someone asks if you have a router in between point A and B and all you have there is an L3 switch, your answer is "yes".

      The reason that it is more important that people understand that router always means firewall and firewall always means router (at least optionally) is because there is a new epidemic of people thinking firewall means something totally different and crazy things are being thought now - where people actually think that they have routers that aren't firewalls.

      Ok I'm glad you get my point. This whole argument (just like many others on here and on SpiceWorks) has ultimately come down to semantics.

      posted in IT Discussion by dave247