
    Posts made by Jimmy9008

    • IT Contractors/IT Service Providers in Perth, Australia

      Hi folks,

      Would anybody be able to recommend IT Contractors/ITSP in Perth, Australia? Ideally ones you have worked with, which you know are good at their job.

      We have a new office out there (acquisition) and the current providers we are using are making a mess of things, so may be looking to move to some other solution if they don't sort this out soon. They supported the company we purchased already so we initially decided to use them due to the existing good relationship and are starting to regret that.

      What we need (overview only, and new hardware already on site):

      • stack + configure two Dell N3000 switches

      • configure Cisco ASA for existing internet line outbound, and internal interface, plus SSH for management, and ASDM

      • physically migrate from old firewall to new, and old switches to new over a weekend (new properly managed cabling)

      • configure new Dell server with datacenter 2019 core and Hyper-V enabled, setup redundant 10GB uplinks to new switch stack. Provide access over that weekend once completed for UK team to roll out DC, DNS, DHCP

      • configure APC UPS for PowerChute network shutdown to turn off the host upon power outage

      • connect two Meraki MR33 to N3000

      • label everything, document, and supply photos for our remote support teams

      Do you know any resources out there which could accomplish this? We would of course discuss specifics; that's just an overview.

      Some of the issues we have with the current supplier:

      • can't get the new ASA to work with the internet line. Can't figure out how to enable SSH on the ASA

      • have installed 2019 datacenter GUI, not core. Did not enable Hyper-V

      • have not been able to stack the switches, have not been able to enable remote access to switches (webui/SSH/telnet)

      Basically, little confidence left.

      Cheers

      posted in IT Discussion
      Jimmy9008
    • RE: Virtual WAF

      @Dashrender said in Virtual WAF:

      @DustinB3403 said in Virtual WAF:

      @Jimmy9008 said in Virtual WAF:

      If this forum is not one that is able to help and would rather comment on structures that are entirely outside of my control, I'll go elsewhere.

      This is the place to discuss this sort of thing. @Dashrender is just trying to ruffle feathers. Ignore him.

      You may see it that way - I see this is a shift of - they no longer have money, so they are going to pawn off the responsibility to someone else - that's at minimum seemingly disrespectful.

      It is. For sure. I get what you are saying. 100%. But that is the situation we are in, disrespectful or not. Until 2022 I will not have budget to put something perhaps more solid in place, so I need to put something in place for now until then. Discussing the situation won't help, I am at the stage of seeing what is possible to get us somewhere better than nothing.
      If that makes sense?

      posted in IT Discussion
      Jimmy9008
    • RE: Virtual WAF

      @Dashrender said in Virtual WAF:

      @Jimmy9008 said in Virtual WAF:

      @Dashrender said in Virtual WAF:

      @Jimmy9008 said in Virtual WAF:

      @VoIP_n00b said in Virtual WAF:

      Cloudflare Pro has a WAF but it's $20/month.

      I don't think that would be a direction we would use. I like CF but it just won't happen here.

      They can't afford $20/m to protect this? does whatever they are doing even make sense to do?

      Currently correct, no budget for this. What they want to do makes sense for them, but not for an IT perspective. The applications are demo environments which are shown to potential customers. We have many of these environments to demo the solutions globally.

      The product team have decided they want to cut their budget this year and have cut out the WAF which sits in front of their demo applications. I believe they had some form of Citrix solution which sat in front of the webservers to do the higher layer checking like XSS/SQL Injection and stuff like that. Due to their decision, this now sits with IT.

      Essentially, this is not in the IT budget and it is rigid. So most likely will be until 2022 until any budget is allowed at all for this. Crazy I know.

      Hence, wanting something between the internet and their now less protected application at no real cost. ModSecurity or something like that looks like a good start.

      So they believed they needed good security - hence why they looked/had Citrix stuff before (didn't know they did that), but now, because of budget, they no longer care about it... this is completely the wrong way to do things.. wow.

      Now that's not to say they shouldn't reevaluate what they are doing - and find a solution that is more cost effective, but to go from a hugely expensive system (Citrix) to a free one is just asking to be hacked.

      Also, you said this is now for IT to manage - uh.. what? It's always been for IT to manage.

      Perhaps in other companies, yes. But not here, until now. The teams are very well defined and IT here is kept to core infrastructure only. As this infrastructure interacts with customers it is with a different team. That team has decided to cut their budget out and remove the component, and has said "IT, it's now your problem" which until now had not been the case.

      I am not here to discuss the particulars of where this should sit or not. I am asking for any thoughts on what WAF options are available, ideally at no direct cost.

      If this forum is not one that is able to help and would rather comment on structures that are entirely outside of my control, I'll go elsewhere.

      posted in IT Discussion
      Jimmy9008
    • RE: Virtual WAF

      @Obsolesce said in Virtual WAF:

      @Jimmy9008 test or demo environments should never be any less secure than production.

      Yes, I agree. Hence wanting to put something in place.

      posted in IT Discussion
      Jimmy9008
    • RE: Virtual WAF

      @Dashrender said in Virtual WAF:

      @Jimmy9008 said in Virtual WAF:

      @VoIP_n00b said in Virtual WAF:

      Cloudflare Pro has a WAF but it's $20/month.

      I don't think that would be a direction we would use. I like CF but it just won't happen here.

      They can't afford $20/m to protect this? does whatever they are doing even make sense to do?

      Currently correct, no budget for this. What they want to do makes sense for them, but not for an IT perspective. The applications are demo environments which are shown to potential customers. We have many of these environments to demo the solutions globally.

      The product team have decided they want to cut their budget this year and have cut out the WAF which sits in front of their demo applications. I believe they had some form of Citrix solution which sat in front of the webservers to do the higher layer checking like XSS/SQL Injection and stuff like that. Due to their decision, this now sits with IT.

      Essentially, this is not in the IT budget and it is rigid. So most likely will be until 2022 until any budget is allowed at all for this. Crazy I know.

      Hence, wanting something between the internet and their now less protected application at no real cost. ModSecurity or something like that looks like a good start.

      posted in IT Discussion
      Jimmy9008
    • RE: Virtual WAF

      @VoIP_n00b said in Virtual WAF:

      Cloudflare Pro has a WAF but it's $20/month.

      I don't think that would be a direction we would use. I like CF but it just won't happen here.

      posted in IT Discussion
      Jimmy9008
    • RE: Virtual WAF

      @DustinB3403 said in Virtual WAF:

      @Jimmy9008 I've not used this before but it appears in multiple search engines near the top.

      https://modsecurity.org/

      Appears to have both free and paid options, and is open source.

      That did pop up from an initial search online. Seems like a good point to start with. Thank you

      posted in IT Discussion
      Jimmy9008
    • RE: Virtual WAF

      @Obsolesce said in Virtual WAF:

      @Jimmy9008 said in Virtual WAF:

      We will soon have a few webservers/applications

      Running on which webserver(s)?
      What kind of web apps, what language?

      As I understand the handling of web traffic is handled directly in the application using HTTP.sys and the application is written in ASP.NET

      posted in IT Discussion
      Jimmy9008
    • Virtual WAF

      Hi folks,

      Would anybody be able to recommend some virtual Web Application Firewalls? I have not looked at this before and want to see what options are available from you pros before doing more online research.

      We will soon have a few webservers/applications sitting behind HAProxy, which sits behind our ASA. Ideally we would be able to stick a WAF between HAProxy and the ASA. No budget for a physical box.

      Probably no budget for a paid for virtual solution either. I hope to see something like HAProxy where it is free to use with a paid option.

      Cheers

      posted in IT Discussion
      Jimmy9008
    • RE: Security Information Event Management (SIEM)

      We use Dell SecureWorks MDR. Has been good so far. We get quarterly meetings and whenever anything questionable is seen in logs/scans/user usage, we are contacted.

      posted in IT Discussion
      Jimmy9008
    • RE: TeamCity/Apache Tomcat

      Yes, my firewall guys have said we have the license available but do not use the feature.

      posted in IT Discussion
      Jimmy9008
    • TeamCity/Apache Tomcat

      Hi all,

      Does anybody have any experience of TeamCity and Apache Tomcat? Our developers are seeing an issue and I disagree with their findings.

      So, developers local to our London office are able to download TeamCity files from the local VM in London running TeamCity using Tomcat as the webserver at 40 - 50 MB/s. Clients in Aberdeen over VPN are only able to get 2 - 3 MB/s. Now, they are saying something is wrong with the network or traffic shaping which I disagree with.

      What we have done:

      • iperf, speeds between London and Aberdeen through the VPN are as expected.

      • Tested using a copy on Windows between the servers. Speeds were 40 - 50 MB/s as expected. (VM on a server in Aberdeen to the server in London over UI using copy/paste).

      • Setup an IIS webserver in London hosting the file, and can download the file from Aberdeen at 40 - 50 MB/s.

      To me, this means the issue is with their Tomcat webserver or TeamCity. Same hardware/hosts/firewalls/tunnel, different webserver = better speeds.

      Development built a proxy in London and can go to that proxy address from Aberdeen which sits between them and Tomcat and get 40 - 50 MB/s. They say this is proof of the traffic shaping/Network issue. Which makes no sense. The proxy is local to London, so just like clients is getting 40 - 50 MB/s from Tomcat/server, and is able to successfully send to Aberdeen itself at 40/50. So, means the issue is still with Tomcat. Unless my logic is wrong?

      Does anybody have any ideas here?

      Cheers

      posted in IT Discussion
      Jimmy9008
    • RE: Hyper-V Failover Clustering

      @travisdh1 said in Hyper-V Failover Clustering:

      @DustinB3403 said in Hyper-V Failover Clustering:

      @travisdh1 The issues stem from the hypervisors being rebooted out of order, causing a server to start up before the DC which was on the other hypervisor.

      Looking at different ways to try and remediate this from occurring again.

      You never put a DC into an HA environment as all of that functionality is built into the DC itself, and trying to force it can create problems.

      Best thing to do is have a DC on both hypervisors. Either another VM, or add the role to a current VM on the host.

      I agree with one DC on each host. Otherwise, that is a lot of additional complexity to have a cluster and shared storage just for this one issue...

      posted in IT Discussion
      Jimmy9008
    • RE: I'll Show You Mine If You Show Me Yours, Home Labs

      Is it weird that I don't have a home lab for the last few years? I have just been spinning up environments at work to learn things on when needed as the tech is likely work related anyway...

      To clarify, the work lab environments are not running on production kit so no risk to them. It's old hardware that is new enough to keep, but old enough to not be prod. So, no risk to prod... why take up room at home...

      posted in IT Discussion
      Jimmy9008
    • RE: Career Management/Recruiters/Headhunters - potential scam?

      This is what I expected but since I am not at that level wanted to check. I'm about 1/3 of the numbers he was throwing around, which I guess is why he was doing that, to try to entice you with the larger numbers. Cheers for confirming what I thought though, it's always good to check and have access to a forum like this. Cheers.

      posted in IT Careers
      Jimmy9008
    • RE: Career Management/Recruiters/Headhunters - potential scam?

      Cheers folks, this is what I suspected. Appreciated as always!

      posted in IT Careers
      Jimmy9008
    • Career Management/Recruiters/Headhunters - potential scam?

      Hi folks,

      I am looking for some advice and would like to know if you have any experience of this. I have been contacted by a 'Career Management Solution' company after they found my CV online. Specifically, they sell a service to a professional where they market them to internal databases of FTSE100, FTSE250, DAX, CAC, Fortune500 companies. They note that these are specific databases where senior positions are filled without needing to go to more public sites like Monster.com, LinkedIn, Indeed and others and note that most senior positions are filled in such ways without going 'public'. Specifically, heads of departments and execs use the systems to find who they want and go direct, rather than placing adverts on job boards.

      Other services of the solution include services such as:

      • Fully sponsor and recommend your skills to several thousand key decision makers
      • Market your skills to all relevant and targeted organizations proactively
      • Update information for all Applicant Tracking Systems at senior level upwards
      • Optimize your skills and content for head-hunter searches
      • Add a new Skills Matrix to your online profiles on a weekly basis
      • Maintain the ranking of your CV on all associated databases public and private
      • Recommend you via multiple executive networks that have requested your details in the last 3 months
      • Add you to the upper echelon of senior/exec recruiters as a free candidate (no placement fee attached), saving companies the additional recruitment cost for your appointment

      Does this seem legitimate? I have not heard of closed off databases that top companies use rather than headhunters/recruiters, but I do not doubt that this could exist. Either way, this feels like a potential scam. I have only ever been recruited/headhunted which costs the hiring company money due to paying hiring fees to the recruiter/headhunter.

      This company however says they do not charge the company but charge the candidate due to the service they provide and managing/promoting the candidate. The cost seems pretty expensive too at just below £1000, which is $1,400 USD.

      What do you think? This does feel like a scam to me but I have no experience of these senior jobs or accessing them...

      Best,
      Jim

      posted in IT Careers
      Jimmy9008
    • RE: Topics of Systems Administration

      Troubleshooting v Reimage.

      I don't know about you folk but where something is broken and the estimate is more than one hour to fix, we just reimage as it is faster and brings the machine to a known good state - providing not a hardware issue. Any book should cover something similar as I have seen lots of IT folk spend days on a problem (read, money), where they should just reimage.

      posted in IT Discussion
      Jimmy9008
    • RE: How Many HCI Nodes for the SMB

      @Pete-S said in How Many HCI Nodes for the SMB:

      I was under the impression @Jimmy9008 worked in an enterprise size company, not SMB.

      Anyway, it's hard to estimate what is needed because it depends on what a company does. To run a typical office you wouldn't need to run anything on-prem at all and the rest could be SaaS.

      Certainly not enterprise. Not by a long way.

      posted in IT Discussion
      Jimmy9008
    • RE: What makes a system HCI?

      @scottalanmiller said in What makes a system HCI?:

      @Jimmy9008 said in What makes a system HCI?:

      @scottalanmiller said in What makes a system HCI?:

      @Jimmy9008 said in What makes a system HCI?:

      @scottalanmiller said in What makes a system HCI?:

      @DustinB3403 said in What makes a system HCI?:

      @Jimmy9008 said in What makes a system HCI?:

      Maybe crappy HCI, but far better than three servers, connected to two switches, to one physical SAN which is what many here want.

      I don't think anyone wants this, they are simply having the wool pulled over their eyes as someone steals their money.

      I see it a lot, and it's always someone getting a little something from their buddy at the dealer.

      That's why I am specifically not doing this type of thing. As said, it may not be the top tier all bells and whistled HCI, but three nodes or more, with starwind vsan, running a windows failover cluster is 1) still HCI, and 2) better than doing an ipod.

      Yup. As long as it's Starwind vSAN and not any Windows storage, it's actually really good. Windows, Hyper-V, Starwind... all good components. It's really ReFS and SS that are scary and to be avoided. This isn't bad at all, actually.

      Well, the CSV cluster storage is provided by Starwind on the same hosts to all hosts. They actually have these starwind image files on each of the nodes, where starwind runs, which contain the LUN/CSV/vSAN data...

      Yes, I know how it works, lol. It's the fastest SAN tech on the market.

      So it may not be the best solution to have 3 x nodes, clustered, with starwind vSAN, but it is still a good solution, better than the old ipod setup. I can take that.

      posted in IT Discussion
      Jimmy9008