    Posts

    • RE: New customer - greenfield setup

      @dashrender said in New customer - greenfield setup:

      but SSL inspection on guest - nope, not interested... Hell I'd be more worried about being sued for breach of privacy.

      Well you CAN'T do it without seriously breaking the law (and pulling some magic super computing stuff.) It's federally criminal to attempt without the customer voluntarily handing over their computer to you which absolutely no one will do. And it's a lot of work for someone just sitting in an office trying to watch porn.

      These days, people will just use their cellular service anyway while in your office. All of your liability remains the same. It might feel like offering wifi exposes you, but if someone is going to sue you based on something downloaded or uploaded while on your premises, they will do so whether you made your network available or not.

      posted in IT Discussion
      scottalanmiller
    • RE: New customer - greenfield setup

      @dashrender said in New customer - greenfield setup:

      @jaredbusch said in New customer - greenfield setup:

      @dashrender said in New customer - greenfield setup:

      Should they go DNS filtering or NGFW with filtering subscription?

      2 years ago, I would have said DNS filtering. But now browsers are starting to go around DNS with built in DNS over TLS and such.

      I know several DNS providers were starting to provide DNS over TLS, and that several of the browser vendors were saying - as long as the provided DNS provider used DNS over TLS or HTTPS then the browser would respect the system's IP settings.

      Have you found that to be not true? - then again, how would you know other than the traffic going to known browser based DNS over TLS IPs.

      No matter what, someone that wants to work around this will. My phone, for example, would never even know that you blocked me because it always establishes a VPN first. So you'd know that I had a VPN, but that would be the end of it. All that SOPHOS magic, those certs, those IP blocks... none of it would ever show up. All that cost and me, not even trying to work around anything, would totally not be affected.

      posted in IT Discussion
      scottalanmiller
    • RE: New customer - greenfield setup

      @dashrender said in New customer - greenfield setup:

      @scottalanmiller said in New customer - greenfield setup:

      @jaredbusch said in New customer - greenfield setup:

      @scottalanmiller said in New customer - greenfield setup:

      Well you CAN'T do it without seriously breaking the law (and pulling some magic super computing stuff.) It's federally criminal to attempt without the customer voluntarily handing over their computer to you which absolutely no one will do. And it's a lot of work for someone just sitting in an office trying to watch porn.

      Most common people will simply get the portal, tap anything it says and thus agree to it all. So yeah, you are wrong that no one does it.

      Is that all that it takes to get the phone or computer to install the certs and hand over man in the middle access? I've not done it, because... only a crazy person would.... but I thought it took several steps and a lot of warnings from most mobile devices.

      Yeah - there are a few warnings... but most people will simply accept it and start surfing - it's crazy... they have no clue what they are giving up. and even worse a surprising number wouldn't care even if you got them to actually understand it.

      I think even if you carefully document it, you are at huge risk. Any banking breach, and you get blamed. Good luck proving you didn't use all the data you captured.

      posted in IT Discussion
      scottalanmiller
    • RE: Mobile Range Extender

      @krzykat said in Mobile Range Extender:

      Yes, they want carrier independent. As for WIFI it is either there or can be, but then there is the issue of MMS doesn't work over WIFI. That is something they are looking for. The ones that I've done in the past were for specific use cases that were locked to the carrier (but that's not the use case here).

      MMS doesn't work over wifi? It works here over wifi.

      posted in IT Discussion
      scottalanmiller
    • RE: Mobile Range Extender

      @jaredbusch said in Mobile Range Extender:

      @scottalanmiller said in Mobile Range Extender:

      @krzykat said in Mobile Range Extender:

      Yes, they want carrier independent. As for WIFI it is either there or can be, but then there is the issue of MMS doesn't work over WIFI. That is something they are looking for. The ones that I've done in the past were for specific use cases that were locked to the carrier (but that's not the use case here).

      MMS doesn't work over wifi? It works here over wifi.

      You have T-Mobile (or did), they do everything over WiFi if the device supports it. Not all carriers do that.

      Oh okay. It's not an MMS limitation then. It's a carrier limitation. They can limit anything if they want to.

      posted in IT Discussion
      scottalanmiller
    • RE: New customer - greenfield setup

      @dashrender said in New customer - greenfield setup:

      So the long and the short of it is - Scott is saying - no filtering is worth it, either on the employee side or the guest side.

      i.e. the firewall is not a place to provide filtering (via either IP blocking or DNS website blocking) - there is not enough value if it has any cost.

      Doing something simplish like Cloudflare's DNS filtering is worthwhile because there's no cost.

      Yeah, I think that something simple like CloudFlare or even PiHole (or combine the two) can have good value because the cost is low and the value is basic.

      Firewalls are an inappropriate place for that kind of filtering and it makes me question the quality of a firewall that starts to act like a general purpose server platform. If they don't think that a security device should be single purpose, are they really prepared to be your security vendor?

      posted in IT Discussion
      scottalanmiller
    • RE: New customer - greenfield setup

      @dave247 said in New customer - greenfield setup:

      I was able to add many category-based exceptions which included banking and medical services, among others. So at least that concern is somewhat removed there, but still.

      That's good that they try. A problem with that, though, is that categories have to be maintained and trusted. So if you use Bank of America or Wells Fargo, I'm sure you are fine. But what if you use a local savings and loan or credit union or a foreign bank or do your banking through a third party site? Sure, your bank might make their list, but it might not. They make an effort, and probably a good one, but at some point it's just people making a list of sites they feel should be in a category. They don't really know. Anyone can make a fake bank website to get around that, there's no way to have enough staff to check sites. And I'm sure tons of real financial institutions get missed because no one thought of checking that name.

      posted in IT Discussion
      scottalanmiller
    • RE: Is xByte still recommended for server purchases around here?

      @phlipelder said in Is xByte still recommended for server purchases around here?:

      If something goes wrong on the NAS side there's not a lot that can be done. They are too cookie cutter.

      Actually that's a reason that I like Synology. You can do almost anything to repair it because it's well known hardware with extremely well known enterprise software RAID that is portable to other devices both NAS and custom built.

      posted in IT Discussion
      scottalanmiller
    • RE: Is xByte still recommended for server purchases around here?

      @phlipelder said in Is xByte still recommended for server purchases around here?:

      Build a purpose built box with XFS and keep it isolated from everywhere except a PAW that's nowhere near a perp entry point.

      From that same Veeam thread, this will have the same problems. Appears that Veeam can only do its checksumming on a SAN via NTFS or ReFS (which I'm not sure I'd trust yet as it is known to be unstable until at least quite recently.) So, NTFS if you want to be safe. Which you can do on purpose built hardware, and on Linux, but just not with XFS (which SHOULD be the best option if Veeam knew how to handle their own storage properly) or ZFS (which should be a great option, too.)

      posted in IT Discussion
      scottalanmiller
    • RE: Whack a mole: Dealing with Spam/Phishing

      I have my email account set as the catchall for our domain on Zoho so I get absolutely every stupid random spam crap that there could be and surprisingly, it's very little. It's a few a day, and gmail tends to get through the most. But because they send to fake accounts, I know instantly 100% that it is SPAM and mark it as such. Takes almost no effort, it's only a few a day, and does a lot to make our SPAM detection that much better before the team gets hit with it.

      posted in IT Discussion
      scottalanmiller
    • RE: Is xByte still recommended for server purchases around here?

      Mostly we are getting derailed. I think the bottom line items are this...

      1. Yes, xByte is an excellent place to buy servers. Give them a try still.
      2. Enterprise hardware has a reliability advantage over "business" hardware. That doesn't mean business hardware isn't usable, just be aware of the differences.
      3. An enterprise Linux distro that you install and maintain yourself (or via a support partner) such as Ubuntu, Fedora, CentOS, Debian, RHEL, or Suse is simply better tested and supported than a lesser known non-enterprise distro that is commonly shipped with any black box style device (like a NAS.)
      4. If you are using Veeam, then you want Veeam's data protection algorithms in place rather than relying on "blind" data protection algos on distance storage devices. Whether that means configuring your storage as a SAN or putting Veeam's agent on your Linux distro, one way or another you will be better served letting Veeam handle that layer of protection too. (This is because Veeam is often used in a "differential forever" style mode that incurs a huge amount of risk if not mitigated somehow.)
      posted in IT Discussion
      scottalanmiller
    • RE: Is xByte still recommended for server purchases around here?

      @phlipelder said in Is xByte still recommended for server purchases around here?:

      That hasn't been my experience with any of the NAS vendors.
      Even the Synology 2U NAS/SAN to NAS/SAN replication units that were supposed to be transparent to the Hyper-V cluster running in front of them. Synology refused to address our concerns with forum's posts that showed the promise was never fulfilled.

      That's the thing, enterprise support never comes from the NAS vendors. It comes from enterprise Linux support shops. This is the same even if you are using NetApp (but then a BSD support shop, obviously.) NAS, by definition, is a "black box" for people who don't want to support stuff. So the whole idea of enterprise support from a NAS vendor doesn't make too much sense. It's not an enterprise product, it's not for support technical use. Yes, some super technical people deploy them, but mostly when we want something really simple and we are going to support it completely ourselves or it is a cog that we can just replace.

      If you want top end support for something like Synology, you can't get it from Synology themselves. Which makes the cost higher than it seems, and mostly defeats the purpose. So avoiding it can make sense if you need that, but it's different than not being available. You just have to treat it as a normal server and get normal system admin support resources. Then you can do effectively anything with it because it's just essentially a lower end SuperMicro chassis (not really, but super similar) and a stripped down really basic, slightly older Linux installation.

      posted in IT Discussion
      scottalanmiller
    • RE: Is xByte still recommended for server purchases around here?

      @phlipelder said in Is xByte still recommended for server purchases around here?:

      No black boxes for critical data. Ever.

      This is a good quote.

      Should be, for critical workloads, though. Not only storage, but any component of it.

      posted in IT Discussion
      scottalanmiller
    • RE: Simple NAS advice

      @siringo said in Simple NAS advice:

      School needs a NAS. Only needs about 6TB capacity.
      Was thinking of a 4 bay thing & using 2TB disks so disk rebuilds will be as quick as possible.
      Any recommendations for the NAS and what disks to get?
      Will be going into a Windows environment.

      So for the RAID consideration....

      SSD rebuilds faster than Spinners.
      RAID 10 rebuilds faster than RAID 5.
      RAID 5 rebuilds faster than RAID 6.
      More drives rebuild more often than fewer drives.
      Parity rebuilds are dramatically more impactful than mirror rebuilds.

      You have to consider all of the factors.

      If you are looking at spinners.... 2 6TB drives in RAID 1 almost certainly makes the most sense because rebuilds are not impactful, are decently fast, and you need to rebuild a drive half as often as with RAID 10 with 4x 3TB drives.

      If you are looking at SSD.... then you need to do the math with current prices. But RAID 1 is going to have almost zero failures with very fast rebuilds. RAID 5 rebuilds of smaller drives will be slower because it is the CPU, not the IO, that is your bottleneck. So RAID 5 3x 3TB or 4x 2TB might be cheaper, and fast enough, but it will be slower than having RAID 1 or RAID 10.

      posted in IT Discussion
      scottalanmiller
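The post says to weigh all the rebuild factors together and do the math on the actual drive counts. As an added example (not from the thread or any of its authors), this Python script scores the layouts mentioned in the thread on usable capacity, guaranteed fault tolerance, mirror-versus-parity rebuild, and expected rebuild frequency; the per-drive annual failure rate AFR is an assumed constant, and the candidate list is constructed from the sizes the thread discusses.

```python
"""Compare RAID layouts for a small NAS on the factors the post lists.

Added example, not from the thread. Usable capacity and fault tolerance
follow from the RAID level; the expected number of rebuilds per year is
drives * AFR, since every drive failure triggers exactly one rebuild.
AFR is an assumed, constant per-drive annual failure rate.
"""
from dataclasses import dataclass

AFR = 0.02  # assumed per-drive annual failure rate; replace with vendor data


@dataclass(frozen=True)
class Layout:
    level: str      # "RAID1", "RAID10", "RAID5" or "RAID6"
    drives: int
    size_tb: float  # capacity of each drive in TB

    def usable_tb(self) -> float:
        n, s = self.drives, self.size_tb
        if self.level == "RAID1" and n >= 2:
            return s                # every drive holds a full copy
        if self.level == "RAID10" and n >= 4 and n % 2 == 0:
            return n / 2 * s        # striped pairs of mirrors
        if self.level == "RAID5" and n >= 3:
            return (n - 1) * s      # one drive's worth of parity
        if self.level == "RAID6" and n >= 4:
            return (n - 2) * s      # two drives' worth of parity
        raise ValueError(f"invalid layout {self.level} with {n} drives")

    def fault_tolerance(self) -> int:
        """Drives that can fail without data loss (guaranteed minimum)."""
        return {"RAID1": self.drives - 1, "RAID10": 1, "RAID5": 1, "RAID6": 2}[self.level]

    def rebuild_kind(self) -> str:
        """Mirror rebuilds copy one drive; parity rebuilds read every drive."""
        return "mirror" if self.level in ("RAID1", "RAID10") else "parity"

    def rebuilds_per_year(self) -> float:
        return self.drives * AFR


def rank(candidates: list[Layout], need_tb: float) -> list[Layout]:
    """Layouts meeting the capacity need, least rebuild exposure first.
    Ties are broken in favour of mirror rebuilds, then fewer drives."""
    ok = [c for c in candidates if c.usable_tb() >= need_tb]
    return sorted(ok, key=lambda c: (c.rebuilds_per_year(), c.rebuild_kind() != "mirror", c.drives))


# Constructed candidate list from the sizes discussed in the thread; 6 TB usable required.
CANDIDATES = [
    Layout("RAID10", 4, 2.0),  # the original idea: 4 bays x 2 TB
    Layout("RAID1", 2, 6.0),
    Layout("RAID10", 4, 3.0),
    Layout("RAID5", 3, 3.0),
    Layout("RAID5", 4, 2.0),
    Layout("RAID6", 4, 4.0),
]

if __name__ == "__main__":
    for c in rank(CANDIDATES, 6.0):
        print(f"{c.level:6} {c.drives}x{c.size_tb:g}TB usable={c.usable_tb():g}TB "
              f"tolerates={c.fault_tolerance()} rebuild={c.rebuild_kind()} "
              f"rebuilds/yr={c.rebuilds_per_year():.2f}")
```

The 4x2TB RAID 10 layout drops out of the ranking because it only yields 4 TB usable, and 2x6TB RAID 1 lands first with half the expected rebuilds of 4x3TB RAID 10, which is the comparison the post makes.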
    • RE: Simple NAS advice

      @siringo said in Simple NAS advice:

      Thanks everyone for your advice & help, it's great to get the opinions of others.

      For backups ask yourself...

      What actually matters?

      1. Capacity. Likely you have a hard need of 6TB usable, so that's a pivot point.
      2. Performance. You need enough to take your backups in your backup window and enough to restore at an acceptable pace. Figure out what this performance needs to be. This is a pivot point.
      3. Why do you care about rebuild time? Rebuild time is just one factor in the pool and while it should be considered, it's not a very big deal in the grand scheme of things. It's a rare event, that should not take long (unless you screw up your array design royally), and you shouldn't be down while it happens, and even if you are, does that even matter (99.999% chance it does not for a school.)
      4. Durability. How reliable does this device need to be? It's school backups, so probably not very but maybe. This obviously should not be your only backup, so it likely can be pretty ephemeral. But you don't want data being lost willy nilly. So that rules out RAID 5 on spinners because of durability.
      posted in IT Discussion
      scottalanmiller
    • RE: Simple NAS advice

      @jaredbusch said in Simple NAS advice:

      @pete-s said in Simple NAS advice:

      @siringo said in Simple NAS advice:

      School needs a NAS. Only needs about 6TB capacity.
      Was thinking of a 4 bay thing & using 2TB disks so disk rebuilds will be as quick as possible.
      Any recommendations for the NAS and what disks to get?
      Will be going into a Windows environment.

      If you need 6TB capacity, 4 bays with 2TB drives is not going to cut it. Well, not unless you want to run RAID-5.

      You need 4TB drives if you want to run RAID-6, RAID-10 or have 2 independent RAID-1 arrays. Then you'll end up with about 7.1TB (TiB) of usable storage.

      ^ That..

      Buy a simple 2-4 bay NAS and 2x 6TB drives and put them in R1 if you are worried about losing backups.
      I just bought a pair of 8TB drives for my personal NAS for $120 each.
      https://www.amazon.com/gp/product/B09CT7M3NX

      Agreed. Two bay NAS, spinners, RAID 1. RAID 1 and done. Rule of thumb for storage... you always use RAID 1 until you can justify something else on the math. You want RAID 1 whenever possible because it is cheaper, simpler and reliable.

      posted in IT Discussion
      scottalanmiller
    • RE: Simple NAS advice

      @notverypunny said in Simple NAS advice:

      What about using a refurb (or new) full tower with 2 or 4 drives and a simple server OS install (Ubuntu, Fedora, opensuse or a more focused system like rockstor, freenas etc etc). That way you've got easily replaceable commodity hardware and eliminate dependencies on proprietary HW and probably reduce the timeframe for availability / application of software patches and security fixes.

      With it being for a school, are you able to get discounted education pricing?

      No question that it would work. Refurb isn't cheap like it used to be because of supply chain problems. Maybe if you find something a little old (not old old, just not new) you could do this effectively. Ubuntu, Fedora and OpenSuse or FreeBSD would be reasonable options.

      posted in IT Discussion
      scottalanmiller
    • RE: Simple NAS advice

      @notverypunny said in Simple NAS advice:

      or a more focused system like rockstor, freenas etc

      These you'd want to avoid. This is the worst of all worlds. They require more technical knowledge than either of the other two options, have the worst support and package management, have the least business use experience because of the former. They lack the benefits of the NAS hardware, and lack the benefit of the well known, well supported generic operating systems.

      posted in IT Discussion
      scottalanmiller
    • RE: Centralized Log Management

      @braswelljay said in Centralized Log Management:

      I was hoping to see what others might be doing to address these kind of issues.

      Most people don't have those issues. Retaining logs for a year is pretty much unheard of. Even Wall St. firms don't do that. Military might of course. But very few places can utilize a server log in real time, let alone a week old one, and to start poring through year old logs.... totally pointless.

      While there are times this might make sense, dollars to donuts your "cybersecurity" team has no idea what they are doing and making completely bogus requirements because they sound good to management but have no technical (ergo security) merit. No one responds to an incident a year later. That's ridiculous.

      Storing logs is expensive. Really expensive. No one does it. Not like that. It makes no sense. I'd ask for a pretty serious business explanation of how the cost of building, maintaining, and storing all that data is justified from their security response position. I guarantee once you ask them to explain, they'll be forced to admit they have no idea what they are doing.

      posted in IT Discussion
      scottalanmiller
    • RE: Centralized Log Management

      https://aws.amazon.com/opensearch-service/the-elk-stack/what-is-opensearch/

      posted in IT Discussion
      scottalanmiller