Re: OT: Guest network security

2013-02-07 Thread Andrew S. Baker
They bought Astaro a few years back...





ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for
the SMB market…





On Thu, Feb 7, 2013 at 1:21 AM, Kurt Buff  wrote:

> I didn't know that Sophos had gotten into the hardware world.
>
> That's very interesting, and I'll have to take a look at it.
>
> Just as an aside - I think that wired end-point connectivity is going
> the way of the dodo, except for the most demanding loads, so it makes a
> deal of sense for them to do that.
>
> Kurt
>
> On Wed, Feb 6, 2013 at 6:04 PM, Richard Stovall  wrote:
> > My bad.  I bought a Sophos AP 30 to go along with the firewall hardware.
> > This AP alone was about 45% of the total cost of the project, but I still
> > saved a good chunk of change over the SonicWall TZ + SonicPoint solution
> > that I had been planning on buying before finding the Sophos home license.
> >
> >
> > On Wed, Feb 6, 2013 at 8:42 PM, Kurt Buff wrote:
> >>
> >> So your wireless is served elsewise?
> >>
> >> Kurt
> >>
> >> On Wed, Feb 6, 2013 at 5:31 PM, Richard Stovall wrote:
> >> > I chose to build a new system so it would be small and silent rather
> >> > than use an old computer lying around the house.
> >> >
> >> > I went with:
> >> >
> >> > Intel D2500CCE fanless mini-ITX motherboard (Dual core 1.86 GHz Atom CPU
> >> > with dual Intel NICs onboard)
> >> >
> >> > 4 GB RAM
> >> >
> >> > 128GB Vertex 4 SSD
> >> >
> >> > It has been in 'production' for a couple of weeks now, and is stable and
> >> > very fast.  I also really like having the content filtering and antivirus
> >> > capabilities of a UTM firewall at home.
> >> >
> >> > The management interface is a little weird at first, but you get used to
> >> > it.
> >> >
> >> > I demo'ed the software in a VirtualBox VM for a week or so before pulling
> >> > the trigger on the hardware expense.
> >> >
> >> > If anyone is interested, the page at Sophos describing the offering is:
> >> >
> >> > http://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx
> >> >
> >> >
> >> > On Wed, Feb 6, 2013 at 3:20 PM, Kurt Buff wrote:
> >> >>
> >> >> Our Sidewinders are EOL at the end of April, and my manager doesn't
> >> >> like them.
> >> >>
> >> >> He's a Cisco bigot, and wants ASAs in here.
> >> >>
> >> >> I'm fighting him to at least take a look at the Palo Alto platform, or
> >> >> perhaps the newest iteration of the Sidewinders (which are now called
> >> >> McAfee Enterprise Firewalls).
> >> >>
> >> >> That's an interesting tip on the Sophos solution. What did you use for
> >> >> the hardware?
> >> >>
> >> >> Kurt
> >> >>
> >> >> On Wed, Feb 6, 2013 at 11:59 AM, Richard Stovall wrote:
> >> >> > I was going to suggest using the SonicPoint solution from SonicWall,
> >> >> > but you've got Sidewinders, don't you?
> >> >> >
> >> >> > Does McAfee have anything like SonicWall's wireless solution where
> >> >> > it's all managed from the firewall?
> >> >> >
> >> >> > PS  Sophos has this too, and they give their UTM firewall away free
> >> >> > for home use.  Just bring your own hardware.  I just switched to this
> >> >> > the other day and love it so far.  I should write a blog post about
> >> >> > it.  (But then I'd have to create a blog...)
> >> >> >
> >> >> >
> >> >> > On Wed, Feb 6, 2013 at 2:36 PM, Kurt Buff wrote:
> >> >> >>
> >> >> >> All,
> >> >> >>
> >> >> >> Quite some time ago, I set up an unsecured guest VLAN in our network,
> >> >> >> providing wireless access to all of the sundry devices that staff and
> >> >> >> visitors carry. I set up a small FreeBSD machine to serve IP addresses
> >> >> >> via DHCP, and that was dead simple.
> >> >> >>
> >> >> >> It is a layer2 VLAN, traversing our backbone, and terminating on our
> >> >> >> corporate firewall.
> >> >> >>
> >> >> >> However, there are now other tenants in our building, and the subnet
> >> >> >> is getting too much bandwidth and address consumption - the range I
> >> >> >> set up is completely filled, and the VLAN is consuming about half of
> >> >> >> our Internet pipe, which is far too much for my comfort.
> >> >> >>
> >> >> >> I suspect the other tenants are leeching.
> >> >> >>
> >> >> >> What I've read of captive portals seems to indicate that the portal
> >> >> >> is part of the firewall. I could be wrong about that, though.
> >> >> >> Regardless, the corporate firewall will not be allowed to be part of
> >> >> >> this solution.
> >> >> >>
> >> >> >> The only other alternative I see right now is to set up a password on
> >> >> >> the SSID, and have the front desk hand it out to guests, after mailing
> >> >> >> it to staff, and I'm getting pushback on that from my manager.
> >> >> >>
> 

Re: OT: Guest network security

2013-02-07 Thread Andrew S. Baker
LOL

It looks pretty good, but I need some more stuff.   This will be helpful
for me with smaller clients, though.  Rich!





ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for
the SMB market…





On Wed, Feb 6, 2013 at 9:36 PM, Richard Stovall  wrote:

> I have to say, it is pretty cool to have basically the same features at
> home that I have at work, even if the two user interfaces are completely
> different.  I dropped a good chunk of change up front, but I'll come out
> way ahead over a period of 4+ years.  (At least compared to SonicWall
> pricing from a really good reseller.)
>
> Now, if the hardware dies, or Sophos drops the program, I'll be calling
> you for the name of your Fortinet vendor...  :)
>
>
>
>
>  On Wed, Feb 6, 2013 at 9:05 PM, Andrew S. Baker wrote:
>
>>  Whoa!!!  That looks awesome. Man, I could really have gone for that
>> a few weeks back.
>>
>> My Fortigate 40C arrives tomorrow. :)
>>
>>
>>
>>
>>
>> ASB
>> http://XeeMe.com/AndrewBaker
>> Providing Virtual CIO Services (IT Operations & Information Security)
>> for the SMB market…
>>
>>
>>
>>
>>
>> On Wed, Feb 6, 2013 at 8:31 PM, Richard Stovall wrote:
>>
>>> I chose to build a new system so it would be small and silent rather
>>> than use an old computer lying around the house.
>>>
>>> I went with:
>>>
>>> Intel D2500CCE fanless mini-ITX motherboard (Dual core 1.86 GHz Atom CPU
>>> with dual Intel NICs onboard)
>>>
>>> 4 GB RAM
>>>
>>> 128GB Vertex 4 SSD
>>>
>>> It has been in 'production' for a couple of weeks now, and is stable and
>>> very fast.  I also really like having the content filtering and
>>> antivirus capabilities of a UTM firewall at home.
>>>
>>> The management interface is a little weird at first, but you get used to
>>> it.
>>>
>>> I demo'ed the software in a VirtualBox VM for a week or so before
>>> pulling the trigger on the hardware expense.
>>>
>>> If anyone is interested, the page at Sophos describing the offering is:
>>> http://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx
>>>
>>>
>>>
>>> On Wed, Feb 6, 2013 at 3:20 PM, Kurt Buff  wrote:
>>>
>>>> Our Sidewinders are EOL at the end of April, and my manager doesn't
>>>> like them.
>>>>
>>>> He's a Cisco bigot, and wants ASAs in here.
>>>>
>>>> I'm fighting him to at least take a look at the Palo Alto platform, or
>>>> perhaps the newest iteration of the Sidewinders (which are now called
>>>> McAfee Enterprise Firewalls).
>>>>
>>>> That's an interesting tip on the Sophos solution. What did you use for
>>>> the hardware?
>>>>
>>>> Kurt
>>>>
>>>> On Wed, Feb 6, 2013 at 11:59 AM, Richard Stovall wrote:
>>>> > I was going to suggest using the SonicPoint solution from SonicWall, but
>>>> > you've got Sidewinders, don't you?
>>>> >
>>>> > Does McAfee have anything like SonicWall's wireless solution where it's
>>>> > all managed from the firewall?
>>>> >
>>>> > PS  Sophos has this too, and they give their UTM firewall away free for
>>>> > home use.  Just bring your own hardware.  I just switched to this the
>>>> > other day and love it so far.  I should write a blog post about it.
>>>> > (But then I'd have to create a blog...)
>>>> >
>>>> >
>>>> > On Wed, Feb 6, 2013 at 2:36 PM, Kurt Buff wrote:
>>>> >>
>>>> >> All,
>>>> >>
>>>> >> Quite some time ago, I set up an unsecured guest VLAN in our network,
>>>> >> providing wireless access to all of the sundry devices that staff and
>>>> >> visitors carry. I set up a small FreeBSD machine to serve IP addresses
>>>> >> via DHCP, and that was dead simple.
>>>> >>
>>>> >> It is a layer2 VLAN, traversing our backbone, and terminating on our
>>>> >> corporate firewall.
>>>> >>
>>>> >> However, there are now other tenants in our building, and the subnet
>>>> >> is getting too much bandwidth and address consumption - the range I
>>>> >> set up is completely filled, and the VLAN is consuming about half of
>>>> >> our Internet pipe, which is far too much for my comfort.
>>>> >>
>>>> >> I suspect the other tenants are leeching.
>>>> >>
>>>> >> What I've read of captive portals seems to indicate that the portal
>>>> >> is part of the firewall. I could be wrong about that, though.
>>>> >> Regardless, the corporate firewall will not be allowed to be part of
>>>> >> this solution.
>>>> >>
>>>> >> The only other alternative I see right now is to set up a password on
>>>> >> the SSID, and have the front desk hand it out to guests, after mailing
>>>> >> it to staff, and I'm getting pushback on that from my manager.
>>>> >>
>>>> >> Does anyone have some ideas I could pursue on this?
>>>> >>
>>>> >> Thanks,
>>>> >>
>>>> >> Kurt
>>>> >>

RE: OT: Guest network security

2013-02-07 Thread Ziots, Edward
Full Subscription... been using for last 3 months. Caught over 1000+ unique 
malware samples to include payloads and back-channels of what the malware will 
do and where it comes from.

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org

This electronic message and any attachments may be privileged and confidential 
and protected from disclosure. If you are reading this message, but are not the 
intended recipient, nor an employee or agent responsible for delivering this 
message to the intended recipient, you are hereby notified that you are 
strictly prohibited from copying, printing, forwarding or otherwise 
disseminating this communication. If you have received this communication in 
error, please immediately notify the sender by replying to the message. Then, 
delete the message from your computer. Thank you.


From: Kevin Lundy [mailto:klu...@gmail.com]
Sent: Thursday, February 07, 2013 9:16 AM
To: NT System Admin Issues
Subject: Re: OT: Guest network security

Are you still using the "free" entry level version, or have you upgraded to the 
paid subscription yet?

Thanks for the feedback.

On Thursday, February 7, 2013, Ziots, Edward wrote:
I Love the wildfire piece, it's amazing what I get from it. 125% recommend that 
you turn it on if you haven't. The sandboxing reports I get I review and then 
update my security controls accordingly. It's been a real eye opener for some 
here.

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org



From: Kevin Lundy [mailto:klu...@gmail.com]
Sent: Wednesday, February 06, 2013 4:42 PM
To: NT System Admin Issues
Subject: Re: OT: Guest network security

Yep PA=Palo Alto

When we made the switch, our ASAs were due to be replaced.  Our Websense 
subscription was up for renewal at the same time.  The PA's were about the same 
price as new ASAs + Websense renewal.  Made for a no brainer decision.
Curious Z, are you using the Wildfire piece?
On Wed, Feb 6, 2013 at 4:08 PM, Ziots, Edward wrote:
If you mean PA=Palo Alto, they are dead on (scary CCIE would say that being 
from the CISCO house) I work on Palo Alto Daily, and it's sick how much these 
things can do.  Been finding a lot that I wouldn't have been able to obtain but 
regular firewall log parsing, and being able to quantify your own applications 
and make traffic rules based on them is pretty killer.

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org



From: Kevin Lundy [mailto:klu...@gmail.com]
Sent: Wednesday, February 06, 2013 3:48 PM
To: NT System Admin Issues
Subject: Re: OT: Guest network security

I have two CCIE's that work for me.  Both also used to work for a Cisco VAR - 
so obviously Cisco bigots.  They both recommended PA to me over the ASA.  From 
a security perspective, the PA do so much more than ASAs.  We still use ASAs 
for some intranet firewalls.

Are you using the Cisco controllers with your WAPs?  If so, they have captive 
portal capability.  They call it Lobby Ambassador.
On Wed, Feb 6, 2013 at 3:20 PM, Kurt Buff wrote:
Our Sidewinders are EOL at the end of April, and my manager doesn't like them.

He's a Cisco bigot, and wants ASAs in here.

I'm fighting him to at least take a look at the Palo Alto platform, or
perhaps the newest iteration of the Sidewinders (which are now called
McAfee Enterprise Firewalls).

That's an interesting tip on the Sophos solution. What did you use for
the hardware?

Kurt

On Wed, Feb 6, 2013 at 11:59 AM, Richard Stovall wrote:
> I was going to suggest 

Re: OT: Guest network security

2013-02-07 Thread Kevin Lundy
Are you still using the "free" entry level version, or have you upgraded to
the paid subscription yet?

Thanks for the feedback.

On Thursday, February 7, 2013, Ziots, Edward wrote:

> I Love the wildfire piece, it's amazing what I get from it. 125%
> recommend that you turn it on if you haven’t. The sandboxing reports I get
> I review and then update my security controls accordingly. It's been a real
> eye opener for some here.
>
> Z
>
> Edward E. Ziots, CISSP, Security +, Network +
> Security Engineer
> Lifespan Organization
> ezi...@lifespan.org
>
> From: Kevin Lundy [mailto:klu...@gmail.com]
> Sent: Wednesday, February 06, 2013 4:42 PM
> To: NT System Admin Issues
> Subject: Re: OT: Guest network security
>
> Yep PA=Palo Alto
>
> When we made the switch, our ASAs were due to be replaced.  Our Websense
> subscription was up for renewal at the same time.  The PA's were about the
> same price as new ASAs + Websense renewal.  Made for a no brainer decision.
>
> Curious Z, are you using the Wildfire piece?
>
> On Wed, Feb 6, 2013 at 4:08 PM, Ziots, Edward wrote:
>
> If you mean PA=Palo Alto, they are dead on (scary CCIE would say that
> being from the CISCO house) I work on Palo Alto Daily, and it's sick how
> much these things can do.  Been finding a lot that I wouldn’t have been
> able to obtain but regular firewall log parsing, and being able to
> quantify your own applications and make traffic rules based on them is
> pretty killer.
>
> Z
>
> Edward E. Ziots, CISSP, Security +, Network +
> Security Engineer
> Lifespan Organization
> ezi...@lifespan.org
>
> From: Kevin Lundy [mailto:klu...@gmail.com]
> Sent: Wednesday, February 06, 2013 3:48 PM
> To: NT System Admin Issues
> Subject: Re: OT: Guest network security
>
> I have two CCIE's that work for me.  Both also used to work for a Cisco
> VAR - so obviously Cisco bigots.  They both recommended PA to me over the
> ASA.  From a security perspective, the PA do so much more than ASAs.  We
> still use ASAs for some intranet firewalls.
>
> Are you using the Cisco controllers with your WAPs?  If so, they have
> captive portal capability.  They call it Lobby Ambassador.
>
> On Wed, Feb 6, 2013 at 3:20 PM, Kurt Buff wrote:
>
> Our Sidewinders are EOL at the end of April, and my manager doesn't like
> them.
>
> He's a Cisco bigot, and wants ASAs in here.
>
> I'm fighting him to at least take a look at the Palo Alto platform, or
> perhaps the newest iteration of the Sidewinders (which are now called
> McAfee Enterprise Firewalls).
>
> That's an interesting tip on the Sophos solution. What did you use for
> the hardware?
>
> Kurt
>
>
> On Wed, Feb 6, 2013 at 11:59 AM, Richard Stovall wrote:
> > I was going to suggest using the SonicPoint solution from SonicWall, but
> > you've got Sidewinders, don't you?
> >
> > Does M

RE: OT: Guest network security

2013-02-07 Thread Ziots, Edward
Honestly, the complexity is not that much harder than regular firewall 
administration. I have been using Palo's for about 1 yr+ and self taught just 
reading the admin manuals and working with my traffic patterns during work and 
been able to inspect a lot of traffic and do a lot of lockdown and I am using 
mine for FW, IPS and Web Filtering.

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org



From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Wednesday, February 06, 2013 5:04 PM
To: NT System Admin Issues
Subject: Re: OT: Guest network security

If you have someone to manage them, the PA devices are very, very robust.  But 
they do bring some complexity for all that power.






ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the 
SMB market...




On Wed, Feb 6, 2013 at 4:45 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
We have 15 Cisco 1240AGs, which were apparently announced of End of
Sale, though EOL is apparently 2018..

No controller, but I just talked with our supplier, who is
recommending the 2504. There's a unit that comes with a 15-WAP
license, for not too expensive.

*Very* good to know about the captive portal capability.

The recommendation of CCIEs for the PA over the ASA is, well,
interesting. I wonder if I can find someone he will believe on that...

Kurt

On Wed, Feb 6, 2013 at 12:48 PM, Kevin Lundy <klu...@gmail.com> wrote:
> I have two CCIE's that work for me.  Both also used to work for a Cisco VAR
> - so obviously Cisco bigots.  They both recommended PA to me over the ASA.
> From a security perspective, the PA do so much more than ASAs.  We still use
> ASAs for some intranet firewalls.
>
> Are you using the Cisco controllers with your WAPs?  If so, they have
> captive portal capability.  They call it Lobby Ambassador.
>
> On Wed, Feb 6, 2013 at 3:20 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>
>> Our Sidewinders are EOL at the end of April, and my manager doesn't like
>> them.
>>
>> He's a Cisco bigot, and wants ASAs in here.
>>
>> I'm fighting him to at least take a look at the Palo Alto platform, or
>> perhaps the newest iteration of the Sidewinders (which are now called
>> McAfee Enterprise Firewalls).
>>
>> That's an interesting tip on the Sophos solution. What did you use for
>> the hardware?
>>
>> Kurt
>>
>> On Wed, Feb 6, 2013 at 11:59 AM, Richard Stovall <rich...@gmail.com> wrote:
>> > I was going to suggest using the SonicPoint solution from SonicWall, but
>> > you've got Sidewinders, don't you?
>> >
>> > Does McAfee have anything like SonicWall's wireless solution where it's
>> > all managed from the firewall?
>> >
>> > PS  Sophos has this too, and they give their UTM firewall away free for
>> > home use.  Just bring your own hardware.  I just switched to this the other
>> > day and love it so far.  I should write a blog post about it.  (But then I'd
>> > have to create a blog...)
>> >
>> >
>> > On Wed, Feb 6, 2013 at 2:36 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>> >>
>> >> All,
>> >>
>> >> Quite some time ago, I set up an unsecured guest VLAN in our network,
>> >> providing wireless access to all of the sundry devices that staff and
>> >> visitors carry. I set up a small FreeBSD machine to serve IP addresses
>> >> via DHCP, and that was dead simple.
>> >>
>> >> It is a layer2 VLAN, traversing our backbone, and terminating on our
>> >> corporate firewall.
>> >>
>> >> However, there are now other tenants in our building, and the subnet
>> >> is getting too much bandwidth and address consumption - the range I
>> >> set up is completely filled, and the VLAN is consuming about half of
>> >

RE: OT: Guest network security

2013-02-07 Thread Ziots, Edward
I will be learning Fortinet soon enough since we got a bunch of them in as 
replacements for Juniper's.

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org



From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Wednesday, February 06, 2013 5:02 PM
To: NT System Admin Issues
Subject: Re: OT: Guest network security

I'll choose a Fortinet over an ASA every day of the week...






ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the 
SMB market...




On Wed, Feb 6, 2013 at 3:44 PM, Ziots, Edward <ezi...@lifespan.org> wrote:
LOL Cisco bigot... why is that sooo familiar. He would probably like Fortinet 
better if he knew the price and performance was way better than ASA's. (Found 
those to be kludgy)

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Wednesday, February 06, 2013 3:21 PM
To: NT System Admin Issues
Subject: Re: OT: Guest network security
Our Sidewinders are EOL at the end of April, and my manager doesn't like them.

He's a Cisco bigot, and wants ASAs in here.

I'm fighting him to at least take a look at the Palo Alto platform, or perhaps 
the newest iteration of the Sidewinders (which are now called McAfee Enterprise 
Firewalls).

That's an interesting tip on the Sophos solution. What did you use for the 
hardware?

Kurt

On Wed, Feb 6, 2013 at 11:59 AM, Richard Stovall <rich...@gmail.com> wrote:
> I was going to suggest using the SonicPoint solution from SonicWall,
> but you've got Sidewinders, don't you?
>
> Does McAfee have anything like SonicWall's wireless solution where
> it's all managed from the firewall?
>
> PS  Sophos has this too, and they give their UTM firewall away free
> for home use.  Just bring your own hardware.  I just switched to this
> the other day and love it so far.  I should write a blog post about
> it.  (But then I'd have to create a blog...)
>
>
> On Wed, Feb 6, 2013 at 2:36 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>
>> All,
>>
>> Quite some time ago, I set up an unsecured guest VLAN in our network,
>> providing wireless access to all of the sundry devices that staff and
>> visitors carry. I set up a small FreeBSD machine to serve IP
>> addresses via DHCP, and that was dead simple.
>>
>> It is a layer2 VLAN, traversing our backbone, and terminating on our
>> corporate firewall.
>>
>> However, there are now other tenants in our building, and the subnet
>> is getting too much bandwidth and address consumption - the range I
>> set up is completely filled, and the VLAN is consuming about half of
>> our Internet pipe, which is far too much for my comfort.
>>
>> I suspect the other tenants are leeching.
>>
>> What I've read of captive portals seems to indicate that the portal
>> is part of the firewall. I could be wrong about that, though.
>> Regardless, the corporate firewall will not be allowed to be part of this 
>> solution.
>>
>> The only other alternative I see right now is to set up a password on
>> the SSID, and have the front desk hand it out to guests, after
>> mailing it to staff, and I'm getting pushback on that from my manager.
>>
>> Does anyone have some ideas I could

RE: OT: Guest network security

2013-02-07 Thread Ziots, Edward
Adaptive out of Portsmouth NH is who we work with. All they do is PA….

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org



From: Pete Howard [mailto:pchow...@yahoo.com]
Sent: Wednesday, February 06, 2013 4:59 PM
To: NT System Admin Issues
Subject: Re: OT: Guest network security

Anyone have a favorite VAR to work with for PA's ? A few of my usual vendors 
don't carry them


From: "Ziots, Edward" <ezi...@lifespan.org>
To: NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
Sent: Wednesday, February 6, 2013 4:08 PM
Subject: RE: OT: Guest network security

If you mean PA=Palo Alto, they are dead on (scary CCIE would say that being 
from the CISCO house) I work on Palo Alto Daily, and it's sick how much these 
things can do.  Been finding a lot that I wouldn’t have been able to obtain but 
regular firewall log parsing, and being able to quantify your own applications 
and make traffic rules based on them is pretty killer.

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org



From: Kevin Lundy [mailto:klu...@gmail.com]
Sent: Wednesday, February 06, 2013 3:48 PM
To: NT System Admin Issues
Subject: Re: OT: Guest network security

I have two CCIE's that work for me.  Both also used to work for a Cisco VAR - 
so obviously Cisco bigots.  They both recommended PA to me over the ASA.  From 
a security perspective, the PA do so much more than ASAs.  We still use ASAs 
for some intranet firewalls.

Are you using the Cisco controllers with your WAPs?  If so, they have captive 
portal capability.  They call it Lobby Ambassador.
On Wed, Feb 6, 2013 at 3:20 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
Our Sidewinders are EOL at the end of April, and my manager doesn't like them.

He's a Cisco bigot, and wants ASAs in here.

I'm fighting him to at least take a look at the Palo Alto platform, or
perhaps the newest iteration of the Sidewinders (which are now called
McAfee Enterprise Firewalls).

That's an interesting tip on the Sophos solution. What did you use for
the hardware?

Kurt

On Wed, Feb 6, 2013 at 11:59 AM, Richard Stovall <rich...@gmail.com> wrote:
> I was going to suggest using the SonicPoint solution from SonicWall, but
> you've got Sidewinders, don't you?
>
> Does McAfee have anything like SonicWall's wireless solution where it's all
> managed from the firewall?
>
> PS  Sophos has this too, and they give their UTM firewall away free for home
> use.  Just bring your own hardware.  I just switched to this the other day
> and love it so far.  I should write a blog post about it.  (But then I'd
> have to create a blog...)
>
>
> On Wed, Feb 6, 2013 at 2:36 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>
>> All,
>>
>> Quite some time ago, I set up an unsecured guest VLAN in our network,
>> providing wireless access to all of the sundry devices that staff and
>> visitors carry. I set up a small FreeBSD machine to serve IP addresses
>> via DHCP, and that was dead simple.
>>
>> It is a layer2 VLAN, traversing our backbone, and terminating on our
>> corporate firewall.
>>
>> However, there are now other tenants in our building, and the subnet
>> is getting too much bandwidth and address consumption - the range I
>> set up is completely filled, and the VLAN is consuming about half of
>> our Internet pipe, which is far too much for my comfort.
>

RE: OT: Guest network security

2013-02-07 Thread Ziots, Edward
Hell I'd vouch for the PA's for ya, because I have been working with them 
directly for about a year and done a lot of lockdown based on the functionality 
that isn't in ASA's or other FW's I have worked with. 

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Wednesday, February 06, 2013 4:45 PM
To: NT System Admin Issues
Subject: Re: OT: Guest network security

We have 15 Cisco 1240AGs, which were apparently announced as End of Sale, 
though EOL is apparently 2018.

No controller, but I just talked with our supplier, who is recommending the 
2504. There's a unit that comes with a 15-WAP license, for not too expensive.

*Very* good to know about the captive portal capability.

The recommendation of CCIEs for the PA over the ASA is, well, interesting. I 
wonder if I can find someone he will believe on that...

Kurt

On Wed, Feb 6, 2013 at 12:48 PM, Kevin Lundy  wrote:
> I have two CCIE's that work for me.  Both also used to work for a 
> Cisco VAR
> - so obviously Cisco bigots.  They both recommended PA to me over the ASA.
> From a security perspective, the PA do so much more than ASAs.  We 
> still use ASAs for some intranet firewalls.
>
> Are you using the Cisco controllers with your WAPs?  If so, they have 
> captive portal capability.  They call it Lobby Ambassador.
>
> On Wed, Feb 6, 2013 at 3:20 PM, Kurt Buff  wrote:
>>
>> Our Sidewinders are EOL at the end of April, and my manager doesn't 
>> like them.
>>
>> He's a Cisco bigot, and wants ASAs in here.
>>
>> I'm fighting him to at least take a look at the Palo Alto platform, 
>> or perhaps the newest iteration of the Sidewinders (which are now 
>> called McAfee Enterprise Firewalls).
>>
>> That's an interesting tip on the Sophos solution. What did you use 
>> for the hardware?
>>
>> Kurt
>>
>> On Wed, Feb 6, 2013 at 11:59 AM, Richard Stovall 
>> wrote:
>> > I was going to suggest using the SonicPoint solution from 
>> > SonicWall, but you've got Sidewinders, don't you?
>> >
>> > Does McAfee have anything like SonicWall's wireless solution where 
>> > it's all managed from the firewall?
>> >
>> > PS  Sophos has this too, and they give their UTM firewall away free 
>> > for home use.  Just bring your own hardware.  I just switched to 
>> > this the other day and love it so far.  I should write a blog post 
>> > about it.  (But then I'd have to create a blog...)
>> >
>> >
>> > On Wed, Feb 6, 2013 at 2:36 PM, Kurt Buff  wrote:
>> >>
>> >> All,
>> >>
>> >> Quite some time ago, I set up an unsecured guest VLAN in our 
>> >> network, providing wireless access to all of the sundry devices 
>> >> that staff and visitors carry. I set up a small FreeBSD machine to 
>> >> serve IP addresses via DHCP, and that was dead simple.
>> >>
>> >> It is a layer2 VLAN, traversing our backbone, and terminating on 
>> >> our corporate firewall.
>> >>
>> >> However, there are now other tenants in our building, and the 
>> >> subnet is getting too much bandwidth and address consumption - the 
>> >> range I set up is completely filled, and the VLAN is consuming 
>> >> about half of our Internet pipe, which is far too much for my comfort.
>> >>
>> >> I suspect the other tenants are leeching.
>> >>
>> >> What I've read of captive portals seems to indicate that the 
>> >> portal is part of the firewall. I could be wrong about that, 
>> >> though. Regardless, the corporate firewall will not be allowed to 
>> >> be part of this solution.
>> >>
>> >> The only other alternative I see right now is to set up a password 
>> >> on the SSID, and have the front desk hand it out to guests, after 
>> >> mailing it to staff, and I'm g

RE: OT: Guest network security

2013-02-07 Thread Ziots, Edward
I love the Wildfire piece, it's amazing what I get from it. 125% recommend that 
you turn it on if you haven't. The sandboxing reports I get I review and then 
update my security controls accordingly. It's been a real eye opener for some 
here.

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org



From: Kevin Lundy [mailto:klu...@gmail.com]
Sent: Wednesday, February 06, 2013 4:42 PM
To: NT System Admin Issues
Subject: Re: OT: Guest network security

Yep PA=Palo Alto

When we made the switch, our ASAs were due to be replaced.  Our Websense 
subscription was up for renewal at the same time.  The PA's were about the same 
price as new ASAs + Websense renewal.  Made for a no brainer decision.
Curious Z, are you using the Wildfire piece?
On Wed, Feb 6, 2013 at 4:08 PM, Ziots, Edward <ezi...@lifespan.org> wrote:
If you mean PA=Palo Alto, they are dead on (scary CCIE would say that being 
from the Cisco house) I work on Palo Alto daily, and it's sick how much these 
things can do.  Been finding a lot that I wouldn't have been able to obtain by 
regular firewall log parsing, and being able to quantify your own applications 
and make traffic rules based on them is pretty killer.

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org



From: Kevin Lundy [mailto:klu...@gmail.com]
Sent: Wednesday, February 06, 2013 3:48 PM

To: NT System Admin Issues
Subject: Re: OT: Guest network security

I have two CCIE's that work for me.  Both also used to work for a Cisco VAR - 
so obviously Cisco bigots.  They both recommended PA to me over the ASA.  From 
a security perspective, the PA do so much more than ASAs.  We still use ASAs 
for some intranet firewalls.

Are you using the Cisco controllers with your WAPs?  If so, they have captive 
portal capability.  They call it Lobby Ambassador.
On Wed, Feb 6, 2013 at 3:20 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
Our Sidewinders are EOL at the end of April, and my manager doesn't like them.

He's a Cisco bigot, and wants ASAs in here.

I'm fighting him to at least take a look at the Palo Alto platform, or
perhaps the newest iteration of the Sidewinders (which are now called
McAfee Enterprise Firewalls).

That's an interesting tip on the Sophos solution. What did you use for
the hardware?

Kurt

On Wed, Feb 6, 2013 at 11:59 AM, Richard Stovall <rich...@gmail.com> wrote:
> I was going to suggest using the SonicPoint solution from SonicWall, but
> you've got Sidewinders, don't you?
>
> Does McAfee have anything like SonicWall's wireless solution where it's all
> managed from the firewall?
>
> PS  Sophos has this too, and they give their UTM firewall away free for home
> use.  Just bring your own hardware.  I just switched to this the other day
> and love it so far.  I should write a blog post about it.  (But then I'd
> have to create a blog...)
>
>
> On Wed, Feb 6, 2013 at 2:36 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>
>> All,
>>
>> Quite some time ago, I set up an unsecured guest VLAN in our network,
>> providing wireless access to all of the sundry devices that staff and
>> visitors carry. I set up a small FreeBSD machine to serve IP addresses
>> via DHCP, and that was dead simple.
>>
>> It is a layer2 VLAN, traversing our backbone, and terminating on our
>> corporate firewall.
>>
>> However, there are now other tenants in our building, a

RE: OT: Guest network security

2013-02-06 Thread Ken Schaefer
Wired connectivity is going to be around for a while - even for EUC. Lots of 
orgs (governments, banks etc.) have limited or no wireless available for 
various reasons.

Cheers
Ken

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Thursday, 7 February 2013 5:22 PM
To: NT System Admin Issues
Subject: Re: OT: Guest network security

I didn't know that Sophos had gotten into the hardware world.

That's very interesting, and I'll have to take a look at it.

Just as an aside - I think that wired end-point connectivity is going the way 
of the dodo, except for the most demanding loads, so it makes a deal of sense 
for them to do that.

Kurt

On Wed, Feb 6, 2013 at 6:04 PM, Richard Stovall  wrote:
> My bad.  I bought a Sophos AP 30 to go along with the firewall hardware.
> This AP alone was about 45% of the total cost of the project, but I 
> still saved a good chunk of change over the SonicWall TZ + SonicPoint 
> solution that I had been planning on buying before finding the Sophos home 
> license.
>
>
> On Wed, Feb 6, 2013 at 8:42 PM, Kurt Buff  wrote:
>>
>> So your wireless is served elsewise?
>>
>> Kurt
>>
>> On Wed, Feb 6, 2013 at 5:31 PM, Richard Stovall  wrote:
>> > I chose to build a new system so it would be small and silent 
>> > rather than use an old computer lying around the house.
>> >
>> > I went with:
>> >
>> > Intel D2500CCE fanless mini-ITX motherboard (Dual core 1.86 GHz 
>> > Atom CPU with dual Intel NICs onboard)
>> >
>> > 4 GB RAM
>> >
>> > 128GB Vertex 4 SSD
>> >
>> > It has been in 'production' for a couple of weeks now, and is 
>> > stable and very fast.  I also really like having the content 
>> > filtering and antivirus capabilities of a UTM firewall at home.
>> >
>> > The management interface is a little weird at first, but you get 
>> > used to it.
>> >
>> > I demo'ed the software in a VirtualBox VM for a week or so before 
>> > pulling the trigger on the hardware expense.
>> >
>> > If anyone is interested, the page at Sophos describing the offering is:
>> >
>> > http://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

Re: OT: Guest network security

2013-02-06 Thread Kurt Buff
I didn't know that Sophos had gotten into the hardware world.

That's very interesting, and I'll have to take a look at it.

Just as an aside - I think that wired end-point connectivity is going
the way of the dodo, except for the most demanding loads, so it makes a
deal of sense for them to do that.

Kurt

On Wed, Feb 6, 2013 at 6:04 PM, Richard Stovall  wrote:
> My bad.  I bought a Sophos AP 30 to go along with the firewall hardware.
> This AP alone was about 45% of the total cost of the project, but I still
> saved a good chunk of change over the SonicWall TZ + SonicPoint solution
> that I had been planning on buying before finding the Sophos home license.
>
>
> On Wed, Feb 6, 2013 at 8:42 PM, Kurt Buff  wrote:
>>
>> So your wireless is served elsewise?
>>
>> Kurt
>>
>> On Wed, Feb 6, 2013 at 5:31 PM, Richard Stovall  wrote:
>> > I chose to build a new system so it would be small and silent rather
>> > than
>> > use an old computer lying around the house.
>> >
>> > I went with:
>> >
>> > Intel D2500CCE fanless mini-ITX motherboard (Dual core 1.86 GHz Atom CPU
>> > with dual Intel NICs onboard)
>> >
>> > 4 GB RAM
>> >
>> > 128GB Vertex 4 SSD
>> >
>> > It has been in 'production' for a couple of weeks now, and is stable and
>> > very fast.  I also really like having the content filtering and
>> > antivirus
>> > capabilities of a UTM firewall at home.
>> >
>> > The management interface is a little weird at first, but you get used to
>> > it.
>> >
>> > I demo'ed the software in a VirtualBox VM for a week or so before
>> > pulling
>> > the trigger on the hardware expense.
>> >
>> > If anyone is interested, the page at Sophos describing the offering is:
>> >
>> > http://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx
>> >
>> >
>> >
>> > On Wed, Feb 6, 2013 at 3:20 PM, Kurt Buff  wrote:
>> >>
>> >> Our Sidewinders are EOL at the end of April, and my manager doesn't
>> >> like
>> >> them.
>> >>
>> >> He's a Cisco bigot, and wants ASAs in here.
>> >>
>> >> I'm fighting him to at least take a look at the Palo Alto platform, or
>> >> perhaps the newest iteration of the Sidewinders (which are now called
>> >> McAfee Enterprise Firewalls).
>> >>
>> >> That's an interesting tip on the Sophos solution. What did you use for
>> >> the hardware?
>> >>
>> >> Kurt
>> >>
>> >> On Wed, Feb 6, 2013 at 11:59 AM, Richard Stovall 
>> >> wrote:
>> >> > I was going to suggest using the SonicPoint solution from SonicWall,
>> >> > but
>> >> > you've got Sidewinders, don't you?
>> >> >
>> >> > Does McAfee have anything like SonicWall's wireless solution where
>> >> > it's
>> >> > all
>> >> > managed from the firewall?
>> >> >
>> >> > PS  Sophos has this too, and they give their UTM firewall away free
>> >> > for
>> >> > home
>> >> > use.  Just bring your own hardware.  I just switched to this the
>> >> > other
>> >> > day
>> >> > and love it so far.  I should write a blog post about it.  (But then
>> >> > I'd
>> >> > have to create a blog...)
>> >> >
>> >> >
>> >> > On Wed, Feb 6, 2013 at 2:36 PM, Kurt Buff 
>> >> > wrote:
>> >> >>
>> >> >> All,
>> >> >>
>> >> >> Quite some time ago, I set up an unsecured guest VLAN in our
>> >> >> network,
>> >> >> providing wireless access to all of the sundry devices that staff
>> >> >> and
>> >> >> visitors carry. I set up a small FreeBSD machine to serve IP
>> >> >> addresses
>> >> >> via DHCP, and that was dead simple.
>> >> >>
>> >> >> It is a layer2 VLAN, traversing our backbone, and terminating on our
>> >> >> corporate firewall.
>> >> >>
>> >> >> However, there are now other tenants in our building, and the subnet
>> >> >> is getting too much bandwidth and address consumption - the range I
>> >> >> set up is completely filled, and the VLAN is consuming about half of
>> >> >> our Internet pipe, which is far too much for my comfort.
>> >> >>
>> >> >> I suspect the other tenants are leeching.
>> >> >>
>> >> >> What I've read of captive portals seems to indicate that the portal
>> >> >> is
>> >> >> part of the firewall. I could be wrong about that, though.
>> >> >> Regardless,
>> >> >> the
>> >> >> corporate firewall will not be allowed to be part of this solution.
>> >> >>
>> >> >> The only other alternative I see right now is to set up a password
>> >> >> on
>> >> >> the SSID, and have the front desk hand it out to guests, after
>> >> >> mailing
>> >> >> it to staff, and I'm getting pushback on that from my manager.
>> >> >>
>> >> >> Does anyone have some ideas I could pursue on this?
>> >> >>
>> >> >> Thanks,
>> >> >>
>> >> >> Kurt
>> >> >>

Re: OT: Guest network security

2013-02-06 Thread Richard Stovall
I have to say, it is pretty cool to have basically the same features at
home that I have at work, even if the two user interfaces are completely
different.  I dropped a good chunk of change up front, but I'll come out
way ahead over a period of 4+ years.  (At least compared to SonicWall
pricing from a really good reseller.)

Now, if the hardware dies, or Sophos drops the program, I'll be calling you
for the name of your Fortinet vendor...  :)




On Wed, Feb 6, 2013 at 9:05 PM, Andrew S. Baker  wrote:

> Whoa!!!  That looks awesome. Man, I could really have gone for that a
> few weeks back.
>
> My Fortigate 40C arrives tomorrow. :)
>
>
>
>
>
> *ASB
> **http://XeeMe.com/AndrewBaker* *
> **Providing Virtual CIO Services (IT Operations & Information Security)
> for the SMB market…***
>
>
>
>
>
> On Wed, Feb 6, 2013 at 8:31 PM, Richard Stovall  wrote:
>
>> I chose to build a new system so it would be small and silent rather than
>> use an old computer lying around the house.
>>
>> I went with:
>>
>> Intel D2500CCE fanless mini-ITX motherboard (Dual core 1.86 GHz Atom CPU
>> with dual Intel NICs onboard)
>>
>> 4 GB RAM
>>
>> 128GB Vertex 4 SSD
>>
>> It has been in 'production' for a couple of weeks now, and is stable and
>> very fast.  I also really like having the content filtering and
>> antivirus capabilities of a UTM firewall at home.
>>
>> The management interface is a little weird at first, but you get used to
>> it.
>>
>> I demo'ed the software in a VirtualBox VM for a week or so before pulling
>> the trigger on the hardware expense.
>>
>> If anyone is interested, the page at Sophos describing the offering is:
>> http://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx
>>
>>
>>
>> On Wed, Feb 6, 2013 at 3:20 PM, Kurt Buff  wrote:
>>
>>> Our Sidewinders are EOL at the end of April, and my manager doesn't like
>>> them.
>>>
>>> He's a Cisco bigot, and wants ASAs in here.
>>>
>>> I'm fighting him to at least take a look at the Palo Alto platform, or
>>> perhaps the newest iteration of the Sidewinders (which are now called
>>> McAfee Enterprise Firewalls).
>>>
>>> That's an interesting tip on the Sophos solution. What did you use for
>>> the hardware?
>>>
>>> Kurt
>>>
>>> On Wed, Feb 6, 2013 at 11:59 AM, Richard Stovall 
>>> wrote:
>>> > I was going to suggest using the SonicPoint solution from SonicWall,
>>> but
>>> > you've got Sidewinders, don't you?
>>> >
>>> > Does McAfee have anything like SonicWall's wireless solution where
>>> it's all
>>> > managed from the firewall?
>>> >
>>> > PS  Sophos has this too, and they give their UTM firewall away free
>>> for home
>>> > use.  Just bring your own hardware.  I just switched to this the other
>>> day
>>> > and love it so far.  I should write a blog post about it.  (But then
>>> I'd
>>> > have to create a blog...)
>>> >
>>> >
>>> > On Wed, Feb 6, 2013 at 2:36 PM, Kurt Buff  wrote:
>>> >>
>>> >> All,
>>> >>
>>> >> Quite some time ago, I set up an unsecured guest VLAN in our network,
>>> >> providing wireless access to all of the sundry devices that staff and
>>> >> visitors carry. I set up a small FreeBSD machine to serve IP addresses
>>> >> via DHCP, and that was dead simple.
>>> >>
>>> >> It is a layer2 VLAN, traversing our backbone, and terminating on our
>>> >> corporate firewall.
>>> >>
>>> >> However, there are now other tenants in our building, and the subnet
>>> >> is getting too much bandwidth and address consumption - the range I
>>> >> set up is completely filled, and the VLAN is consuming about half of
>>> >> our Internet pipe, which is far too much for my comfort.
>>> >>
>>> >> I suspect the other tenants are leeching.
>>> >>
>>> >> What I've read of captive portals seems to indicate that the portal is
>>> >> part of the firewall. I could be wrong about that, though.
>>> Regardless, the
>>> >> corporate firewall will not be allowed to be part of this solution.
>>> >>
>>> >> The only other alternative I see right now is to set up a password on
>>> >> the SSID, and have the front desk hand it out to guests, after mailing
>>> >> it to staff, and I'm getting pushback on that from my manager.
>>> >>
>>> >> Does anyone have some ideas I could pursue on this?
>>> >>
>>> >> Thanks,
>>> >>
>>> >> Kurt
>>> >>
>

RE: OT: Guest network security

2013-02-06 Thread Jon Harris

Last $dayjob$ before current I pushed the guest network to a DSL line and put a 
cheap Linksys SOHO router on it.  Kept the Production as closed as possible and 
guest had hours of operation.  I found our "neighbors" using our guest on more 
than a couple of occasions.  Politics plays a big part in these decisions.  I 
went at it that we were using x% of the T1 on average with y% being used at 
peak.  Since y was at or near capacity it was not hard to convince the powers 
that be that we would have to restrict what the staff was doing or put guest 
out on their own.  I did get permission to place limits on where we would 
secure the guest network before I even got it operational.  I was able to show 
our neighbor's signal strength would allow them to connect.

Jon

> Date: Wed, 6 Feb 2013 11:36:00 -0800
> Subject: OT: Guest network security
> From: kurt.b...@gmail.com
> To: ntsysadmin@lyris.sunbelt-software.com
> 
> All,
> 
> Quite some time ago, I set up an unsecured guest VLAN in our network,
> providing wireless access to all of the sundry devices that staff and
> visitors carry. I set up a small FreeBSD machine to serve IP addresses
> via DHCP, and that was dead simple.
> 
> It is a layer2 VLAN, traversing our backbone, and terminating on our
> corporate firewall.
> 
> However, there are now other tenants in our building, and the subnet
> is getting too much bandwidth and address consumption - the range I
> set up is completely filled, and the VLAN is consuming about half of
> our Internet pipe, which is far too much for my comfort.
> 
> I suspect the other tenants are leeching.
> 
> What I've read of captive portals seems to indicate that the portal is
> part of the firewall. I could be wrong about that, though. Regardless, the
> corporate firewall will not be allowed to be part of this solution.
> 
> The only other alternative I see right now is to set up a password on
> the SSID, and have the front desk hand it out to guests, after mailing
> it to staff, and I'm getting pushback on that from my manager.
> 
> Does anyone have some ideas I could pursue on this?
> 
> Thanks,
> 
> Kurt
> 

Re: OT: Guest network security

2013-02-06 Thread Richard Stovall
My bad.  I bought a Sophos AP 30 to go along with the firewall hardware.
 This AP alone was about 45% of the total cost of the project, but I still
saved a good chunk of change over the SonicWall TZ + SonicPoint solution
that I had been planning on buying before finding the Sophos home license.


On Wed, Feb 6, 2013 at 8:42 PM, Kurt Buff  wrote:

> So your wireless is served elsewise?
>
> Kurt
>
> On Wed, Feb 6, 2013 at 5:31 PM, Richard Stovall  wrote:
> > I chose to build a new system so it would be small and silent rather than
> > use an old computer lying around the house.
> >
> > I went with:
> >
> > Intel D2500CCE fanless mini-ITX motherboard (Dual core 1.86 GHz Atom CPU
> > with dual Intel NICs onboard)
> >
> > 4 GB RAM
> >
> > 128GB Vertex 4 SSD
> >
> > It has been in 'production' for a couple of weeks now, and is stable and
> > very fast.  I also really like having the content filtering and antivirus
> > capabilities of a UTM firewall at home.
> >
> > The management interface is a little weird at first, but you get used to
> it.
> >
> > I demo'ed the software in a VirtualBox VM for a week or so before pulling
> > the trigger on the hardware expense.
> >
> > If anyone is interested, the page at Sophos describing the offering is:
> >
> http://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx
> >
> >
> >
> > On Wed, Feb 6, 2013 at 3:20 PM, Kurt Buff  wrote:
> >>
> >> Our Sidewinders are EOL at the end of April, and my manager doesn't like
> >> them.
> >>
> >> He's a Cisco bigot, and wants ASAs in here.
> >>
> >> I'm fighting him to at least take a look at the Palo Alto platform, or
> >> perhaps the newest iteration of the Sidewinders (which are now called
> >> McAfee Enterprise Firewalls).
> >>
> >> That's an interesting tip on the Sophos solution. What did you use for
> >> the hardware?
> >>
> >> Kurt
> >>
> >> On Wed, Feb 6, 2013 at 11:59 AM, Richard Stovall 
> >> wrote:
> >> > I was going to suggest using the SonicPoint solution from SonicWall,
> but
> >> > you've got Sidewinders, don't you?
> >> >
> >> > Does McAfee have anything like SonicWall's wireless solution where
> it's
> >> > all
> >> > managed from the firewall?
> >> >
> >> > PS  Sophos has this too, and they give their UTM firewall away free
> for
> >> > home
> >> > use.  Just bring your own hardware.  I just switched to this the other
> >> > day
> >> > and love it so far.  I should write a blog post about it.  (But then
> I'd
> >> > have to create a blog...)
> >> >
> >> >
> >> > On Wed, Feb 6, 2013 at 2:36 PM, Kurt Buff 
> wrote:
> >> >>
> >> >> All,
> >> >>
> >> >> Quite some time ago, I set up an unsecured guest VLAN in our network,
> >> >> providing wireless access to all of the sundry devices that staff and
> >> >> visitors carry. I set up a small FreeBSD machine to serve IP
> addresses
> >> >> via DHCP, and that was dead simple.
> >> >>
> >> >> It is a layer2 VLAN, traversing our backbone, and terminating on our
> >> >> corporate firewall.
> >> >>
> >> >> However, there are now other tenants in our building, and the subnet
> >> >> is getting too much bandwidth and address consumption - the range I
> >> >> set up is completely filled, and the VLAN is consuming about half of
> >> >> our Internet pipe, which is far too much for my comfort.
> >> >>
> >> >> I suspect the other tenants are leeching.
> >> >>
> >> >> What I've read of captive portals seems to indicate that the portal
> is
> >> >> part of the firewall. I could be wrong about that, though.
> Regardless,
> >> >> the
> >> >> corporate firewall will not be allowed to be part of this solution.
> >> >>
> >> >> The only other alternative I see right now is to set up a password on
> >> >> the SSID, and have the front desk hand it out to guests, after
> mailing
> >> >> it to staff, and I'm getting pushback on that from my manager.
> >> >>
> >> >> Does anyone have some ideas I could pursue on this?
> >> >>
> >> >> Thanks,
> >> >>
> >> >> Kurt
> >> >>

Re: OT: Guest network security

2013-02-06 Thread Kurt Buff
So your wireless is served elsewise?

Kurt

On Wed, Feb 6, 2013 at 5:31 PM, Richard Stovall  wrote:
> I chose to build a new system so it would be small and silent rather than
> use an old computer lying around the house.
>
> I went with:
>
> Intel D2500CCE fanless mini-ITX motherboard (Dual core 1.86 GHz Atom CPU
> with dual Intel NICs onboard)
>
> 4 GB RAM
>
> 128GB Vertex 4 SSD
>
> It has been in 'production' for a couple of weeks now, and is stable and
> very fast.  I also really like having the content filtering and antivirus
> capabilities of a UTM firewall at home.
>
> The management interface is a little weird at first, but you get used to it.
>
> I demo'ed the software in a VirtualBox VM for a week or so before pulling
> the trigger on the hardware expense.
>
> If anyone is interested, the page at Sophos describing the offering is:
> http://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx
>
>
>
> On Wed, Feb 6, 2013 at 3:20 PM, Kurt Buff  wrote:
>>
>> Our Sidewinders are EOL at the end of April, and my manager doesn't like
>> them.
>>
>> He's a Cisco bigot, and wants ASAs in here.
>>
>> I'm fighting him to at least take a look at the Palo Alto platform, or
>> perhaps the newest iteration of the Sidewinders (which are now called
>> McAfee Enterprise Firewalls).
>>
>> That's an interesting tip on the Sophos solution. What did you use for
>> the hardware?
>>
>> Kurt
>>
>> On Wed, Feb 6, 2013 at 11:59 AM, Richard Stovall  wrote:
>> > I was going to suggest using the SonicPoint solution from SonicWall, but
>> > you've got Sidewinders, don't you?
>> >
>> > Does McAfee have anything like SonicWall's wireless solution where it's
>> > all managed from the firewall?
>> >
>> > PS  Sophos has this too, and they give their UTM firewall away free for
>> > home use.  Just bring your own hardware.  I just switched to this the
>> > other day and love it so far.  I should write a blog post about it.
>> > (But then I'd have to create a blog...)
>> >
>> >
>> > On Wed, Feb 6, 2013 at 2:36 PM, Kurt Buff  wrote:
>> >>
>> >> All,
>> >>
>> >> Quite some time ago, I set up an unsecured guest VLAN in our network,
>> >> providing wireless access to all of the sundry devices that staff and
>> >> visitors carry. I set up a small FreeBSD machine to serve IP addresses
>> >> via DHCP, and that was dead simple.
>> >>
>> >> It is a layer2 VLAN, traversing our backbone, and terminating on our
>> >> corporate firewall.
>> >>
>> >> However, there are now other tenants in our building, and the subnet
>> >> is getting too much bandwidth and address consumption - the range I
>> >> set up is completely filled, and the VLAN is consuming about half of
>> >> our Internet pipe, which is far too much for my comfort.
>> >>
>> >> I suspect the other tenants are leeching.
>> >>
>> >> What I've read of captive portals seems to indicate that the portal is
>> >> part of the firewall. I could be wrong about that, though. Regardless,
>> >> the corporate firewall will not be allowed to be part of this solution.
>> >>
>> >> The only other alternative I see right now is to set up a password on
>> >> the SSID, and have the front desk hand it out to guests, after mailing
>> >> it to staff, and I'm getting pushback on that from my manager.
>> >>
>> >> Does anyone have some ideas I could pursue on this?
>> >>
>> >> Thanks,
>> >>
>> >> Kurt
>> >>

Re: OT: Guest network security

2013-02-06 Thread Richard Stovall
I chose to build a new system so it would be small and silent rather than
use an old computer lying around the house.

I went with:

Intel D2500CCE fanless mini-ITX motherboard (Dual core 1.86 GHz Atom CPU
with dual Intel NICs onboard)

4 GB RAM

128GB Vertex 4 SSD

It has been in 'production' for a couple of weeks now, and is stable and
very fast.  I also really like having the content filtering and
antivirus capabilities of a UTM firewall at home.

The management interface is a little weird at first, but you get used to it.

I demo'ed the software in a VirtualBox VM for a week or so before pulling
the trigger on the hardware expense.

If anyone is interested, the page at Sophos describing the offering is:
http://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx



On Wed, Feb 6, 2013 at 3:20 PM, Kurt Buff  wrote:

> Our Sidewinders are EOL at the end of April, and my manager doesn't like
> them.
>
> He's a Cisco bigot, and wants ASAs in here.
>
> I'm fighting him to at least take a look at the Palo Alto platform, or
> perhaps the newest iteration of the Sidewinders (which are now called
> McAfee Enterprise Firewalls).
>
> That's an interesting tip on the Sophos solution. What did you use for
> the hardware?
>
> Kurt
>
> On Wed, Feb 6, 2013 at 11:59 AM, Richard Stovall  wrote:
> > I was going to suggest using the SonicPoint solution from SonicWall, but
> > you've got Sidewinders, don't you?
> >
> > Does McAfee have anything like SonicWall's wireless solution where it's
> > all managed from the firewall?
> >
> > PS  Sophos has this too, and they give their UTM firewall away free for
> > home use.  Just bring your own hardware.  I just switched to this the
> > other day and love it so far.  I should write a blog post about it.
> > (But then I'd have to create a blog...)
> >
> >
> > On Wed, Feb 6, 2013 at 2:36 PM, Kurt Buff  wrote:
> >>
> >> All,
> >>
> >> Quite some time ago, I set up an unsecured guest VLAN in our network,
> >> providing wireless access to all of the sundry devices that staff and
> >> visitors carry. I set up a small FreeBSD machine to serve IP addresses
> >> via DHCP, and that was dead simple.
> >>
> >> It is a layer2 VLAN, traversing our backbone, and terminating on our
> >> corporate firewall.
> >>
> >> However, there are now other tenants in our building, and the subnet
> >> is getting too much bandwidth and address consumption - the range I
> >> set up is completely filled, and the VLAN is consuming about half of
> >> our Internet pipe, which is far too much for my comfort.
> >>
> >> I suspect the other tenants are leeching.
> >>
> >> What I've read of captive portals seems to indicate that the portal is
> >> part of the firewall. I could be wrong about that, though. Regardless,
> >> the corporate firewall will not be allowed to be part of this solution.
> >>
> >> The only other alternative I see right now is to set up a password on
> >> the SSID, and have the front desk hand it out to guests, after mailing
> >> it to staff, and I'm getting pushback on that from my manager.
> >>
> >> Does anyone have some ideas I could pursue on this?
> >>
> >> Thanks,
> >>
> >> Kurt
> >>

Re: OT: Guest network security

2013-02-06 Thread Andrew S. Baker
Yes.  You can contact me off-line...





ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for
the SMB market…





On Wed, Feb 6, 2013 at 4:59 PM, Pete Howard  wrote:

> Anyone have a favorite VAR to work with for PA's? A few of
> my usual vendors don't carry them
>
>   --
> *From:* "Ziots, Edward" 
> *To:* NT System Admin Issues 
> *Sent:* Wednesday, February 6, 2013 4:08 PM
> *Subject:* RE: OT: Guest network security
>
>   If you mean PA=Palo Alto, they are dead on (scary CCIE would say that
> being from the CISCO house) I work on Palo Alto Daily, and it's sick how
> much these things can do.  Been finding a lot that I wouldn’t have been
> able to obtain but regular firewall log parsing, and being able to
> quantify your own applications and make traffic rules based on them is
> pretty killer.
>
> Z
>
> Edward E. Ziots, CISSP, Security +, Network +
> Security Engineer
> Lifespan Organization
> ezi...@lifespan.org
>
> This electronic message and any attachments may be privileged and
> confidential and protected from disclosure. If you are reading this
> message, but are not the intended recipient, nor an employee or agent
> responsible for delivering this message to the intended recipient, you are
> hereby notified that you are strictly prohibited from copying, printing,
> forwarding or otherwise disseminating this communication. If you have
> received this communication in error, please immediately notify the sender
> by replying to the message. Then, delete the message from your computer.
> Thank you.
>
>
>  *From:* Kevin Lundy [mailto:klu...@gmail.com]
> *Sent:* Wednesday, February 06, 2013 3:48 PM
> *To:* NT System Admin Issues
> *Subject:* Re: OT: Guest network security
>
>  I have two CCIE's that work for me.  Both also used to work for a Cisco
> VAR - so obviously Cisco bigots.  They both recommended PA to me over the
> ASA.  From a security perspective, the PA do so much more than ASAs.  We
> still use ASAs for some intranet firewalls.
>
>  Are you using the Cisco controllers with your WAPs?  If so, they have
> captive portal capability.  They call it Lobby Ambassador.
>  On Wed, Feb 6, 2013 at 3:20 PM, Kurt Buff  wrote:
> Our Sidewinders are EOL at the end of April, and my manager doesn't like
> them.
>
> He's a Cisco bigot, and wants ASAs in here.
>
> I'm fighting him to at least take a look at the Palo Alto platform, or
> perhaps the newest iteration of the Sidewinders (which are now called
> McAfee Enterprise Firewalls).
>
> That's an interesting tip on the Sophos solution. What did you use for
> the hardware?
>
> Kurt
>
> On Wed, Feb 6, 2013 at 11:59 AM, Richard Stovall  wrote:
> > I was going to suggest using the SonicPoint solution from SonicWall, but
> > you've got Sidewinders, don't you?
> >
> > Does McAfee have anything like SonicWall's wireless solution where it's
> > all managed from the firewall?
> >
> > PS  Sophos has this too, and they give their UTM firewall away free for
> > home use.  Just bring your own hardware.  I just switched to this the
> > other day and love it so far.  I should write a blog post about it.
> > (But then I'd have to create a blog...)
> >
> >
> > On Wed, Feb 6, 2013 at 2:36 PM, Kurt Buff  wrote:
> >>
> >> All,
> >>
> >> Quite some time ago, I set up an unsecured guest VLAN in our network,
> >> providing wireless access to all of the sundry devices that staff and
> >> visitors carry. I set up a small FreeBSD machine to serve IP addresses
> >> via DHCP, and that was dead simple.
> >>
> >> It is a layer2 VLAN, traversing our backbone, and terminating on our
> >> corporate firewall.
> >>
> >> However, there are now other tenants in our building, and the subnet
> >> is getting too much bandwidth and address consumption - the range I
> >> set up is completely filled, and the VLAN is consuming about half of
> >> our Internet pipe, which is far too much for my comfort.
> >>
> >> I suspect the other tenants are leeching.
> >>
> >> What I've read of captive portals seems to indicate that the portal is
> >> part of the firewall. I could be wrong about that, though. Regardless,
> >> the corporate firewall will not be allowed to be part of this solution.
> >>
> >> The only other alternative I see right now is to set up a password on

Re: OT: Guest network security

2013-02-06 Thread Andrew S. Baker
I'll choose a Fortinet over an ASA every day of the week...





ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for
the SMB market…





On Wed, Feb 6, 2013 at 3:44 PM, Ziots, Edward  wrote:

> LOL Cisco bigot... why is that sooo familiar. He would probably like
> Fortinet better if he knew the price and performance was way better than
> ASA's. (Found those to be kludgy)
>
> Z
>
> Edward E. Ziots, CISSP, Security +, Network +
> Security Engineer
> Lifespan Organization
> ezi...@lifespan.org
>
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Wednesday, February 06, 2013 3:21 PM
> To: NT System Admin Issues
> Subject: Re: OT: Guest network security
>
> Our Sidewinders are EOL at the end of April, and my manager doesn't like
> them.
>
> He's a Cisco bigot, and wants ASAs in here.
>
> I'm fighting him to at least take a look at the Palo Alto platform, or
> perhaps the newest iteration of the Sidewinders (which are now called
> McAfee Enterprise Firewalls).
>
> That's an interesting tip on the Sophos solution. What did you use for the
> hardware?
>
> Kurt
>
> On Wed, Feb 6, 2013 at 11:59 AM, Richard Stovall  wrote:
> > I was going to suggest using the SonicPoint solution from SonicWall,
> > but you've got Sidewinders, don't you?
> >
> > Does McAfee have anything like SonicWall's wireless solution where
> > it's all managed from the firewall?
> >
> > PS  Sophos has this too, and they give their UTM firewall away free
> > for home use.  Just bring your own hardware.  I just switched to this
> > the other day and love it so far.  I should write a blog post about
> > it.  (But then I'd have to create a blog...)
> >
> >
> > On Wed, Feb 6, 2013 at 2:36 PM, Kurt Buff  wrote:
> >>
> >> All,
> >>
> >> Quite some time ago, I set up an unsecured guest VLAN in our network,
> >> providing wireless access to all of the sundry devices that staff and
> >> visitors carry. I set up a small FreeBSD machine to serve IP
> >> addresses via DHCP, and that was dead simple.
> >>
> >> It is a layer2 VLAN, traversing our backbone, and terminating on our
> >> corporate firewall.
> >>
> >> However, there are now other tenants in our building, and the subnet
> >> is getting too much bandwidth and address consumption - the range I
> >> set up is completely filled, and the VLAN is consuming about half of
> >> our Internet pipe, which is far too much for my comfort.
> >>
> >> I suspect the other tenants are leeching.
> >>
> >> What I've read of captive portals seems to indicate that the portal
> >> is part of the firewall. I could be wrong about that, though.
> >> Regardless, the corporate firewall will not be allowed to be part of
> >> this solution.
> >>
> >> The only other alternative I see right now is to set up a password on
> >> the SSID, and have the front desk hand it out to guests, after
> >> mailing it to staff, and I'm getting pushback on that from my manager.
> >>
> >> Does anyone have some ideas I could pursue on this?
> >>
> >> Thanks,
> >>
> >> Kurt
> >>

Re: OT: Guest network security

2013-02-06 Thread Pete Howard
Anyone have a favorite VAR to work with for PA's? A few of my usual vendors don't carry them

From: "Ziots, Edward"
To: NT System Admin Issues
Sent: Wednesday, February 6, 2013 4:08 PM
Subject: RE: OT: Guest network security

If you mean PA=Palo Alto, they are dead on (scary CCIE would say that being from the CISCO house) I work on Palo Alto Daily, and it's sick how much these things can do.  Been finding a lot that I wouldn’t have been able to obtain but regular firewall log parsing, and being able to quantify your own applications and make traffic rules based on them is pretty killer.

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org
   
 
   
   

From: Kevin Lundy [mailto:klu...@gmail.com]
Sent: Wednesday, February 06, 2013 3:48 PM
To: NT System Admin Issues
Subject: Re: OT: Guest network security

I have two CCIE's that work for me.  Both also used to work for a Cisco VAR - so obviously Cisco bigots.  They both recommended PA to me over the ASA.  From a security perspective, the PA do so much more than ASAs.  We still use ASAs for some intranet firewalls.

Are you using the Cisco controllers with your WAPs?  If so, they have captive portal capability.  They call it Lobby Ambassador.


On Wed, Feb 6, 2013 at 3:20 PM, Kurt Buff <kurt.b...@gmail.com> wrote: 
Our Sidewinders are EOL at the end of April, and my manager doesn't like them.

He's a Cisco bigot, and wants ASAs in here.

I'm fighting him to at least take a look at the Palo Alto platform, or
perhaps the newest iteration of the Sidewinders (which are now called
McAfee Enterprise Firewalls).

That's an interesting tip on the Sophos solution. What did you use for
the hardware?

Kurt 


On Wed, Feb 6, 2013 at 11:59 AM, Richard Stovall <rich...@gmail.com> wrote:
> I was going to suggest using the SonicPoint solution from SonicWall, but
> you've got Sidewinders, don't you?
>
> Does McAfee have anything like SonicWall's wireless solution where it's all
> managed from the firewall?
>
> PS  Sophos has this too, and they give their UTM firewall away free for home
> use.  Just bring your own hardware.  I just switched to this the other day
> and love it so far.  I should write a blog post about it.  (But then I'd
> have to create a blog...)
>
>
> On Wed, Feb 6, 2013 at 2:36 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>
>> All,
>>
>> Quite some time ago, I set up an unsecured guest VLAN in our network,
>> providing wireless access to all of the sundry devices that staff and
>> visitors carry. I set up a small FreeBSD machine to serve IP addresses
>> via DHCP, and that was dead simple.
>>
>> It is a layer2 VLAN, traversing our backbone, and terminating on our
>> corporate firewall.
>>
>> However, there are now other tenants in our building, and the subnet
>> is getting too much bandwidth and address consumption - the range I
>> set up is completely filled, and the VLAN is consuming about half of
>> our Internet pipe, which is far too much for my comfort.
>>
>> I suspect the other tenants are leeching.
>>
>> What I've read of captive portals seems to indicate that the portal is
>> part of the firewall. I could be wrong about that, though. Regardless, the
>> corporate firewall will not be allowed to be part of this solution.
>>
>> The only other alternative I see right now is to set up a password on
>> the SSID, and have the front desk hand it out to guests, after mailing
>> it to staff, and I'm getting pushback on that from my manager.
>>
>> Does anyone have some ideas I could pursue on this?
>>
>> Thanks,
>>
>> Kurt
>>

Re: OT: Guest network security

2013-02-06 Thread Kurt Buff
We have 15 Cisco 1240AGs, which were apparently announced as End of
Sale, though EOL is apparently 2018.

No controller, but I just talked with our supplier, who is
recommending the 2504. There's a unit that comes with a 15-WAP
license, for not too expensive.

*Very* good to know about the captive portal capability.

The recommendation of CCIEs for the PA over the ASA is, well,
interesting. I wonder if I can find someone he will believe on that...

Kurt

On Wed, Feb 6, 2013 at 12:48 PM, Kevin Lundy  wrote:
> I have two CCIE's that work for me.  Both also used to work for a Cisco VAR
> - so obviously Cisco bigots.  They both recommended PA to me over the ASA.
> From a security perspective, the PA do so much more than ASAs.  We still use
> ASAs for some intranet firewalls.
>
> Are you using the Cisco controllers with your WAPs?  If so, they have
> captive portal capability.  They call it Lobby Ambassador.
>
> On Wed, Feb 6, 2013 at 3:20 PM, Kurt Buff  wrote:
>>
>> Our Sidewinders are EOL at the end of April, and my manager doesn't like
>> them.
>>
>> He's a Cisco bigot, and wants ASAs in here.
>>
>> I'm fighting him to at least take a look at the Palo Alto platform, or
>> perhaps the newest iteration of the Sidewinders (which are now called
>> McAfee Enterprise Firewalls).
>>
>> That's an interesting tip on the Sophos solution. What did you use for
>> the hardware?
>>
>> Kurt
>>
>> On Wed, Feb 6, 2013 at 11:59 AM, Richard Stovall  wrote:
>> > I was going to suggest using the SonicPoint solution from SonicWall, but
>> > you've got Sidewinders, don't you?
>> >
>> > Does McAfee have anything like SonicWall's wireless solution where it's
>> > all managed from the firewall?
>> >
>> > PS  Sophos has this too, and they give their UTM firewall away free for
>> > home use.  Just bring your own hardware.  I just switched to this the
>> > other day and love it so far.  I should write a blog post about it.
>> > (But then I'd have to create a blog...)
>> >
>> >
>> > On Wed, Feb 6, 2013 at 2:36 PM, Kurt Buff  wrote:
>> >>
>> >> All,
>> >>
>> >> Quite some time ago, I set up an unsecured guest VLAN in our network,
>> >> providing wireless access to all of the sundry devices that staff and
>> >> visitors carry. I set up a small FreeBSD machine to serve IP addresses
>> >> via DHCP, and that was dead simple.
>> >>
>> >> It is a layer2 VLAN, traversing our backbone, and terminating on our
>> >> corporate firewall.
>> >>
>> >> However, there are now other tenants in our building, and the subnet
>> >> is getting too much bandwidth and address consumption - the range I
>> >> set up is completely filled, and the VLAN is consuming about half of
>> >> our Internet pipe, which is far too much for my comfort.
>> >>
>> >> I suspect the other tenants are leeching.
>> >>
>> >> What I've read of captive portals seems to indicate that the portal is
>> >> part of the firewall. I could be wrong about that, though. Regardless,
>> >> the corporate firewall will not be allowed to be part of this solution.
>> >>
>> >> The only other alternative I see right now is to set up a password on
>> >> the SSID, and have the front desk hand it out to guests, after mailing
>> >> it to staff, and I'm getting pushback on that from my manager.
>> >>
>> >> Does anyone have some ideas I could pursue on this?
>> >>
>> >> Thanks,
>> >>
>> >> Kurt
>> >>

Re: OT: Guest network security

2013-02-06 Thread Kevin Lundy
Yep PA=Palo Alto

When we made the switch, our ASAs were due to be replaced.  Our Websense
subscription was up for renewal at the same time.  The PA's were about the
same price as new ASAs + Websense renewal.  Made for a no brainer decision.
Curious Z, are you using the Wildfire piece?

On Wed, Feb 6, 2013 at 4:08 PM, Ziots, Edward  wrote:

>  If you mean PA=Palo Alto, they are dead on (scary CCIE would say that
> being from the CISCO house) I work on Palo Alto Daily, and it's sick how
> much these things can do.  Been finding a lot that I wouldn’t have been
> able to obtain but regular firewall log parsing, and being able to
> quantify your own applications and make traffic rules based on them is
> pretty killer.
>
> Z
>
> Edward E. Ziots, CISSP, Security +, Network +
> Security Engineer
> Lifespan Organization
> ezi...@lifespan.org
>
> *From:* Kevin Lundy [mailto:klu...@gmail.com]
> *Sent:* Wednesday, February 06, 2013 3:48 PM
> *To:* NT System Admin Issues
> *Subject:* Re: OT: Guest network security
>
> I have two CCIE's that work for me.  Both also used to work for a Cisco
> VAR - so obviously Cisco bigots.  They both recommended PA to me over the
> ASA.  From a security perspective, the PA do so much more than ASAs.  We
> still use ASAs for some intranet firewalls.
>
>  
>
> Are you using the Cisco controllers with your WAPs?  If so, they have
> captive portal capability.  They call it Lobby Ambassador.
>
> On Wed, Feb 6, 2013 at 3:20 PM, Kurt Buff  wrote:
>
> Our Sidewinders are EOL at the end of April, and my manager doesn't like
> them.
>
> He's a Cisco bigot, and wants ASAs in here.
>
> I'm fighting him to at least take a look at the Palo Alto platform, or
> perhaps the newest iteration of the Sidewinders (which are now called
> McAfee Enterprise Firewalls).
>
> That's an interesting tip on the Sophos solution. What did you use for
> the hardware?
>
> Kurt
>
>
> On Wed, Feb 6, 2013 at 11:59 AM, Richard Stovall  wrote:
> > I was going to suggest using the SonicPoint solution from SonicWall, but
> > you've got Sidewinders, don't you?
> >
> > Does McAfee have anything like SonicWall's wireless solution where it's
> > all managed from the firewall?
> >
> > PS  Sophos has this too, and they give their UTM firewall away free for
> > home use.  Just bring your own hardware.  I just switched to this the
> > other day and love it so far.  I should write a blog post about it.
> > (But then I'd have to create a blog...)
> >
> >
> > On Wed, Feb 6, 2013 at 2:36 PM, Kurt Buff  wrote:
> >>
>
> >> All,
> >>
> >> Quite some time ago, I set up an unsecured guest VLAN in our network,
> >> providing wireless access to all of the sundry devices that staff and
> >> visitors carry. I set up a small FreeBSD machine to serve IP addresses
> >> via DHCP, and that was dead simple.
> >>
> >> It is a layer2 VLAN, traversing our backbone, and terminating on our
> >> corporate firewall.
> >>
> >> However, there are now other tenants in our building, and the subnet
> >> is getting too much bandwidth and address consumption - the range I
> >> set up is completely filled, and the VLAN is consuming about half of
> >> our Internet pipe, which is far too much for my comfort.
> >>
> >> I suspect the other tenants are leeching.
> >>
> >> What I've read of captive portals seems to indicate that the portal is
> >> part of the firewall. I could be wrong about that, though. Regardless,
> >> the corporate firewall will not be allowed to be part of this solution.
> >>
> >> The only other alternative I see right now is to set up a password on
> >> the SSID, and have the front desk hand i

RE: OT: Guest network security

2013-02-06 Thread Ziots, Edward
If you mean PA=Palo Alto, they are dead on (scary CCIE would say that being
from the CISCO house) I work on Palo Alto Daily, and it's sick how much these
things can do.  Been finding a lot that I wouldn't have been able to obtain but
regular firewall log parsing, and being able to quantify your own applications
and make traffic rules based on them is pretty killer.

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org



From: Kevin Lundy [mailto:klu...@gmail.com]
Sent: Wednesday, February 06, 2013 3:48 PM
To: NT System Admin Issues
Subject: Re: OT: Guest network security

I have two CCIE's that work for me.  Both also used to work for a Cisco VAR - 
so obviously Cisco bigots.  They both recommended PA to me over the ASA.  From 
a security perspective, the PA do so much more than ASAs.  We still use ASAs 
for some intranet firewalls.

Are you using the Cisco controllers with your WAPs?  If so, they have captive 
portal capability.  They call it Lobby Ambassador.
On Wed, Feb 6, 2013 at 3:20 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
Our Sidewinders are EOL at the end of April, and my manager doesn't like them.

He's a Cisco bigot, and wants ASAs in here.

I'm fighting him to at least take a look at the Palo Alto platform, or
perhaps the newest iteration of the Sidewinders (which are now called
McAfee Enterprise Firewalls).

That's an interesting tip on the Sophos solution. What did you use for
the hardware?

Kurt

On Wed, Feb 6, 2013 at 11:59 AM, Richard Stovall <rich...@gmail.com> wrote:
> I was going to suggest using the SonicPoint solution from SonicWall, but
> you've got Sidewinders, don't you?
>
> Does McAfee have anything like SonicWall's wireless solution where it's all
> managed from the firewall?
>
> PS  Sophos has this too, and they give their UTM firewall away free for home
> use.  Just bring your own hardware.  I just switched to this the other day
> and love it so far.  I should write a blog post about it.  (But then I'd
> have to create a blog...)
>
>
> On Wed, Feb 6, 2013 at 2:36 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>
>> All,
>>
>> Quite some time ago, I set up an unsecured guest VLAN in our network,
>> providing wireless access to all of the sundry devices that staff and
>> visitors carry. I set up a small FreeBSD machine to serve IP addresses
>> via DHCP, and that was dead simple.
>>
>> It is a layer2 VLAN, traversing our backbone, and terminating on our
>> corporate firewall.
>>
>> However, there are now other tenants in our building, and the subnet
>> is getting too much bandwidth and address consumption - the range I
>> set up is completely filled, and the VLAN is consuming about half of
>> our Internet pipe, which is far too much for my comfort.
>>
>> I suspect the other tenants are leeching.
>>
>> What I've read of captive portals seems to indicate that the portal is
>> part of the firewall. I could be wrong about that, though. Regardless, the
>> corporate firewall will not be allowed to be part of this solution.
>>
>> The only other alternative I see right now is to set up a password on
>> the SSID, and have the front desk hand it out to guests, after mailing
>> it to staff, and I'm getting pushback on that from my manager.
>>
>> Does anyone have some ideas I could pursue on this?
>>
>> Thanks,
>>
>> Kurt
>>

Re: OT: Guest network security

2013-02-06 Thread Kevin Lundy
I have two CCIE's that work for me.  Both also used to work for a Cisco VAR
- so obviously Cisco bigots.  They both recommended PA to me over the ASA.
From a security perspective, the PA do so much more than ASAs.  We still
use ASAs for some intranet firewalls.

Are you using the Cisco controllers with your WAPs?  If so, they have
captive portal capability.  They call it Lobby Ambassador.

On Wed, Feb 6, 2013 at 3:20 PM, Kurt Buff  wrote:

> Our Sidewinders are EOL at the end of April, and my manager doesn't like
> them.
>
> He's a Cisco bigot, and wants ASAs in here.
>
> I'm fighting him to at least take a look at the Palo Alto platform, or
> perhaps the newest iteration of the Sidewinders (which are now called
> McAfee Enterprise Firewalls).
>
> That's an interesting tip on the Sophos solution. What did you use for
> the hardware?
>
> Kurt
>
> On Wed, Feb 6, 2013 at 11:59 AM, Richard Stovall wrote:
> > I was going to suggest using the SonicPoint solution from SonicWall, but
> > you've got Sidewinders, don't you?
> >
> > Does McAfee have anything like SonicWall's wireless solution where it's all
> > managed from the firewall?
> >
> > PS  Sophos has this too, and they give their UTM firewall away free for home
> > use.  Just bring your own hardware.  I just switched to this the other day
> > and love it so far.  I should write a blog post about it.  (But then I'd
> > have to create a blog...)
> >
> >
> > On Wed, Feb 6, 2013 at 2:36 PM, Kurt Buff  wrote:
> >>
> >> All,
> >>
> >> Quite some time ago, I set up an unsecured guest VLAN in our network,
> >> providing wireless access to all of the sundry devices that staff and
> >> visitors carry. I set up a small FreeBSD machine to serve IP addresses
> >> via DHCP, and that was dead simple.
> >>
> >> It is a layer2 VLAN, traversing our backbone, and terminating on our
> >> corporate firewall.
> >>
> >> However, there are now other tenants in our building, and the subnet
> >> is getting too much bandwidth and address consumption - the range I
> >> set up is completely filled, and the VLAN is consuming about half of
> >> our Internet pipe, which is far too much for my comfort.
> >>
> >> I suspect the other tenants are leeching.
> >>
> >> What I've read of captive portals seems to indicate that the portal is
> >> part of the firewall. I could be wrong about that, though. Regardless, the
> >> corporate firewall will not be allowed to be part of this solution.
> >>
> >> The only other alternative I see right now is to set up a password on
> >> the SSID, and have the front desk hand it out to guests, after mailing
> >> it to staff, and I'm getting pushback on that from my manager.
> >>
> >> Does anyone have some ideas I could pursue on this?
> >>
> >> Thanks,
> >>
> >> Kurt
> >>

RE: OT: Guest network security

2013-02-06 Thread Ziots, Edward
LOL Cisco bigot... why is that sooo familiar. He would probably like Fortinet
better if he knew the price and performance was way better than ASA's. (Found
those to be kludgy.)

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org





-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Wednesday, February 06, 2013 3:21 PM
To: NT System Admin Issues
Subject: Re: OT: Guest network security

Our Sidewinders are EOL at the end of April, and my manager doesn't like them.

He's a Cisco bigot, and wants ASAs in here.

I'm fighting him to at least take a look at the Palo Alto platform, or perhaps 
the newest iteration of the Sidewinders (which are now called McAfee Enterprise
Firewalls).

That's an interesting tip on the Sophos solution. What did you use for the 
hardware?

Kurt

On Wed, Feb 6, 2013 at 11:59 AM, Richard Stovall  wrote:
> I was going to suggest using the SonicPoint solution from SonicWall, 
> but you've got Sidewinders, don't you?
>
> Does McAfee have anything like SonicWall's wireless solution where 
> it's all managed from the firewall?
>
> PS  Sophos has this too, and they give their UTM firewall away free 
> for home use.  Just bring your own hardware.  I just switched to this 
> the other day and love it so far.  I should write a blog post about 
> it.  (But then I'd have to create a blog...)
>
>
> On Wed, Feb 6, 2013 at 2:36 PM, Kurt Buff  wrote:
>>
>> All,
>>
>> Quite some time ago, I set up an unsecured guest VLAN in our network, 
>> providing wireless access to all of the sundry devices that staff and 
>> visitors carry. I set up a small FreeBSD machine to serve IP 
>> addresses via DHCP, and that was dead simple.
>>
>> It is a layer2 VLAN, traversing our backbone, and terminating on our 
>> corporate firewall.
>>
>> However, there are now other tenants in our building, and the subnet 
>> is getting too much bandwidth and address consumption - the range I 
>> set up is completely filled, and the VLAN is consuming about half of 
>> our Internet pipe, which is far too much for my comfort.
>>
>> I suspect the other tenants are leeching.
>>
>> What I've read of captive portals seems to indicate that the portal 
>> is part of the firewall. I could be wrong about that, though. 
>> Regardless, the corporate firewall will not be allowed to be part of this 
>> solution.
>>
>> The only other alternative I see right now is to set up a password on 
>> the SSID, and have the front desk hand it out to guests, after 
>> mailing it to staff, and I'm getting pushback on that from my manager.
>>
>> Does anyone have some ideas I could pursue on this?
>>
>> Thanks,
>>
>> Kurt
>>

Re: OT: Guest network security

2013-02-06 Thread Kurt Buff
Our Sidewinders are EOL at the end of April, and my manager doesn't like them.

He's a Cisco bigot, and wants ASAs in here.

I'm fighting him to at least take a look at the Palo Alto platform, or
perhaps the newest iteration of the Sidewinders (which are now called
McAfee Enterprise Firewalls).

That's an interesting tip on the Sophos solution. What did you use for
the hardware?

Kurt

On Wed, Feb 6, 2013 at 11:59 AM, Richard Stovall  wrote:
> I was going to suggest using the SonicPoint solution from SonicWall, but
> you've got Sidewinders, don't you?
>
> Does McAfee have anything like SonicWall's wireless solution where it's all
> managed from the firewall?
>
> PS  Sophos has this too, and they give their UTM firewall away free for home
> use.  Just bring your own hardware.  I just switched to this the other day
> and love it so far.  I should write a blog post about it.  (But then I'd
> have to create a blog...)
>
>
> On Wed, Feb 6, 2013 at 2:36 PM, Kurt Buff  wrote:
>>
>> All,
>>
>> Quite some time ago, I set up an unsecured guest VLAN in our network,
>> providing wireless access to all of the sundry devices that staff and
>> visitors carry. I set up a small FreeBSD machine to serve IP addresses
>> via DHCP, and that was dead simple.
>>
>> It is a layer2 VLAN, traversing our backbone, and terminating on our
>> corporate firewall.
>>
>> However, there are now other tenants in our building, and the subnet
>> is getting too much bandwidth and address consumption - the range I
>> set up is completely filled, and the VLAN is consuming about half of
>> our Internet pipe, which is far too much for my comfort.
>>
>> I suspect the other tenants are leeching.
>>
>> What I've read of captive portals seems to indicate that the portal is
>> part of the firewall. I could be wrong about that, though. Regardless, the
>> corporate firewall will not be allowed to be part of this solution.
>>
>> The only other alternative I see right now is to set up a password on
>> the SSID, and have the front desk hand it out to guests, after mailing
>> it to staff, and I'm getting pushback on that from my manager.
>>
>> Does anyone have some ideas I could pursue on this?
>>
>> Thanks,
>>
>> Kurt
>>


Re: OT: Guest network security

2013-02-06 Thread Kurt Buff
Looks like they were acquired by HP some time ago.

I'll take a look to see if they'll cooperate with our Cisco WAPs.

Kurt

On Wed, Feb 6, 2013 at 11:58 AM, Michael B. Smith  wrote:
> Colubris is at least one.
>
> Thanks for saying that, it jogged my memory.
>
> -Original Message-
> From: kz2...@googlemail.com [mailto:kz2...@googlemail.com]
> Sent: Wednesday, February 6, 2013 2:45 PM
> To: NT System Admin Issues
> Subject: Re: OT: Guest network security
>
> I remember seeing a solution that issued tickets with a network key for 
> guests as they came in. The name defeats me though, sorry
>
> Sent from my Blackberry, which may be an antique but delivers email RELIABLY
>
> -Original Message-
> From: Kurt Buff 
> Date: Wed, 6 Feb 2013 11:36:00
> To: NT System Admin Issues
> Reply-To: "NT System Admin Issues" 
> Subject: OT: Guest network security
>
> All,
>
> Quite some time ago, I set up an unsecured guest VLAN in our network, 
> providing wireless access to all of the sundry devices that staff and 
> visitors carry. I set up a small FreeBSD machine to serve IP addresses via 
> DHCP, and that was dead simple.
>
> It is a layer2 VLAN, traversing our backbone, and terminating on our 
> corporate firewall.
>
> However, there are now other tenants in our building, and the subnet is 
> getting too much bandwidth and address consumption - the range I set up is 
> completely filled, and the VLAN is consuming about half of our Internet pipe, 
> which is far too much for my comfort.
>
> I suspect the other tenants are leeching.
>
> What I've read of captive portals seems to indicate that the portal is part 
> of the firewall. I could be wrong about that, though. Regardless, the 
> corporate firewall will not be allowed to be part of this solution.
>
> The only other alternative I see right now is to set up a password on the 
> SSID, and have the front desk hand it out to guests, after mailing it to 
> staff, and I'm getting pushback on that from my manager.
>
> Does anyone have some ideas I could pursue on this?
>
> Thanks,
>
> Kurt
>



Re: OT: Guest network security

2013-02-06 Thread Kurt Buff
Interesting - if you remember the name, I'll be interested in hearing it.

Kurt

On Wed, Feb 6, 2013 at 11:45 AM,   wrote:
> I remember seeing a solution that issued tickets with a network key for 
> guests as they came in. The name defeats me though, sorry
>
> Sent from my Blackberry, which may be an antique but delivers email RELIABLY
>
> -Original Message-
> From: Kurt Buff 
> Date: Wed, 6 Feb 2013 11:36:00
> To: NT System Admin Issues
> Reply-To: "NT System Admin Issues" 
> Subject: OT: Guest network security
>
> All,
>
> Quite some time ago, I set up an unsecured guest VLAN in our network,
> providing wireless access to all of the sundry devices that staff and
> visitors carry. I set up a small FreeBSD machine to serve IP addresses
> via DHCP, and that was dead simple.
>
> It is a layer2 VLAN, traversing our backbone, and terminating on our
> corporate firewall.
>
> However, there are now other tenants in our building, and the subnet
> is getting too much bandwidth and address consumption - the range I
> set up is completely filled, and the VLAN is consuming about half of
> our Internet pipe, which is far too much for my comfort.
>
> I suspect the other tenants are leeching.
>
> What I've read of captive portals seems to indicate that the portal is
> part of the firewall. I could be wrong about that, though. Regardless, the
> corporate firewall will not be allowed to be part of this solution.
>
> The only other alternative I see right now is to set up a password on
> the SSID, and have the front desk hand it out to guests, after mailing
> it to staff, and I'm getting pushback on that from my manager.
>
> Does anyone have some ideas I could pursue on this?
>
> Thanks,
>
> Kurt
>


Re: OT: Guest network security

2013-02-06 Thread Richard Stovall
I was going to suggest using the SonicPoint solution from SonicWall, but
you've got Sidewinders, don't you?

Does McAfee have anything like SonicWall's wireless solution where it's all
managed from the firewall?

PS  Sophos has this too, and they give their UTM firewall away free for
home use.  Just bring your own hardware.  I just switched to this the other
day and love it so far.  I should write a blog post about it.  (But then
I'd have to create a blog...)


On Wed, Feb 6, 2013 at 2:36 PM, Kurt Buff  wrote:

> All,
>
> Quite some time ago, I set up an unsecured guest VLAN in our network,
> providing wireless access to all of the sundry devices that staff and
> visitors carry. I set up a small FreeBSD machine to serve IP addresses
> via DHCP, and that was dead simple.
>
> It is a layer2 VLAN, traversing our backbone, and terminating on our
> corporate firewall.
>
> However, there are now other tenants in our building, and the subnet
> is getting too much bandwidth and address consumption - the range I
> set up is completely filled, and the VLAN is consuming about half of
> our Internet pipe, which is far too much for my comfort.
>
> I suspect the other tenants are leeching.
>
> What I've read of captive portals seems to indicate that the portal is
> part of the firewall. I could be wrong about that, though. Regardless, the
> corporate firewall will not be allowed to be part of this solution.
>
> The only other alternative I see right now is to set up a password on
> the SSID, and have the front desk hand it out to guests, after mailing
> it to staff, and I'm getting pushback on that from my manager.
>
> Does anyone have some ideas I could pursue on this?
>
> Thanks,
>
> Kurt
>

RE: OT: Guest network security

2013-02-06 Thread Michael B. Smith
Colubris is at least one.

Thanks for saying that, it jogged my memory.

-Original Message-
From: kz2...@googlemail.com [mailto:kz2...@googlemail.com] 
Sent: Wednesday, February 6, 2013 2:45 PM
To: NT System Admin Issues
Subject: Re: OT: Guest network security

I remember seeing a solution that issued tickets with a network key for guests 
as they came in. The name defeats me though, sorry

Sent from my Blackberry, which may be an antique but delivers email RELIABLY

-Original Message-
From: Kurt Buff 
Date: Wed, 6 Feb 2013 11:36:00
To: NT System Admin Issues
Reply-To: "NT System Admin Issues" 
Subject: OT: Guest network security

All,

Quite some time ago, I set up an unsecured guest VLAN in our network, providing 
wireless access to all of the sundry devices that staff and visitors carry. I 
set up a small FreeBSD machine to serve IP addresses via DHCP, and that was 
dead simple.

It is a layer2 VLAN, traversing our backbone, and terminating on our corporate 
firewall.

However, there are now other tenants in our building, and the subnet is getting 
too much bandwidth and address consumption - the range I set up is completely 
filled, and the VLAN is consuming about half of our Internet pipe, which is far 
too much for my comfort.

I suspect the other tenants are leeching.

What I've read of captive portals seems to indicate that the portal is part of 
the firewall. I could be wrong about that, though. Regardless, the corporate 
firewall will not be allowed to be part of this solution.

The only other alternative I see right now is to set up a password on the SSID, 
and have the front desk hand it out to guests, after mailing it to staff, and 
I'm getting pushback on that from my manager.

Does anyone have some ideas I could pursue on this?

Thanks,

Kurt


Re: OT: Guest network security

2013-02-06 Thread kz20fl
I remember seeing a solution that issued tickets with a network key for guests 
as they came in. The name defeats me though, sorry

Sent from my Blackberry, which may be an antique but delivers email RELIABLY

-Original Message-
From: Kurt Buff 
Date: Wed, 6 Feb 2013 11:36:00 
To: NT System Admin Issues
Reply-To: "NT System Admin Issues" 
Subject: OT: Guest network security

All,

Quite some time ago, I set up an unsecured guest VLAN in our network,
providing wireless access to all of the sundry devices that staff and
visitors carry. I set up a small FreeBSD machine to serve IP addresses
via DHCP, and that was dead simple.

It is a layer2 VLAN, traversing our backbone, and terminating on our
corporate firewall.

However, there are now other tenants in our building, and the subnet
is getting too much bandwidth and address consumption - the range I
set up is completely filled, and the VLAN is consuming about half of
our Internet pipe, which is far too much for my comfort.

I suspect the other tenants are leeching.

What I've read of captive portals seems to indicate that the portal is
part of the firewall. I could be wrong about that, though. Regardless, the
corporate firewall will not be allowed to be part of this solution.

The only other alternative I see right now is to set up a password on
the SSID, and have the front desk hand it out to guests, after mailing
it to staff, and I'm getting pushback on that from my manager.

Does anyone have some ideas I could pursue on this?

Thanks,

Kurt
