RE: SMB firewall (was RE: VLAN N00b)

2011-08-04 Thread Martin Blackstone
Same here. Other than that they are awesome. 

-Original Message-
From: Kevin Lundy [mailto:klu...@gmail.com] 
Sent: Thursday, August 04, 2011 4:18 PM
To: NT System Admin Issues
Subject: Re: SMB firewall (was RE: VLAN N00b)

Yes.  Have two PAs clustered.  Love the security aspect.  Management console
performance is slow.

Kevin

On 8/4/11, Martin Blackstone  wrote:
> Have any of you guys checked out Palo Alto Networks?

RE: SMB firewall (was RE: VLAN N00b)

2011-08-04 Thread Crawford, Scott
gotcha

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Thursday, August 04, 2011 6:55 PM
To: NT System Admin Issues
Subject: Re: SMB firewall (was RE: VLAN N00b)

It's the feature that my clients tend to use/implement the least frequently on 
a UTM device.


ASB

http://about.me/Andrew.S.Baker

Harnessing the Advantages of Technology for the SMB market...



On Thu, Aug 4, 2011 at 6:17 PM, Crawford, Scott 
mailto:crawfo...@evangel.edu>> wrote:
Are you saying that av/content filtering is your least important criterion of all 
on a FW? Or that it's the bottom of your must haves?


Re: SMB firewall (was RE: VLAN N00b)

2011-08-04 Thread Andrew S. Baker
It's the feature that my clients tend to use/implement the least frequently
on a UTM device.



ASB

http://about.me/Andrew.S.Baker

Harnessing the Advantages of Technology for the SMB market…



On Thu, Aug 4, 2011 at 6:17 PM, Crawford, Scott wrote:

>  Are you saying that av/content filtering is your least important criterion
> of all on a FW? Or that it's the bottom of your must haves?

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

Re: SMB firewall (was RE: VLAN N00b)

2011-08-04 Thread Andrew S. Baker
Yes, and their stuff is awesome...  :)

A bit pricier than the range we're talking about, though.

ASB

http://about.me/Andrew.S.Baker

Harnessing the Advantages of Technology for the SMB market…



On Thu, Aug 4, 2011 at 6:58 PM, Martin Blackstone wrote:

> Have any of you guys checked out Palo Alto Networks?

Re: SMB firewall (was RE: VLAN N00b)

2011-08-04 Thread Kevin Lundy
Yes.  Have two PAs clustered.  Love the security aspect.  Management
console performance is slow.

Kevin

On 8/4/11, Martin Blackstone  wrote:
> Have any of you guys checked out Palo Alto Networks?

RE: SMB firewall (was RE: VLAN N00b)

2011-08-04 Thread Martin Blackstone
Have any of you guys checked out Palo Alto Networks?

 

From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Thursday, August 04, 2011 3:18 PM
To: NT System Admin Issues
Subject: RE: SMB firewall (was RE: VLAN N00b)

 

Are you saying that av/content filtering is your least important criterion of
all on a FW? Or that it's the bottom of your must haves?

 


RE: SMB firewall (was RE: VLAN N00b)

2011-08-04 Thread Crawford, Scott
Are you saying that av/content filtering is your least important criterion of all 
on a FW? Or that it's the bottom of your must haves?

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Thursday, August 04, 2011 12:23 PM
To: NT System Admin Issues
Subject: Re: SMB firewall (was RE: VLAN N00b)

The features I find that I use the most are:

  *   Firewall / VPN
  *   IPS
  *   .
  *   .
  *   .
  *   AV / Content Filtering

ASB

http://about.me/Andrew.S.Baker

Harnessing the Advantages of Technology for the SMB market...




Re: SMB firewall (was RE: VLAN N00b)

2011-08-04 Thread Andrew S. Baker
The features I find that I use the most are:


   - Firewall / VPN
   - IPS
   - .
   - .
   - .
   - AV / Content Filtering


ASB

http://about.me/Andrew.S.Baker

Harnessing the Advantages of Technology for the SMB market…



On Thu, Aug 4, 2011 at 10:38 AM, David Lum  wrote:

> And now I need to choose a firewall. Holy crap there are a multitude of
> options, not the least of which are the various UTM (Unified Threat
> Management) options and reporting options.
>
> What kind of features do you guys find are key and are there any features
> you thought you'd use but really don't?
>
> Dave
>
> -Original Message-
> From: David Lum [mailto:david@nwea.org]
> Sent: Thursday, August 04, 2011 6:08 AM
> To: NT System Admin Issues
> Subject: RE: SMB firewall (was RE: VLAN N00b)
>
> Yep, what you describe is exactly what I was envisioning, thanks! (BTW Dell
> also calls it tagging). Now to decide on a firewall. I called my client last
> night and she was already onboard with my thinking "go ahead and buy it or
> send me a link and I'll order it".
>
> I love clients that trust you enough that all you need to do is explain the
> concept and benefits and they're ready to pull the trigger, weird telling
> them "uh, I'm not ready to buy anything as I need to decide on the exact
> product..." :-).
>
> It's also nice knowing that steering them to a managed switch 3 years ago is
> going to pay off with this little project.
>
> Dave
>
> -Original Message-
> From: Ben Scott [mailto:mailvor...@gmail.com]
> Sent: Thursday, August 04, 2011 5:34 AM
> To: NT System Admin Issues
> Subject: Re: SMB firewall (was RE: VLAN N00b)
>
> On Wed, Aug 3, 2011 at 4:42 PM, David Lum  wrote:
> > So ideally in your opinion the firewall would effectively give
> > each VLAN (each VLAN defined by 802.1Q tags) its own
> > DHCP scope and thus their own IP settings, correct?
>
>  More or less.
>
>  I would separate your desired access groups into separate networks.
>
>  Conceptually, start with the idea that you have each group on a
> different physical switch, each with its own DHCP server, and its own
>
>
> 
>
>  So upgrade the concept to a firewall that understands 802.1Q VLAN
> tags.  Only one cable from the switch to the firewall.  Each separate
> VLAN gets associated with that single cable, and the switch and
> firewall use 802.1Q VLAN tags to know which isolated network a given
> frame is for.
>
>  Only the switch port connected to the firewall emits or expects
> frames with VLAN tags.  (I believe Cisco calls this a "VLAN trunk
> port"; HP calls it "tagged"; I dunno what Dell calls it.)  All the
> other switch ports are on a single VLAN ("untagged" in HP-speak), and
> just act like separate switches for the nodes which aren't aware of
> the other networks.
>
>  Make sense?
>
> -- Ben
>


Re: SMB firewall (was RE: VLAN N00b)

2011-08-04 Thread Harry Singh
I believe the SSGs are now discontinued as Juniper moved away from ScreenOS
to their SRX platform which is, to my understanding, a combination of JUNOS
and some remnants of ScreenOS.

Either way Juniper and Fortinet boxes are rock solid in my experience.


On Thu, Aug 4, 2011 at 10:38 AM, David Lum  wrote:

> And now I need to choose a firewall. Holy crap there are a multitude of
> options, not the least of which are the various UTM (Unified Threat
> Management) options and reporting options.
>
> What kind of features do you guys find are key and are there any features
> you thought you'd use but really don't?
>
> Dave
>
> -Original Message-
> From: David Lum [mailto:david@nwea.org]
> Sent: Thursday, August 04, 2011 6:08 AM
> To: NT System Admin Issues
> Subject: RE: SMB firewall (was RE: VLAN N00b)
>
> Yep, what you describe is exactly what I was envisioning, thanks! (BTW Dell
> also calls it tagging). Now to decide on a firewall. I called my client last
> night and she was already onboard with my thinking "go ahead and buy it or
> send me a link and I'll order it".
>
> I love clients that trust you enough that all you need to do is explain the
> concept and benefits and they're ready to pull the trigger, weird telling
> them "uh, I'm not ready to buy anything as I need to decide on the exact
> product..." :-).
>
> It's also nice knowing that steering them to a managed switch 3 years ago is
> going to pay off with this little project.
>
> Dave
>
> -Original Message-
> From: Ben Scott [mailto:mailvor...@gmail.com]
> Sent: Thursday, August 04, 2011 5:34 AM
> To: NT System Admin Issues
> Subject: Re: SMB firewall (was RE: VLAN N00b)
>
> On Wed, Aug 3, 2011 at 4:42 PM, David Lum  wrote:
> > So ideally in your opinion the firewall would effectively give
> > each VLAN (each VLAN defined by 802.1Q tags) its own
> > DHCP scope and thus their own IP settings, correct?
>
>  More or less.
>
>  I would separate your desired access groups into separate networks.
>
>  Conceptually, start with the idea that you have each group on a
> different physical switch, each with its own DHCP server, and its own
>
>
> 
>
>  So upgrade the concept to a firewall that understands 802.1Q VLAN
> tags.  Only one cable from the switch to the firewall.  Each separate
> VLAN gets associated with that single cable, and the switch and
> firewall use 802.1Q VLAN tags to know which isolated network a given
> frame is for.
>
>  Only the switch port connected to the firewall emits or expects
> frames with VLAN tags.  (I believe Cisco calls this a "VLAN trunk
> port"; HP calls it "tagged"; I dunno what Dell calls it.)  All the
> other switch ports are on a single VLAN ("untagged" in HP-speak), and
> just act like separate switches for the nodes which aren't aware of
> the other networks.
>
>  Make sense?
>
> -- Ben
>


RE: SMB firewall (was RE: VLAN N00b)

2011-08-04 Thread David Lum
And now I need to choose a firewall. Holy crap there are a multitude of 
options, not the least of which are the various UTM (Unified Threat Management) 
options and reporting options.

What kind of features do you guys find are key and are there any features you 
thought you'd use but really don't?

Dave

-Original Message-
From: David Lum [mailto:david@nwea.org] 
Sent: Thursday, August 04, 2011 6:08 AM
To: NT System Admin Issues
Subject: RE: SMB firewall (was RE: VLAN N00b)

Yep, what you describe is exactly what I was envisioning, thanks! (BTW Dell 
also calls it tagging). Now to decide on a firewall. I called my client last 
night and she was already onboard with my thinking "go ahead and buy it or send 
me a link and I'll order it".

I love clients that trust you enough that all you need to do is explain the 
concept and benefits and they're ready to pull the trigger, weird telling them 
"uh, I'm not ready to buy anything as I need to decide on the exact product..." 
:-).

It's also nice knowing that steering them to a managed switch 3 years ago is 
going to pay off with this little project.

Dave

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Thursday, August 04, 2011 5:34 AM
To: NT System Admin Issues
Subject: Re: SMB firewall (was RE: VLAN N00b)

On Wed, Aug 3, 2011 at 4:42 PM, David Lum  wrote:
> So ideally in your opinion the firewall would effectively give
> each VLAN (each VLAN defined by 802.1Q tags) its own
> DHCP scope and thus their own IP settings, correct?

  More or less.

  I would separate your desired access groups into separate networks.

  Conceptually, start with the idea that you have each group on a
different physical switch, each with its own DHCP server, and its own




  So upgrade the concept to a firewall that understands 802.1Q VLAN
tags.  Only one cable from the switch to the firewall.  Each separate
VLAN gets associated with that single cable, and the switch and
firewall use 802.1Q VLAN tags to know which isolated network a given
frame is for.

  Only the switch port connected to the firewall emits or expects
frames with VLAN tags.  (I believe Cisco calls this a "VLAN trunk
port"; HP calls it "tagged"; I dunno what Dell calls it.)  All the
other switch ports are on a single VLAN ("untagged" in HP-speak), and
just act like separate switches for the nodes which aren't aware of
the other networks.

  Make sense?

-- Ben




RE: SMB firewall (was RE: VLAN N00b)

2011-08-04 Thread David Lum
Yep, what you describe is exactly what I was envisioning, thanks! (BTW Dell 
also calls it tagging). Now to decide on a firewall. I called my client last 
night and she was already onboard with my thinking "go ahead and buy it or send 
me a link and I'll order it".

I love clients that trust you enough that all you need to do is explain the 
concept and benefits and they're ready to pull the trigger, weird telling them 
"uh, I'm not ready to buy anything as I need to decide on the exact product..." 
:-).

It's also nice knowing that steering them to a managed switch 3 years ago is 
going to pay off with this little project.

Dave

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Thursday, August 04, 2011 5:34 AM
To: NT System Admin Issues
Subject: Re: SMB firewall (was RE: VLAN N00b)

On Wed, Aug 3, 2011 at 4:42 PM, David Lum  wrote:
> So ideally in your opinion the firewall would effectively give
> each VLAN (each VLAN defined by 802.1Q tags) its own
> DHCP scope and thus their own IP settings, correct?

  More or less.

  I would separate your desired access groups into separate networks.

  Conceptually, start with the idea that you have each group on a
different physical switch, each with its own DHCP server, and its own




  So upgrade the concept to a firewall that understands 802.1Q VLAN
tags.  Only one cable from the switch to the firewall.  Each separate
VLAN gets associated with that single cable, and the switch and
firewall use 802.1Q VLAN tags to know which isolated network a given
frame is for.

  Only the switch port connected to the firewall emits or expects
frames with VLAN tags.  (I believe Cisco calls this a "VLAN trunk
port"; HP calls it "tagged"; I dunno what Dell calls it.)  All the
other switch ports are on a single VLAN ("untagged" in HP-speak), and
just act like separate switches for the nodes which aren't aware of
the other networks.

  Make sense?

-- Ben




Re: SMB firewall (was RE: VLAN N00b)

2011-08-04 Thread Ben Scott
On Wed, Aug 3, 2011 at 4:42 PM, David Lum  wrote:
> So ideally in your opinion the firewall would effectively give
> each VLAN (each VLAN defined by 802.1Q tags) its own
> DHCP scope and thus their own IP settings, correct?

  More or less.

  I would separate your desired access groups into separate networks.

  Conceptually, start with the idea that you have each group on a
different physical switch, each with its own DHCP server, and its own
DHCP scope and subnet.  No connections between them.  Each of those
physically separate networks gets plugged into a different firewall.
Conceptually simple because no two networks share the same hardware.
Expensive and bulky, though.

  Now upgrade the concept to a firewall with multiple physical ports.
You only need one firewall.  Each physically separate switch plugs
into a different port on the firewall.  The firewall has a different
IP address on each port.  Firewall is smart enough to do access
control for each network separately.  So now you've still got multiple
switches, but a single firewall.

  Now upgrade the concept to a single switch that does VLANs.  You
configure each switch port on an appropriate VLAN.  No VLAN tags on
any frames on the wire; it's all internal to the switch.  No
connectivity between VLANs.  Same as above, just with one physical
switch rather than several.  Each isolated network gets a separate
cable to the firewall -- so you use multiple switch ports to connect
to the firewall.  Seems silly to have several cables running from the
same switch to the same firewall.

  So upgrade the concept to a firewall that understands 802.1Q VLAN
tags.  Only one cable from the switch to the firewall.  Each separate
VLAN gets associated with that single cable, and the switch and
firewall use 802.1Q VLAN tags to know which isolated network a given
frame is for.

  Only the switch port connected to the firewall emits or expects
frames with VLAN tags.  (I believe Cisco calls this a "VLAN trunk
port"; HP calls it "tagged"; I dunno what Dell calls it.)  All the
other switch ports are on a single VLAN ("untagged" in HP-speak), and
just act like separate switches for the nodes which aren't aware of
the other networks.

  Make sense?

-- Ben

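
The single-trunk design Ben describes (one cable, 802.1Q tags telling the firewall which isolated network a frame belongs to), worked through as an added example in Python. This is not code from the thread or from any firewall vendor: it parses tagged frames arriving on the firewall's one trunk port, maps the VID to a per-VLAN virtual sub-interface, checks that the source address belongs to that VLAN's subnet, and applies a default-deny policy between VLANs. The VLAN numbers, subnets, MAC addresses and the one permitted rule are all constructed for illustration.

```python
"""Router-on-a-stick classification of 802.1Q frames with default-deny
inter-VLAN policy.  Added example; every VLAN number, subnet, MAC address
and policy rule below is constructed for illustration."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100        # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class Frame:
    dst_mac: bytes
    src_mac: bytes
    vlan_id: Optional[int]   # None when the frame carried no 802.1Q tag
    ethertype: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, peeling off one 802.1Q tag if present."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan_id, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan_id = tci & 0x0FFF        # low 12 bits are the VID; the rest is PCP/DEI
        offset = 18
    return Frame(dst, src, vlan_id, ethertype, raw[offset:])


# One virtual sub-interface per isolated network on the single trunk (constructed).
SUBINTERFACES = {
    10: ipaddress.ip_network("192.168.10.0/24"),   # production
    20: ipaddress.ip_network("192.168.20.0/24"),   # guest
}

# Inter-VLAN policy: default deny; only listed (src_vlan, dst_vlan) pairs pass.
ALLOWED = {(10, 20)}   # production may reach guest; guest never reaches production


def classify(frame: Frame) -> str:
    """Forwarding decision for a frame received on the trunk port."""
    if frame.vlan_id is None:
        return "drop: untagged frame on trunk"
    if frame.vlan_id not in SUBINTERFACES:
        return f"drop: VLAN {frame.vlan_id} has no sub-interface"
    if frame.ethertype != ETHERTYPE_IPV4 or len(frame.payload) < 20:
        return "drop: not IPv4"
    src_ip = ipaddress.ip_address(frame.payload[12:16])
    dst_ip = ipaddress.ip_address(frame.payload[16:20])
    if src_ip not in SUBINTERFACES[frame.vlan_id]:
        # The source must belong to the subnet of the VLAN it arrived on (anti-spoofing).
        return f"drop: {src_ip} is not in VLAN {frame.vlan_id}'s subnet"
    dst_vlan = next((v for v, net in SUBINTERFACES.items() if dst_ip in net), None)
    if dst_vlan is None:
        return f"forward: VLAN {frame.vlan_id} -> Internet ({dst_ip})"
    if dst_vlan == frame.vlan_id:
        return "drop: same-VLAN traffic is switched, never routed here"
    if (frame.vlan_id, dst_vlan) in ALLOWED:
        return f"forward: VLAN {frame.vlan_id} -> VLAN {dst_vlan}"
    return f"deny: VLAN {frame.vlan_id} -> VLAN {dst_vlan} (default deny)"


def build_frame(vlan_id: Optional[int], src_ip: str, dst_ip: str) -> bytes:
    """Constructed test input: minimal frame carrying a bare 20-byte IPv4 header."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_id is None:
        tag = struct.pack("!H", ETHERTYPE_IPV4)
    else:
        tag = struct.pack("!HHH", TPID_8021Q, vlan_id, ETHERTYPE_IPV4)  # PCP/DEI = 0
    ip_hdr = (bytes.fromhex("450000140000400040060000")   # ver/IHL..checksum
              + ipaddress.ip_address(src_ip).packed
              + ipaddress.ip_address(dst_ip).packed)
    return eth + tag + ip_hdr


if __name__ == "__main__":
    samples = [
        (20, "192.168.20.7", "8.8.8.8"),        # guest to Internet
        (20, "192.168.20.7", "192.168.10.5"),   # guest to production
        (10, "192.168.10.5", "192.168.20.7"),   # production to guest
        (None, "192.168.10.5", "8.8.8.8"),      # untagged frame on the trunk
        (20, "192.168.10.5", "8.8.8.8"),        # production address on the guest VLAN
    ]
    for vid, s, d in samples:
        verdict = classify(parse_frame(build_frame(vid, s, d)))
        print(f"vlan={str(vid):>4} {s:>14} -> {d:<14} {verdict}")
```

The anti-spoofing check is the part worth keeping in mind when a guest VLAN shares a trunk with production: the tag says which network a frame came from, so a production source address arriving under the guest tag is dropped rather than routed.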


RE: SMB firewall (was RE: VLAN N00b)

2011-08-03 Thread David Lum
As my original post said, I am open to suggestions as I am just digging into 
this stuff for the first time (I had to look up layer2 and layer 3 again today 
to refresh my memory based on John's "IP Helper" comment - I have heard of it 
before...).

So ideally in your opinion the firewall would effectively give each VLAN (each 
VLAN defined by 802.1Q tags) its own DHCP scope and thus their own IP 
settings, correct?

In this case I use the PowerConnect to assign tags on various ports and the 
firewall will figure out which VLAN they need to go to, right?

Dave

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Wednesday, August 03, 2011 1:21 PM
To: NT System Admin Issues
Subject: Re: SMB firewall (was RE: VLAN N00b)

On Wed, Aug 3, 2011 at 3:53 PM, David Lum  wrote:
> Use the Dell switch, have the firewall be promiscuous and VLAN off the
> various ports so they can only see the firewall as well as get DHCP from it.

  I would tend to prefer to keep IP traffic completely separated --
different DHCP scopes, different subnets, etc.  If the firewall
supports 802.1Q VLAN tags, you should be able to create a virtual
interface on the firewall for each VLAN, and treat them like different
physical ports.  In such a situation you can actually end up with a
firewall with only one physical network connection, using VLANs for
everything; this is sometimes called "router on a stick".

  Not saying what you propose wouldn't work, I just don't like the
whole layer two selective forwarding thing (that's what I have the
firewall for).  Maybe I'm just old fashioned.

-- Ben




Re: SMB firewall (was RE: VLAN N00b)

2011-08-03 Thread Kurt Buff
On Wed, Aug 3, 2011 at 13:20, Ben Scott  wrote:
>
> On Wed, Aug 3, 2011 at 3:53 PM, David Lum  wrote:
> > Use the Dell switch, have the firewall be promiscuous and VLAN off the
> > various ports so they can only see the firewall as well as get DHCP from it.
>
>  I would tend to prefer to keep IP traffic completely separated --
> different DHCP scopes, different subnets, etc.  If the firewall
> supports 802.1Q VLAN tags, you should be able to create a virtual
> interface on the firewall for each VLAN, and treat them like different
> physical ports.  In such a situation you can actually end up with a
> firewall with only one physical network connection, using VLANs for
> everything; this is sometimes called "router on a stick".
>
>  Not saying what you propose wouldn't work, I just don't like the
> whole layer two selective forwarding thing (that's what I have the
> firewall for).  Maybe I'm just old fashioned.
>
> -- Ben

+1

There's a place for old-fashioned in this arena.

Kurt




Re: SMB firewall (was RE: VLAN N00b)

2011-08-03 Thread Andrew S. Baker
Also look at the Fortigate 50 series...

ASB
http://about.me/Andrew.S.Baker
Harnessing the Advantages of Technology for the SMB market…



On Wed, Aug 3, 2011 at 3:53 PM, David Lum  wrote:

> Nice, looks like the SSG5 fits the bill. Looks like Watchguard XTM2 lives
> in the same space.
>
> Now that I think about it, in this same office are 4 different companies
> (most sized 2 employees) each with a Linksys doing much the same thing I’m
> trying to do with this WLAN. I’d bet the right firewall would allow me to
> eliminate all those Linksys devices right?
>
> Use the Dell switch, have the firewall be promiscuous and VLAN off the
> various ports so they can only see the firewall as well as get DHCP from it.
>
> Amirite?
>
> Dave
>
> From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
> Sent: Wednesday, August 03, 2011 11:41 AM
> To: NT System Admin Issues
> Subject: RE: VLAN N00b
>
> FWIW I think the Juniper SSG5s are perfect for most needs and they're dirt
> cheap too.
>
> They should do what you need if you do go down that route.
>
> If not, assuming you can VLAN or zone off ports on the Sonicwall or do
> something to keep the Guest and LAN traffic separate, as others have said
> either chop in the AP or buy a dirt cheap router and connect it to the guest
> VLAN just to use its DHCP server functionality.
> --
>
> From: David Lum [david@nwea.org]
> Sent: 03 August 2011 6:58 PM
> To: NT System Admin Issues
> Subject: RE: VLAN N00b
>
> Their SonicWALL is old (SOHO3!) and I have - previous to this latest work -
> talked them into upgrading but I just haven’t done it (it’s one of my
> clients I can go 3 months w/out being onsite, and it just slipped through
> the cracks). This looks like a good time to revisit and add a new
> requirement to the firewall capabilities…
>
> Dave
>
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Sent: Wednesday, August 03, 2011 10:36 AM
> To: NT System Admin Issues
> Subject: RE: VLAN N00b
>
> Send it back and get one that does, or put something in the ‘new’ network
> that will do the dhcp for you. Will the Sonic do dhcp on just one interface
> perhaps?  I really think this direction is the cleanest and easiest to do.
>
> From: David Lum [mailto:david@nwea.org]
> Sent: Wednesday, August 03, 2011 1:21 PM
> To: NT System Admin Issues
> Subject: RE: VLAN N00b
>
> I thought of that, but this AP doesn’t have the capability to be a DHCP
> server.
>
> Dave
>
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Sent: Wednesday, August 03, 2011 9:57 AM
> To: NT System Admin Issues
> Subject: RE: VLAN N00b
>
> Are only non-company assets going to use this AP? If yes read on, otherwise
> hit delete.
>
> Since it is a small environment with only one AP, set the AP up as its own
> DHCP server….put it on its own physical and logical network and drop
> another port in the Sonic Firewall and just route them straight out to the
> internets….
>
> From: David Lum [mailto:david@nwea.org]
> Sent: Wednesday, August 03, 2011 10:27 AM
> To: NT System Admin Issues
> Subject: VLAN N00b
>
> So…I bought a wireless AP and it looks like I get to delve into learning a
> little VLANing.
>
> Environment:
>
> DNS, DHCP server (2003 SBS server, Domain controller)
> Second DC (2003 R2 Server)
> SonicWall Firewall
> Dell PowerConnect 3448
> 17 Domain PCs
> HP M110 Wireless AP with non-domain PCs using this to get to the Internet.
>
> Desired result for WLAN clients:
>
> - Able to get to the Internet, but not be able to see any domain systems.
> - DNS configured to non-domain server (SonicWall would be OK)
>
> I can VLAN with the PowerConnect and make it so that AP can only get to the
> firewall, but my issue then is how will any clients get assigned an IP
> address. I can configure the Sonicwall to hand out IPs but then I lose
> control of IPs (reservations, etc) from the SBS system.
>
> It looks like I should divorce DHCP from the SBS server and put it on the
> 2nd DC and allow the AP to see the one DC and the Sonicwall.
>
> Here’s a document I found helpful:
>
> http://www.dell.com/downloads/global/products/pwcnt/en/howto_config_private_vlans.pdf
>
> From that, the SBS server and all domain PCs would be in Community 10
> The AP would be in Community 11
> The firewall and 2nd DC (now doing DHCP) would be promiscuous. Is that too
> big of a risk? The HP110 can do RADIUS and I did install that capability on
> the 2nd DC but I don’t really know 

Re: SMB firewall (was RE: VLAN N00b)

2011-08-03 Thread Ben Scott
On Wed, Aug 3, 2011 at 3:53 PM, David Lum  wrote:
> Use the Dell switch, have the firewall be promiscuous and VLAN off the
> various ports so they can only see the firewall as well as get DHCP from it.

  I would tend to prefer to keep IP traffic completely separated --
different DHCP scopes, different subnets, etc.  If the firewall
supports 802.1Q VLAN tags, you should be able to create a virtual
interface on the firewall for each VLAN, and treat them like different
physical ports.  In such a situation you can actually end up with a
firewall with only one physical network connection, using VLANs for
everything; this is sometimes called "router on a stick".

  Not saying what you propose wouldn't work, I just don't like the
whole layer two selective forwarding thing (that's what I have the
firewall for).  Maybe I'm just old fashioned.

-- Ben



Re: SMB firewall (was RE: VLAN N00b)

2011-08-03 Thread Kurt Buff
Don't know, but here's what I've got running.

We're using Cisco 1240AG WAPs, but I think the situation is analogous.

I made sure that our firewall's internal interface had two VLANs that didn't
talk with each other, but that each had access to the Internet - each VLAN
interface is a different numbered subnet, and the firewall has an IP address
for that subnet on it to be used as the default gateway by machines on the
subnet. On the guest VLAN I stuck a tiny freebsd box running a dhcp server,
and it hands out IP addresses, the DG and points the clients to 8.8.8.8 for
DNS.

I also instantiated the guest VLAN on the switch attached to the firewall,
and the HP PoE switch to which the WAPs are connected. Both switches are L2
only, so the firewall is acting as the L3 node to which each talks. The
switch attached to the firewall is tagged to the guest VLAN only on the port
connected to the firewall and the port that connects it to the PoE switch.

I then set up two separate SSIDs on separate VLANs on the WAPs. The HP PoE
switches are tagged (to use HP parlance) to both VLANs for each port to
which a WAP is connected, and to the port that connects it to the next
switch.

ASCII diagram looks like this:


|------|  A  |------|  B  |--------|  C  |-------|
|  fw  |-----|  HP  |-----| HP PoE |-----|  WAP  |
|------|     |------|     |--------|     |-------|
                |
                | D
                |
             |------|
             |  L3  |
             |------|

Link A: Tagged in VLAN 1 (Production) and VLAN 2 (Guest)
Link B: Tagged in VLAN 1 and VLAN 2
Link C: Tagged in VLAN 1 and VLAN 2
Link D: Tagged in VLAN 1 only

The L3 switch is for the Production LAN only.
The WAP has two SSIDs - Prod and Guest, which are assigned to VLANs 1 and 2
respectively. We actually have 15 WAPs spread through the building,
connected to 3 PoE switches, but just two VLANs for them.

The HP switch connected to links A/B/C serves many more VLANs than just the
guest network - there's a whole set of Engineering and vendor/partner VLANs
to which the firewall controls access, but I've left them off for
simplicity.

The L3 switch is an HP 3400cl-48 (with 10 HP 2510-48 switches hanging from
it), the HP switch is a 2524, the HP PoE switch is a 2800-PWR and the WAP is
a Cisco 1240AG. Someday I hope to be able to consolidate the HP equipment
into two larger switches (our space is divided in two, and I run Cat5 cables
back to individual HP 2510-48s in the space away from the server room.)

HTH,

Kurt

On Wed, Aug 3, 2011 at 12:53, David Lum  wrote:

> Nice, looks like the SSG5 fits the bill. Looks like Watchguard XTM2 lives
> in the same space.
>
> Now that I think about it, in this same office are 4 different companies
> (most sized 2 employees) each with a Linksys doing much the same thing I’m
> trying to do with this WLAN. I’d bet the right firewall would allow me to
> eliminate all those Linksys devices right?
>
> Use the Dell switch, have the firewall be promiscuous and VLAN off the
> various ports so they can only see the firewall as well as get DHCP from it.
>
> Amirite?
>
> Dave
>
> From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
> Sent: Wednesday, August 03, 2011 11:41 AM
> To: NT System Admin Issues
> Subject: RE: VLAN N00b
>
> FWIW I think the Juniper SSG5s are perfect for most needs and they're dirt
> cheap too.
>
> They should do what you need if you do go down that route.
>
> If not, assuming you can VLAN or zone off ports on the Sonicwall or do
> something to keep the Guest and LAN traffic separate, as others have said
> either chop in the AP or buy a dirt cheap router and connect it to the guest
> VLAN just to use its DHCP server functionality.
> --
>
> From: David Lum [david@nwea.org]
> Sent: 03 August 2011 6:58 PM
> To: NT System Admin Issues
> Subject: RE: VLAN N00b
>
> Their SonicWALL is old (SOHO3!) and I have - previous to this latest work -
> talked them into upgrading but I just haven’t done it (it’s one of my
> clients I can go 3 months w/out being onsite, and it just slipped through
> the cracks). This looks like a good time to revisit and add a new
> requirement to the firewall capabilities…
>
> Dave
>
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Sent: Wednesday, August 03, 2011 10:36 AM
> To: NT System Admin Issues
> Subject: RE: VLAN N00b
>
> Send it back and get one that does, or put something in the ‘new’ network
> that will do the dhcp for you. Will the Sonic do dhcp on just one interface
> perhaps?  I really think this direction is the cleanest and easiest to do.
>
> From: David Lum [mailto:david@nwea.org]
> Sent: Wedne
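
Kurt's per-link tagging table is the kind of thing that is easy to get wrong on one port and never notice, so here is the layout checked mechanically, as an added example in Python (not Kurt's configuration or code). It records which VLANs are tagged on each link and walks the links a frame on a given VLAN can be flooded across, to confirm that the guest VLAN reaches the firewall (its only way out) but never the production L3 switch, and to catch a mis-tagged link. The device names, link letters and VLAN numbers follow the post; that link D connects the L3 switch to the HP switch next to the firewall is an assumption made here.

```python
"""Per-link VLAN membership check for a tagged-trunk layout.
Added example; device names and VLAN numbers follow the post above,
the attachment point of link D is an assumption."""
from collections import deque
from typing import Dict, Iterable, List, Set, Tuple

Link = Tuple[str, str, Set[int]]   # (device_a, device_b, VLANs tagged on the link)

# Assumed topology: link D hangs the production-only L3 switch off the HP switch
# that sits next to the firewall.
LINKS: List[Link] = [
    ("fw", "HP", {1, 2}),        # Link A: tagged in VLAN 1 (Production) and 2 (Guest)
    ("HP", "HP PoE", {1, 2}),    # Link B
    ("HP PoE", "WAP", {1, 2}),   # Link C
    ("HP", "L3", {1}),           # Link D: VLAN 1 only
]


def reachable(start: str, vlan: int, links: Iterable[Link] = LINKS) -> Set[str]:
    """Devices a frame tagged `vlan` can be flooded to from `start`.

    The switches are L2-only, so within a VLAN a broadcast crosses every link
    that carries that VLAN; links without the tag are invisible to the frame."""
    adj: Dict[str, Set[str]] = {}
    for a, b, vlans in links:
        if vlan in vlans:
            adj.setdefault(a, set()).add(b)
            adj.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}


def isolation_violations(guest_vlan: int, protected: Set[str], entry: str = "WAP",
                         links: Iterable[Link] = LINKS) -> Set[str]:
    """Protected devices a guest-VLAN frame entering at `entry` could reach.
    Empty means the tagging keeps the guest VLAN off the production gear."""
    return reachable(entry, guest_vlan, links) & protected


def guest_has_gateway(guest_vlan: int, gateway: str = "fw", entry: str = "WAP",
                      links: Iterable[Link] = LINKS) -> bool:
    """Guests still need a layer-2 path to the firewall, their only way out."""
    return gateway in reachable(entry, guest_vlan, links)


if __name__ == "__main__":
    print("guest VLAN 2 from WAP reaches:", sorted(reachable("WAP", 2)))
    print("prod  VLAN 1 from WAP reaches:", sorted(reachable("WAP", 1)))
    print("violations:", isolation_violations(2, {"L3"}))
    print("guest can reach firewall:", guest_has_gateway(2))
    # Constructed mistake: someone tags link D for the guest VLAN as well.
    bad = LINKS[:3] + [("HP", "L3", {1, 2})]
    print("violations after mis-tagging link D:", isolation_violations(2, {"L3"}, links=bad))
```

Reaching "fw" here only means the guest VLAN reaches the firewall's guest interface at layer 2; what guests can get to beyond that is the firewall's own policy, which this check deliberately does not model.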

RE: SMB firewall (was RE: VLAN N00b)

2011-08-03 Thread Paul Hutchings
If you're looking at Watchguard just check that the management is "on-device".  
It was ages back and I might have got the wrong end of the stick but they 
seemed to depend on an admin console that had to be installed vs. a web gui, 
and things like URL filtering were dealt with via a database/service installed 
on a PC which the firewall talked to - it all seemed a bit "boxy".

As for the SSG5's, for a small box they have 8 (I think, not near it and we've 
never used them all) interfaces, pretty sure they're all independent.

So if you're doing a real simple outbound only setup you'd just setup zones for 
Customer1, Customer2 etc. and assign each zone an interface, enable a DHCP 
server on that interface if required, then create rules from "Customer 1 to 
Untrust" with NAT enabled.

Pretty sure they'll happily deal with VLAN's but I've not used them in 
conjunction with the SSG's.

All the documentation is on the Juniper website but as with most firewall 
vendors it's like 2000 pages so can be a bit heavy going.

Paul


From: David Lum [david@nwea.org]
Sent: 03 August 2011 8:53 PM
To: NT System Admin Issues
Subject: SMB firewall (was RE: VLAN N00b)

Nice, looks like the SSG5 fits the bill. Looks like Watchguard XTM2 lives in 
the same space.

Now that I think about it, in this same office are 4 different companies (most 
sized 2 employees) each with a Linksys doing much the same thing I’m trying to 
do with this WLAN. I’d bet the right firewall would allow me to eliminate all 
those Linksys devices, right?

Use the Dell switch, have the firewall be promiscuous and VLAN off the various 
ports so they can only see the firewall as well as get DHCP from it.

Amirite?

Dave

From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Wednesday, August 03, 2011 11:41 AM
To: NT System Admin Issues
Subject: RE: VLAN N00b

FWIW I think the Juniper SSG5s are perfect for most needs and they're dirt 
cheap too.

They should do what you need if you do go down that route.

If not, assuming you can VLAN or zone off ports on the Sonicwall or do 
something to keep the Guest and LAN traffic separate, as others have said either 
chop in the AP or buy a dirt cheap router and connect it to the guest VLAN just 
to use its DHCP server functionality.

From: David Lum [david@nwea.org]
Sent: 03 August 2011 6:58 PM
To: NT System Admin Issues
Subject: RE: VLAN N00b
Their SonicWALL is old (SOHO3!) and I have - previous to this latest work - 
talked them into upgrading but I just haven’t done it (it’s one of my clients I 
can go 3 months w/out being onsite, and it just slipped through the cracks). 
This looks like a good time to revisit and add a new requirement to the 
firewall capabilities…

Dave

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 03, 2011 10:36 AM
To: NT System Admin Issues
Subject: RE: VLAN N00b

Send it back and get one that does, or put something in the ‘new’ network that 
will do the dhcp for you. Will the Sonic do dhcp on just one interface perhaps? 
I really think this direction is the cleanest and easiest to do.

From: David Lum [mailto:david@nwea.org]
Sent: Wednesday, August 03, 2011 1:21 PM
To: NT System Admin Issues
Subject: RE: VLAN N00b

I thought of that, but this AP doesn’t have the capability to be a DHCP server.

Dave

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, August 03, 2011 9:57 AM
To: NT System Admin Issues
Subject: RE: VLAN N00b

Are only non-company assets going to use this AP? If yes read on, otherwise hit 
delete.

Since it is a small environment with only one AP, set the AP up as its own 
DHCP server….put it on its own physical and logical network and drop another 
port in the Sonic Firewall and just route them straight out to the internets….



From: David Lum [mailto:david@nwea.org]
Sent: Wednesday, August 03, 2011 10:27 AM
To: NT System Admin Issues
Subject: VLAN N00b

So…I bought a wireless AP and it looks like I get to delve into learning a 
little VLANing.

Environment:
DNS, DHCP server (2003 SBS server, Domain controller)
Second DC (2003 R2 Server)
SonicWall Firewall
Dell PowerConnect 3448
17 Domain PCs
HP M110 Wireless AP with non-domain PCs using this to get to the Internet.

Desired result for WLAN clients:

• Able to get to the Internet, but not be able to see any domain 
systems.

• DNS configured to non-domain server (SonicWall would be OK)

I can VLAN with the PowerConnect and make it so that AP can only get to the 
firewall, but my issue then is how will any clients get assigned an IP address. 
I can configure the Sonicwall to hand out IPs but then I lose control of IPs 
(reservations, etc) from the SBS system.

It looks like I should divorce DHCP from the SBS server and put it on the 2nd 
DC and allow the AP to see the one DC and th