Product Recommendations

I am not paid by any of these manufacturers.

Firewall;

Paid: Fortinet; industry leader. uses ASICs to offload tasks while still being energy efficient and inexpensive.

Free: PfSense/OpnSense; based on BSD. Free failover / backup firewall. Installs on Intel based hardware so re-use and old desktop or buy a NetGate appliance.

Switching;

Use managed switches exclusively. The price difference between managed and unmanaged is negligible. You have no way to test when an unmanaged device is down. Unmanaged devices don’t support VLANs; they will pass the VLAN header in packets but ALL ports will be on the untagged VLAN of the upstream interface.

HP/Aruba older HP ProCurve gear is garbage. 3800 finally has Aruba firmware. New 1800 series should all have Aruba firmware, which is good. 1900 is likely still HP crap. (crap=able to accidentally create illegal configurations with 2 untagged vlans on a single interface)

Arista A single image to rule them all. Super low latency. now with PoE. Excellent gear but you pay for it. Company founded by a bunch of ex-Cisco brains.

Cisco the defacto standard. Expense but it works. Used Cisco gear can be re-certified. Assume no user friendly web interface. Its easy to find someone with Cisco experience.

Ubiquiti management via software mgr makes this very user friendly and Cloud configurable. Integrates seamlessly with Wifi. Inexpensive small business/home office gear. Their high-end gear is just as expensive as the big players.

Wireless

FortiWifi makes sense when you already have a Fortinet firewall as the wireless controller is built into the firewall. This is nice for SOHO or Satellite offices as you can manage multiple AP’s from 1 console and it makes it easy to create a separate guest network.

Ubiquiti makes decent hardware, with no licensing fees. The Ubiquiti controller is windows software or CloudKey device, for central management and pretty dashboards. It is possible to assign an SSID to a VLAN. If you don’t have Ubiquity switches you will need to manually block guest networks from accessing corporate networks from GuestWifi. Ubiquiti has made it easy to ship hardware to a remote office, walk a non-technical person through plugging in some cables and manage the device remotely.

Monitoring;

PRTG; installs on windows, can Probe and recommend what to monitor. free for first 100 devices/services. Recommended.

SolarWinds; easily becomes a mess of un-actionable alerts. expensive.

NEMS / Nagios / anything Linux; free but takes time to understand ,setup & manage. Nothing is user friendly.

Updates;

WSUS solves 1 problem and causes 3.

Just upgrade to Windows 10 and set everything to auto update. Deal with the fallout.

Auditing

AlienVault; Network inventory, patch management. OpenVAS included

MBSA; Microsoft Baseline Security Analyser. Free and a good place to start.

OpenVAS; Free. Linux or Docker based. Fork of the last free version of Nessus. Lets you scan your servers and reports a nice list of problems with links to patches. Worth the time investment. I’ll do a separate article on this.

Thycotic weak password finder. easy to install on windows and fast to produce actionable results. and its free. must have.

AntiVirus

Microsoft Security Essentials free. tightly integrated with the OS. Soon will be “sandboxed” AV must have the highest security credentials to do its job. If an attacker ever finds a flaw in AV they will have complete control of the system. Microsoft has mitigated this by minimizing the authority MSE has. Highly recommended. Arguably the only security you need.

MalwareBytes; It works fine and isn’t made by a Russian company. (Kaspersky)

HitManPro; Portable, no install required. Marketed as a Second Opinion malware scanner. No reason why not to add this to your toolkit. Internet required.

Backup:

Free: Duplicati2 best feature is it’s convenience; it creates a webpage so an administrator can change or check a workstation backup without interrupting the user. Supports backup to a number of Cloud services for road warriors with laptops. Supports high encryption to keep your data safe. Recommendation; find somewhere to store an OFFLINE backup so Ransomware can’t encrypt it.

Microsoft Backup; free included

Shared Storage:

Synology; lots of cool applets allow backing up to cloud etc. Cloud manageable.

NextCloud; self hosted NAS

OpenMediaVault; nice Gui, plug-ins