Listen to the podcast or the list of these resources may not make sense to you. You cannot secure what you cannot engineer, implement, maintain, and support. Security was always infused into IT if you did IT correctly. I know. I've been doing IT since 1993 and was programming in third grade. Security was ALWAYS part of a proper strategy.
I'm always trying to add to the team. But I find that a lot of people are just wholly unqualified to do baseline prerequisites. They get misled and sold on the idea of getting a degree in IT/IS/Cybersecurity. Unless you have mastered the items on this list, it won't matter what degree you have.
Here are some other helpful articles.
- Network layer security appliances
- I recommend WatchGuard Fireboxes where you use the Firebox as the core router. It must have a full Total Security Suite active subscription with fully updated Fireware or you won’t be able to learn.
- LAG a trunk between the Firebox and the switch
- Must use a unit with an active subscription
- Layer 3 network switches
- Must be able to LAG and VLAN at a minimum
- Recommend Extreme EXOS X440 G2 PoE switches. 12p, 24p, etc. But you must get modern firmware on the switch.
These can be procured online used via eBay and other sources.
- Enterprise grade wireless access point
- At least two wireless SSIDs on different VLANs, supply chain risk management configuration on the management interface
- Depending on the WAP model, it may be possible to use an older WAP that has no cloud controller. It may be configurable as the local controller. Cloud controller is acceptable also as long as you do supply chain risk management network configuration.
Virtualized switches and net sec appliances don’t work for learning.
Setup OOBM VLANs.
Lock it down. Hardcore microsegmentation, hardcore packet inspection. Massive supply chain risk management strategies at the network layer. Challenge yourself to always make it more locked down.
If you want to learn networking, I do not suggest Cisco's training material at all. HP Flex Net training is quite good in terms of teaching you the fundamentals that you need to know. Then from a network security model, you need to learn and master network layer security appliances. I can only recommend WatchGuard and Fortinet. Everything else has problems which I won't waste time here on why.
Dell PowerEdge servers can be purchased from outlet.dell.com very inexpensively. Get something you can run at least the hypervisor and a couple VMs on. Must have at least iDrac Enterprise.
Knowledge of HyperV, managing VMs, hypervisors, and sophisticated patching is mandatory.
Office 365 / Microsoft 365
You should run your own tenant and learn how to use this technology if you want to be employable.
You must understand domain and DNS hosting and DNS records especially for all services hosted through Office 365.
TFTP server is mandatory for working with switching equipment for configuration backups, restores, firmware upgrades. Running TFTP on Windows or Linux desktop OS are very problematic. A Synology NAS has TFTP capabilities as well as a ton of other features. The NAS has ActiveBackup, HyperBackup and that could be used to back up the VMs in your lab and your Office 365 tenant.
BCDR skills are mandatory.
I see no better way to learn BCDR other than by doing it. Do not shortcut the size of the hard drives you put in the NAS. It's not worth it. You need lots of space to be able to fully utilize the NAS as your learning zone.
Minimum NAS is DS218. https://www.synology.com/en-us/products/DS218
Suggest Seagate IronWolf Pro drives. Must use NAS rated hard drives. I suggest getting two of the 8 TB hard drives as that will give you plenty of space to play with and they are quite affordable.
- Domain/DNS/Office 365 tenant
- Network layer security appliance
- Layer 3 switch
- PowerEdge server
You must learn Tiered access control. MUST. And you must know how to implement it.
Learn privileged access management
Privileged admin workstations
BHIS webinars and training
KnowBe4 excellent webinars and ebooks
Excellent article on supply chain risk and SBOM risk
Learning server hardware notes:
Tower style PowerEdge is cheaper than rack mount. We nearly always buy rack mount so that it can be installed in a rack as that takes up less space and is easier to service.
You should assume 4 processor core per server instance. So if you do two VMs and a HyperV host, that is 3 x 4 cores, so you would at least need a 12 core single processor server.
RAM, assume at least 8 GB per and RAM cannot be over allocated.
RAM must also be purchased in increments that work in that hardware. So 8x3 = 24 GB at least, I would round to 64GB.
I would want to go with 2x 2 TB hard drives on a PERC in RAID1 at a minimum.
Each C: drive (host and VMs) will be 200 GB.
Then on the Host you need space on D: for the VMs, their cold copies, and other things like file services.
Price diff between 1 TB hard drives and 2 TB hard drives is so minimal, that I would not limit it to 1 TB.
I put 1 TB hard drives in all laptops now and my team has 2 TB hard drives in laptops typically.
Then iDrac Enterprise.
Good wireless design says that if you do more than 4 SSIDs on a single AP, you are going to have problems. Frankly anything more than 2 is undesirable.
There are wireless design reasons for this which I won’t write a book about here. There are plenty of wireless for dummies resources available.
For security and management reasons, you need to have guest separate from chromebooks separate from trusted wireless Windows laptops, etc.
So right there we are already at three SSID. Then you want to have different join policies for each. A guest network only works with captive portal or you give everyone the PSK.
Chromebooks work best when they use certificate-based authentication to wireless.
Windows laptops are most secure with RADIUS which is again certificate based authentication. You don’t have to have premise Active Directory to have RADIUS, so don’t get sucked into that misunderstanding. We now have Azure AD and other resources such as WatchGuard Fireboxes with WatchGuard Cloud which can be a much more cost effective and easy to use/manage MFA-enabled RADIUS server.
PSK is considered insecure and problematic for a lot of reasons, which again, not going to write a book about here.
I go for configs which do not push more than two SSIDs through a WAP. So that is 3 VLANs if you are doing static VLAN to SSID mapping. Only two of those are SSID related VLANs. The third is the WAP Management VLAN. Anything more simply results in bad wireless design.
It is preferable to have a single SSID that devices join and get automatically redirected based upon policy and captive portal with dynamic VLAN assignment. Captive portal VLAN would be addition of another VLAN and you would need very special security zone profile rules for that.
If you are doing dynamic VLAN assignment, you can push the required VLANs through to the AP, but you would never push management, OOBM, Tier0, Server, Printer, or similar VLANs through to an AP.
I would never do trunk all. Many security issues with that.
So doing more than 3 VLANs only makes sense if you are using dynamic VLAN assignment. You can only do that if you have captive portal and the policies to support that. And you can only cost effectively do that with an enterprise grade cloud controller.
People complain about the cost of real switching equipment. Even many people in the IT industry seem to like Meraki and Ubiquiti. I avoid those completely. I am interested in total cost of ownership. The hardware expense at acquisition is not a big deal. What really matters is that you don't have preventable limitations and your TCO is low comparably. Anything that wastes my time is very expensive. Anything that is not fast, reliable, and efficient to use, program, upgrade, troubleshoot, and maintain is expensive or a security risk.
Network infrastructure must be rock solid. Some next business day warranty or lack of a GTAC contract on critical infrastructure is a non-starter. 4 hour response time warranty and quality GTAC support is mandatory. The only time I need to call for support is when something ugly is happening, and I want high quality support to call and hardware with excellent diagnostics and visibility into what is going on.
This directly translates to value, lowered time to problem resolution, and lower cost to the client.
I recently heard from someone who was complaining about the price of a X440G2-12P-GE4 switch on eBay. It was $800. That is way below partner cost for a new switch by the way. Of course that does NOT include warranty, service contract, support, or access to firmware. But it is a high quality switch. An alternative Netgear switch with only 10 ports with about half the functionality was $700. So I don't see the contest here. Pay $100 more for something that is smoking good compared to something that you know you are going to find limitations in. And I don't believe a 4-hour response time warranty contract is available for the Netgear. I know it does not have the same kind of high end GTAC support that Extreme has, nor does it have the same kind of switch capabilities. So is my time differential over the life span of the switch worth more than $100? Obviously yes.
The biggest and most expensive errors I have seen people make in IT over the last 29 years is in procurement. They procure the wrong things. They have no procurement policy and likely no standards. Usually no strategy. Instead, IT just buys whatever IT thinks is cheapest at that time.
If you are a CFO, be aware that your IT director may be bringing you things that have a high TCO only because they are selecting things that look cheap in terms of acquisition cost. This is quite common as a lot of IT directors in the SMB space have no enterprise experience and lack the ability to articulate the value proposition for something that looks more expensive at acquisition time, but has a lower TCO.
The best way to protect yourself against these problems is to have a outsourced CISO like QPC Security who can work with your team to design standards and who should be part of the procurement approval process BEFORE purchases are made. The single most effective thing you can do to control costs is to have a procurement policy.
On cloud controllers for wireless
I really like wireless cloud controller because you can economically get super high grade functionality on even a single AP.
If you were to try to do captive portal, WIPS, dynamic VLAN assignment on a local controller scenario, you are looking at a floor of about $30,000 hardware, licensing, implementation.
That is not a SMB price. A lot of hospitals will choke at that price tag, and school districts. So it does not get done. But I can get that level of functionality with cloud controller in a single premise AP.
Cloud controllers have better, more accessible diagnostics. Less stuff to maintain. And when implemented properly with a proper technology selection, they can be just as secure as premise controllers.
Role based access control with a cloud controller and enforced MFA for PAM is easier. Trying to do that with a local controller is very difficult. High security, high functionality WAPs are not inexpensive.
The MSRP on a WatchGuard AP325 with total wifi for 3 years is $900. That would probably turn into the $780 range to purchase from a partner. And you would want a wall plate for it also for mounting. That is $15. Total Wifi is the only thing I use in my environments. The AP325 is tied to the Arista Cloud , and the WIPS is excellent.
Another advantage to the cloud controller is the ability to setup templates and then deploy them to different tenants.
For example, I can engineer a master template for all clients, and then can display that template into a subtenant which makes onboarding faster.
I can control settings higher up, or let them be managed at the subtenant or even per group basis in a tenant.
So if you had two buildings where you wanted different settings used, you can easily do that in cloud controller same tenant, different groups.
Or you can use same settings two different buildings. That way as your user base moves from one building to the other, they have a seamless experience.
If you were to try to do that with a local controller, that’s a lot harder.
I do not like WatchGuard's wifi 6 technology and won't use it. We are switching to Extreme Cloud IQ wifi.
Hard drive technology - important things to know
Messer has a lot of free Youtube video training