Listen to the podcast “What you need to do to be employable” to get the most value out of the best practice recommendations and resources outlined below. You cannot secure what you cannot engineer, implement, maintain, and support. Security was always infused into IT if you did IT correctly. I have been doing IT since 1993 and was programming in third grade. Security was ALWAYS part of a proper strategy.

I am always trying to add to the team. But I find that a lot of people are just wholly unqualified to do baseline prerequisites. They get misled and sold on the idea of getting a degree in IT/IS/Cybersecurity. Unless you have mastered the items on this list, it will not matter what degree you have.

The following items are separated into priority order and resource recommendations.

Home lab equipment acquisition priority recommendation

  1. NAS
  2. Domain/DNS/Office 365 tenant
  3. Network layer security appliance
  4. Layer 3 switch
  5. PowerEdge server

Must Have Skills

NAS

A TFTP server is mandatory for working with non-cloud switching equipment for configuration backups, restores, firmware upgrades. Running TFTP on Windows or Linux desktop OS is very problematic. A Synology NAS has TFTP capabilities as well as a ton of other features. The NAS has ActiveBackup, HyperBackup and that could be used to back up the VMs in your lab and your Office 365 tenant. There is Active Backup for M365, which is included and a great experience to setup. A Synology NAS also can be configured for SSH access to the Linux OS which can be used for all kinds of fun things like cron jobs, rsync tasks, and learning how to setup certificate-based authentication for FTP connections where no username and password are allowed for the authentication method.

BCDR skills are mandatory.

I see no better way to learn BCDR other than by doing it. Do not shortcut the size of the hard drives you put in the NAS. It is not worth it. You need lots of space to be able to fully utilize the NAS as your learning zone. Look at the price differences between hard drives. Do not get a smaller hard drive when a larger one would have cost $20 more.

Minimum NAS is DS218. The newer DS220+ is even better. If you want to use features like ActiveBackup, be sure to select a model that supports that package. A bit higher budget would result more flexible options such as a 6-bay NAS with higher capabilities. This allows the owner to leverage Synology Hybrid RAID and mix and match hard drives. A 6 bay unit could be used to create three RAID 1 arrays of different sizes if all the owner had was drives of different sizes.

I suggest Seagate IronWolf Pro drives. A NAS must use NAS‑rated hard drives. I suggest getting two of the 8 TB or larger hard drives as that will give you plenty of space to play with and they are quite affordable. Western Digital also has WDRedPro drives which are also good. Verify NAS supported compatibility by the hard drive selector tool on Synology’s website.

Domain/DNS

You must understand domain and DNS hosting and DNS records especially for all services hosted through Office 365. Be sure to use a DNS hosting service which supports advanced record types like URL hopping and SRV records. Learn DNS CAA records and what they are for. Read up on DNSSEC.

Some domain and DNS hosting providers also offer inexpensive website hosting. It is very instructive to spend $100/yr on this kind of website hosting where Joomla or WordPress could be used with Let’s Encrypt, modules, extensions, and WAF.

Wireless learning

Good wireless design says that if you do more than 4 SSIDs on a single AP, you are going to have problems. Frankly, anything more than 2 is undesirable.

There are wireless design reasons for this which I will not write a book about here. There are plenty of “wireless for dummies” resources available.

For security and management reasons, you need to have guests, separate from Chromebooks, separate from trusted wireless Windows laptops, etc.

So right there we are already at three SSIDs. Then you want to have different join policies for each. A guest network only works with a captive portal or you give everyone the PSK. More advanced wireless technologies can use PPSK or private pre-shared key for SSID association after a person uses the captive portal and signs up to get their own PPSK.

Chromebooks work best when they use certificate-based authentication to wireless. Chromebooks are cheap and you can get your own Chrome OS management tenant for $50/yr and setup certificate based wireless device authentication.

Windows laptops are most secure with RADIUS which is certificate-based authentication. You do not have to have premise Active Directory to have RADIUS, so do not get sucked into that misunderstanding. There is Azure AD and other resources such as WatchGuard Fireboxes with WatchGuard Cloud which can be a much more cost effective and easy to use/manage MFA-enabled RADIUS server.

PSK is considered insecure and problematic for a lot of reasons.

I go for configs which do not push more than two SSIDs through a WAP. So that is 3 VLANs if you are doing static VLAN to SSID mapping. Only two of those are SSID related VLANs. The third is the WAP Management VLAN. Anything more simply results in bad wireless design.

It is preferable to have a single SSID that devices join and get automatically redirected based upon policy and captive portal with dynamic VLAN assignment. Captive portal VLAN would be addition of another VLAN, and you would need very special security zone profile rules for that.

If you are doing dynamic VLAN assignment, you can push the required VLANs through to the AP, but you would never push management, OOBM, Tier0, Server, Printer, or similar VLANs through to an AP.

I would never do trunk all. There are many security issues with that.

So doing more than 3 wireless related VLANs only makes sense if you are using dynamic VLAN assignment. You can only do that if you have captive portal and the policies to support that. And you can only cost effectively do that with an enterprise grade cloud controller. A premise controller can be >$15,000 whereas the cloud controller comes with the subscription for the WAP.

Office 365 / Microsoft 365

You should run your own tenant and learn how to use this technology if you want to be employable. You can literally get your own tenant with a single business premium license for less than $300/yr. Using a Synology NAS with the proper model will allow for Active Backup for M365 to be used.

On cloud controllers for wireless

I really like wireless cloud controllers because you can economically get super high-grade functionality on even a single AP. If you were to try to do captive portal, WIPS, dynamic VLAN assignment on a local controller scenario, you are looking at a floor of about $30,000 hardware, licensing, implementation.

That is not a SMB price. Even a lot of hospitals and school districts will choke on that price tag. But that level of functionality is available with the proper cloud controller in a single premise AP.

Cloud controllers have better, more accessible diagnostics and less stuff to maintain. And when implemented properly with a proper technology selection, they can be just as secure as premise controllers.

Role based access control with a cloud controller and enforced MFA for PAM is easier. Trying to do that with a local controller is very difficult. High security, high functionality WAPs are not inexpensive.

The MSRP on a WatchGuard AP325 with Total Wi-Fi for 3 years is $900. That would probably turn into the $780 range to purchase from a partner. And you would want a mounting wall plate for it. That is $20. Total Wi-Fi is the only thing I use in my environments. The AP325 is tied to the Arista Cloud, and the WIPS is excellent. Another advantage to the cloud controller is the ability to set up templates and then deploy them to different tenants. For example, I can engineer a master template for all clients, and then can display that template into a subtenant which makes onboarding faster. I can control settings higher up or let them be managed at the subtenant or even per group basis in a tenant.

So, if you had two buildings where you wanted different settings used, you can easily do that in cloud controller same tenant, different groups. Or you can use the same settings for two different buildings. That way as your user base moves from one building to the other, they have a seamless experience. If you were to try to do that with a local controller, that is a lot harder. For smaller environments, we might use WatchGuard's Wi-Fi 6 technology. But for campus-type requirements, we would use Extreme WAPs with Extreme Cloud IQ as the cloud controller. The best option there is the integrated visibility with Pilot and Copilot licenses for the WAPs and switches. Pilot licenses allow for baseline WIPS.

Networking

  • Network layer security appliances
    • I recommend WatchGuard Fireboxes where you use the Firebox as the core router. It must have a full Total Security Suite active subscription with fully updated Fireware or you will not be able to learn.
    • LAG a trunk between the Firebox and the switch
    • Must use a unit with an active subscription
  • Layer 3 network switches
    • Must be able to LAG and VLAN at a minimum
    • Must be able to control tagged, untagged, and modify VLAN tagging on a LAG without breaking the LAG.
    • Recommend Extreme EXOS X440 G2 PoE switches. 12p, 24p, etc. But you must get modern firmware on the switch. Do not get a non-G2 switch as they are too old to be useful for learning. The OS is too old.
    • These can be procured online via eBay and other sources. These switches are end of sale, but not EOL.
  • Enterprise grade wireless access point
    • At least two wireless SSIDs on different VLANs, supply chain risk management configuration on the management interface. Different security zone profiles between SSIDs.
    • Depending on the WAP model, it may be possible to use an older WAP that has no cloud controller. It may be configurable as the local controller. A cloud controller is also acceptable if you do supply chain risk management network configuration.
    • Ideally, you would also get a WAP that has a cloud controller that supports captive portal and dynamic VLAN assignment.

On switches

People complain about the cost of real switching equipment. Even many people in the IT industry seem to like Meraki and Ubiquiti. I avoid those completely. I am interested in the total cost of ownership. The hardware expense at acquisition is not a big deal. What really matters is that you do not have preventable limitations and your TCO is low comparably. Anything that wastes my time is very expensive. Anything that is not fast, reliable, and efficient to use, program, upgrade, troubleshoot, and maintain is expensive or a security risk.

Network infrastructure must be rock solid. Some next business day warranty or lack of a GTAC contract on critical infrastructure is a non-starter. A 4-hour response time warranty and quality GTAC support is mandatory. The only time I need to call for support is when something ugly is happening, and I want high quality support to call and hardware with excellent diagnostics and visibility into what is going on.

This directly translates to value, lowered time to problem resolution, and lower cost to the client.

I recently heard from someone who was complaining about the price of a X440G2-12P-GE4 switch on eBay. It was $800. That is way below partner cost for a new switch. Of course, that does NOT include warranty, service contract, support, or access to firmware. But it is a high-quality switch. An alternative Netgear switch with only 10 ports with about half the functionality was $700. So, I do not see the contest here. Pay $100 more for something that is smoking good compared to something that you know you are going to find limitations in. And I am not aware of a 4-hour response time warranty contract being available for the Netgear. I know it does not have the same kind of high end GTAC support that Extreme has, nor does it have the same kind of switch capabilities. So, is my time differential over the life span of the switch worth more than $100? Obviously yes.

The biggest and most expensive errors I have seen people make in IT over the last 29 years is in procurement. They procure the wrong things. They have no procurement policy and highly likely no standards. Usually no strategy. Instead, IT just buys whatever IT thinks is cheapest at that time.

If you are a CFO, be aware that your IT director may be bringing you things that have a high TCO only because they are selecting things that look cheap in terms of acquisition cost. This is quite common as a lot of IT directors in the SMB space have no enterprise experience and lack the ability to articulate the value proposition for something that looks more expensive at acquisition time, but has a lower TCO.

The best way to protect yourself against these problems is to have an outsourced CISO like QPC Security who can work with your team to design standards and who should be part of the procurement approval process BEFORE purchases are made. The single most effective thing you can do to control costs is to have a procurement policy.

Virtualized switches and net sec appliances do not work for learning. You need to be able to plug something directly into a port and really experience what happens. You just cannot emulate what happens when you plug in a surveillance camera, desk phone, printer, etc. with virtualized switches.

Setup OOBM VLANs. Lock it down. Hardcore microsegmentation with isolation, and hardcore packet inspection. Massive supply chain risk management strategies at the network layer. Challenge yourself to always make it more locked down.

If you want to learn networking, I do not suggest Cisco's training material at all. HP Flex Net training is quite good in terms of teaching you the fundamentals that you need to know. Then from a network security model, you need to learn and master network layer security appliances. I can only recommend WatchGuard and Fortinet. Everything else has problems which I will not waste time here on why. Network+ certification is useful, but I have seen people that can pass that certification while clearly lacking a fundamental understanding of networking. This is why I recommend the HP FlexNet training over Network+.

Servers

Dell PowerEdge servers can be purchased from Dell Outlet very inexpensively. Get something you can run at least the hypervisor and a couple VMs on. It must have at least iDrac Enterprise.

Deep knowledge of HyperV, managing VMs, hypervisors, and sophisticated patching is mandatory. I am continually disappointed by job candidates that claim that they know how to do patching and vulnerability management for VMs and HyperV when they clearly do not. If you do not have experience doing that, get experience. Get the ordering of events properly. Learn what a complete vulnerability management plan for those assets would consist of. Having correct answers to these questions is level 1 mandatory knowledge.

Get educated and get hands on experience. https://qpcsecurity.podbean.com/category/vulnerability-management

Learning server hardware notes

Tower style PowerEdge is cheaper than rack mount. We nearly always buy a rack mount so that it can be installed in a rack as that takes up less space and is easier to service.

You should assume 4 processor cores per server instance. So, if you do two VMs and a HyperV host, that is 3 x 4 cores, you will at least need a 12-core single processor server.

RAM, assume at least 8 GB per and RAM cannot be over allocated. RAM must also be purchased in increments that work in that hardware. So 8x3 = 24 GB at least, I would round to 64GB.

I would want to go with 2x 2 TB hard drives on a PERC in RAID1 at a minimum. Each C: drive (host and VMs) will be 200 GB. Then on the Host you need space on D: for the VMs, their cold copies, and other things like file services. Price diff between 1 TB hard drives and 2 TB hard drives is so minimal, that I would not limit it to 1 TB. I put 1 TB hard drives in all laptops now and my team has 2 TB hard drives in laptops typically. iDrac Enterprise is mandatory.

Learn privileged access management / Privileged admin workstations

Learning PowerShell

Excellent article on supply chain risk and SBOM risk

Extreme Networks switching welcome series

Additional Resources