Listen to the podcast “What you need to do to be employable” to get the most value out of the best practice recommendations and resources outlined below. You cannot secure what you cannot engineer, implement, maintain, and support. Security was always infused into IT if you did IT correctly. I have been doing IT since 1993 and was programming in third grade. Security was ALWAYS part of a proper strategy.

I am always trying to add to the team. But I find that a lot of people are just wholly unqualified to do baseline prerequisites. They get misled and sold on the idea of getting a degree in IT/IS/Cybersecurity. Unless you have mastered the items on this list, it will not matter what degree you have.

Networking

  • Network layer security appliances
    • I recommend WatchGuard Fireboxes where you use the Firebox as the core router. It must have a full Total Security Suite active subscription with fully updated Fireware or you will not be able to learn.
    • LAG a trunk between the Firebox and the switch
    • Must use a unit with an active subscription
  • Layer 3 network switches
    • Must be able to LAG and VLAN at a minimum
    • Must be able to control tagged, untagged, and modify VLAN tagging on a LAG without breaking the LAG.
    • Recommend Extreme EXOS X440 G2 PoE switches. 12p, 24p, etc. But you must get modern firmware on the switch. Don’t get a non-G2 switch as they are too old to be useful for learning. The OS is too old.
    • These can be procured online (new/used) via eBay and other sources. These switches are end of sale (EOS) but not end of life (EOL). They are solid and available.
  • Enterprise grade wireless access point
    • At least two wireless SSIDs on different VLANs, supply chain risk management configuration on the management interface. Different security zone profiles between SSIDs.
    • Depending on the WAP model, it may be possible to use an older WAP that has no cloud controller. It may be configurable as the local controller. A cloud controller is also acceptable if you do supply chain risk management network configuration.
    • Ideally, you would also get a WAP that has a cloud controller that supports captive portal and dynamic VLAN assignment.

Virtualized switches and net sec appliances do not work for learning. You need to be able to plug something directly into a port and really experience what happens. You just cannot emulate what happens when you plug in a surveillance camera, desk phone, printer, etc. with virtualized switches.

Set up OOBM (out-of-band management) VLANs.

Lock it down. Hardcore micro-segmentation, hardcore packet inspection. Massive supply chain risk management strategies at the network layer. Challenge yourself to always make it more locked down.

If you want to learn networking, I do not suggest Cisco's training material at all. HP Flex Net training is quite good in terms of teaching you the fundamentals that you need to know. Then, from a network security model, you need to learn and master network layer security appliances. I can only recommend WatchGuard and Fortinet. Everything else has problems, and I will not waste time here on why.

Servers

Dell PowerEdge servers can be purchased from Dell Outlet very inexpensively. Get something you can run at least the hypervisor and a couple of VMs on. It must have at least iDRAC Enterprise.

Knowledge of Hyper-V, managing VMs, hypervisors, and sophisticated patching is mandatory.

Office 365 / Microsoft 365

You should run your own tenant and learn how to use this technology if you want to be employable. You can literally get your own tenant with a single business premium license for less than $300/yr.

Domain/DNS

You must understand domain and DNS hosting and DNS records especially for all services hosted through Office 365. Be sure to use a DNS hosting service which supports advanced record types like URL hopping and SRV records.
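As an added example (not from the post or its author), here is the kind of check you should be able to write once you understand these records: a small parser for a zone-file fragment plus checks that the SPF TXT record at the apex is well formed and that the SRV records used by Office 365 services exist and point at the right target and port. The zone fragment is constructed for the example. The Microsoft 365 targets (spf.protection.outlook.com, the two SIP SRV records) are what Microsoft documents at the time of writing and are treated as assumptions here; verify them against the DNS page your own tenant shows you.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class Record(NamedTuple):
    name: str          # owner name, lower-cased, with trailing dot
    rtype: str         # MX, TXT, CNAME, SRV, ...
    rdata: List[str]   # rdata tokens; a quoted TXT string is one token


_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_zone(text: str) -> List[Record]:
    """Parse a minimal zone-file fragment: one 'name ttl IN type rdata...' per line."""
    records: List[Record] = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        tokens = [quoted or bare for quoted, bare in _TOKEN.findall(line)]
        if len(tokens) < 5 or tokens[2].upper() != "IN":
            raise ValueError(f"unsupported record line: {line}")
        name, _ttl, _cls, rtype, *rdata = tokens
        records.append(Record(name.lower(), rtype.upper(), rdata))
    return records


def check_spf(records: List[Record], domain: str, expected_include: str) -> List[str]:
    """Exactly one SPF record at the apex, ending in -all/~all, including the mail provider."""
    findings: List[str] = []
    apex = domain.rstrip(".").lower() + "."
    spf = ["".join(r.rdata) for r in records
           if r.name == apex and r.rtype == "TXT" and "".join(r.rdata).lower().startswith("v=spf1")]
    if len(spf) != 1:
        return [f"expected exactly one SPF TXT at {apex}, found {len(spf)}"]
    terms = spf[0].split()
    if terms[-1] not in ("-all", "~all"):
        findings.append(f"SPF should end with -all or ~all, found {terms[-1]!r}")
    if f"include:{expected_include}" not in terms:
        findings.append(f"SPF does not include {expected_include}")
    return findings


def check_srv(records: List[Record], expected: Dict[str, Tuple[int, str]]) -> List[str]:
    """Each expected SRV owner must exist, parse, and point at the expected target:port."""
    findings: List[str] = []
    srv = {r.name: r for r in records if r.rtype == "SRV"}
    for owner, (port, target) in expected.items():
        rec = srv.get(owner)
        if rec is None:
            findings.append(f"missing SRV {owner}")
            continue
        try:  # SRV rdata is: priority weight port target
            _prio, _weight = int(rec.rdata[0]), int(rec.rdata[1])
            rport, rtarget = int(rec.rdata[2]), rec.rdata[3]
        except (ValueError, IndexError):
            findings.append(f"malformed SRV {owner}: {' '.join(rec.rdata)}")
            continue
        if not 1 <= rport <= 65535 or not rtarget.endswith("."):
            findings.append(f"SRV {owner} has an invalid port or a non-absolute target")
        elif (rport, rtarget.lower()) != (port, target):
            findings.append(f"SRV {owner} points at {rtarget}:{rport}, expected {target}:{port}")
    return findings


def check_m365_dns(zone_text: str, domain: str) -> List[str]:
    """Run the SPF and SRV checks with the Microsoft 365 targets assumed below."""
    d = domain.rstrip(".").lower()
    records = parse_zone(zone_text)
    # Assumed Microsoft 365 targets (verify against your tenant's DNS setup page).
    expected_srv = {
        f"_sip._tls.{d}.": (443, "sipdir.online.lync.com."),
        f"_sipfederationtls._tcp.{d}.": (5061, "sipfed.online.lync.com."),
    }
    return check_spf(records, d, "spf.protection.outlook.com") + check_srv(records, expected_srv)


# Constructed zone fragment for a hypothetical tenant domain (not a real zone).
ZONE = """
example.com.                        3600 IN MX    0 example-com.mail.protection.outlook.com.
example.com.                        3600 IN TXT   "v=spf1 include:spf.protection.outlook.com -all"
autodiscover.example.com.           3600 IN CNAME autodiscover.outlook.com.
_sip._tls.example.com.              3600 IN SRV   100 1 443  sipdir.online.lync.com.
_sipfederationtls._tcp.example.com. 3600 IN SRV   100 1 5061 sipfed.online.lync.com.
"""

if __name__ == "__main__":
    print(check_m365_dns(ZONE, "example.com") or ["all checks passed"])
```

The parser deliberately raises on anything it does not understand rather than skipping it, so a record line the DNS host exported in an unexpected shape is surfaced instead of silently passing the check.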

NAS

A TFTP server is mandatory for working with non-cloud switching equipment: configuration backups, restores, and firmware upgrades. Running TFTP on a Windows or Linux desktop OS is very problematic. A Synology NAS has TFTP capabilities as well as a ton of other features. The NAS has Active Backup and Hyper Backup, which can be used to back up the VMs in your lab and your Office 365 tenant. Active Backup for M365 is included and is a great experience to set up.

BCDR skills are mandatory.

I see no better way to learn BCDR other than by doing it. Do not shortcut the size of the hard drives you put in the NAS. It is not worth it. You need lots of space to be able to fully utilize the NAS as your learning zone. Look at the price differences between hard drives. Do not get a smaller hard drive when a larger one would have cost $20 more.

Minimum NAS is DS218. The newer DS220+ is even better.

Suggest Seagate IronWolf Pro drives. Must use NAS rated hard drives. I suggest getting two of the 8 TB or larger hard drives as that will give you plenty of space to play with and they are quite affordable.

Priority recommendation

  1. NAS
  2. Domain/DNS/Office 365 tenant
  3. Network layer security appliance
  4. Layer 3 switch
  5. PowerEdge server

Learning resources

Learning server hardware notes

Tower style PowerEdge is cheaper than rack mount. We nearly always buy a rack mount so that it can be installed in a rack as that takes up less space and is easier to service.

You should assume 4 processor cores per server instance. So, if you run two VMs and a Hyper-V host, that is 3 x 4 cores, and you will need at least a 12-core single-processor server.

For RAM, assume at least 8 GB per instance; RAM cannot be over-allocated.

RAM must also be purchased in increments that work in that hardware. So 8 x 3 = 24 GB at a minimum; I would round up to 64 GB.

I would want to go with 2 x 2 TB hard drives on a PERC controller in RAID 1 at a minimum.

Each C: drive (host and VMs) will be 200 GB.

Then on the Host you need space on D: for the VMs, their cold copies, and other things like file services.

The price difference between 1 TB and 2 TB hard drives is so minimal that I would not limit it to 1 TB.

I put 1 TB hard drives in all laptops now and my team has 2 TB hard drives in laptops typically.

Then add iDRAC Enterprise.

Wireless learning

Good wireless design says that if you do more than 4 SSIDs on a single AP, you are going to have problems. Frankly, anything more than 2 is undesirable.

There are wireless design reasons for this which I won’t write a book about here. There are plenty of “wireless for dummies” resources available.

For security and management reasons, you need to have guests, separate from Chromebooks, separate from trusted wireless Windows laptops, etc.

So right there we are already at three SSIDs. Then you want to have different join policies for each. A guest network only works with a captive portal or you give everyone the PSK.

Chromebooks work best when they use certificate-based authentication to wireless. Chromebooks are cheap, and you can get your own Chrome OS management tenant for $50/yr and set up certificate-based wireless device authentication.

Windows laptops are most secure with RADIUS, which is again certificate-based authentication. You do not have to have on-premises Active Directory to have RADIUS, so do not get sucked into that misunderstanding. We now have Azure AD and other resources such as WatchGuard Fireboxes with WatchGuard Cloud, which can be a much more cost-effective and easy-to-use/manage MFA-enabled RADIUS server.

PSK is considered insecure and problematic for a lot of reasons.

I go for configs which do not push more than two SSIDs through a WAP. So that is 3 VLANs if you are doing static VLAN to SSID mapping. Only two of those are SSID related VLANs. The third is the WAP Management VLAN. Anything more simply results in bad wireless design.

It is preferable to have a single SSID that devices join and then get automatically redirected based upon policy and captive portal with dynamic VLAN assignment. A captive portal VLAN would add another VLAN, and you would need very specific security zone profile rules for it.

If you are doing dynamic VLAN assignment, you can push the required VLANs through to the AP, but you would never push management, OOBM, Tier0, Server, Printer, or similar VLANs through to an AP.

I would never do trunk all. There are many security issues with that.

So doing more than 3 wireless-related VLANs only makes sense if you are using dynamic VLAN assignment. You can only do that if you have a captive portal and the policies to support it. And you can only cost-effectively do that with an enterprise-grade cloud controller. An on-premises controller can be >$15,000, whereas the cloud controller comes with the subscription for the WAP.
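The SSID and VLAN rules above (and the access point requirements in the Networking list earlier) can be turned into a check against each AP-facing switch port before it goes live. The following Python is an added example, not the author's or any vendor's code: the VLAN ids, role labels, port names and the ApPort representation are constructed for the example, so map them onto however your switch exports its port configuration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Union

# Constructed VLAN inventory for the lab: VLAN id -> role label.
# The ids are made up for the example; the roles follow the design rules in the post.
VLAN_ROLES: Dict[int, str] = {
    10: "mgmt",              # switch / firewall management
    11: "oobm",              # out-of-band management
    20: "tier0",             # domain controllers, PKI and the like
    30: "server",
    40: "printer",
    50: "wap-mgmt",          # access point management VLAN (untagged on the AP port)
    100: "ssid-trusted",     # trusted Windows laptops (RADIUS, certificate auth)
    110: "ssid-chromebook",  # certificate-authenticated Chromebooks
    120: "ssid-guest",       # guest SSID behind a captive portal
    130: "captive-portal",   # landing VLAN before dynamic assignment
}

# Roles the post says are never pushed through to an access point.
NEVER_TO_AP = {"mgmt", "oobm", "tier0", "server", "printer"}
# With static SSID-to-VLAN mapping, at most two SSID VLANs per AP.
MAX_STATIC_SSID_VLANS = 2


@dataclass
class ApPort:
    """Switch port facing one access point (hypothetical representation)."""
    name: str
    untagged_vlan: Optional[int]
    tagged_vlans: Union[Set[int], str]   # set of VLAN ids, or "all" for trunk-all
    dynamic_vlan_assignment: bool = False
    captive_portal: bool = False


def check_ap_port(port: ApPort, roles: Dict[int, str] = VLAN_ROLES) -> List[str]:
    """Return policy findings for one AP port; an empty list means it passes."""
    findings: List[str] = []

    # "I would never do trunk all": reject before looking at anything else.
    if port.tagged_vlans == "all":
        return [f"{port.name}: trunk-all carries every VLAN to the AP"]

    # The untagged (native) VLAN on an AP port should be the WAP management VLAN.
    if port.untagged_vlan is None or roles.get(port.untagged_vlan) != "wap-mgmt":
        findings.append(f"{port.name}: untagged VLAN is not the WAP management VLAN")

    ssid_vlans: List[int] = []
    for vid in sorted(port.tagged_vlans):
        role = roles.get(vid)
        if role is None:
            findings.append(f"{port.name}: VLAN {vid} is not in the inventory")
        elif role in NEVER_TO_AP:
            findings.append(f"{port.name}: VLAN {vid} ({role}) must not reach an AP")
        elif role.startswith("ssid-"):
            ssid_vlans.append(vid)
        elif role == "captive-portal" and not port.captive_portal:
            findings.append(f"{port.name}: captive-portal VLAN {vid} tagged but no captive portal")

    # Dynamic VLAN assignment depends on a captive portal and its policies.
    if port.dynamic_vlan_assignment and not port.captive_portal:
        findings.append(f"{port.name}: dynamic VLAN assignment requires a captive portal")

    # More than two SSID VLANs only makes sense with dynamic assignment in place.
    if len(ssid_vlans) > MAX_STATIC_SSID_VLANS and not (
        port.dynamic_vlan_assignment and port.captive_portal
    ):
        findings.append(
            f"{port.name}: {len(ssid_vlans)} SSID VLANs on a static mapping "
            f"(max {MAX_STATIC_SSID_VLANS})"
        )
    return findings


# Constructed sample port configurations (EXOS-style port names, made up here).
GOOD_STATIC = ApPort("1:1", 50, {100, 120})
TRUNK_ALL = ApPort("1:2", 50, "all")
LEAKY = ApPort("1:3", 50, {100, 120, 30})             # server VLAN leaks to the AP
TOO_MANY_STATIC = ApPort("1:4", 50, {100, 110, 120})  # three SSIDs, static mapping
GOOD_DYNAMIC = ApPort("1:5", 50, {100, 110, 120, 130},
                      dynamic_vlan_assignment=True, captive_portal=True)

if __name__ == "__main__":
    for p in (GOOD_STATIC, TRUNK_ALL, LEAKY, TOO_MANY_STATIC, GOOD_DYNAMIC):
        print(p.name, check_ap_port(p) or ["OK"])
```

Running the sample set shows the two acceptable designs from the text passing (two static SSID VLANs plus the WAP management VLAN, or more SSID VLANs only with captive portal and dynamic assignment) and each of the three anti-patterns flagged with the rule it breaks.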

On switches

Read Switching Paradigms

People complain about the cost of real switching equipment. Even many people in the IT industry seem to like Meraki and Ubiquiti. I avoid those completely. I am interested in the total cost of ownership. The hardware expense at acquisition is not a big deal. What really matters is that you do not have preventable limitations and your TCO is low comparably. Anything that wastes my time is very expensive. Anything that is not fast, reliable, and efficient to use, program, upgrade, troubleshoot, and maintain is expensive or a security risk.

Network infrastructure must be rock solid. A next-business-day warranty or the lack of a GTAC contract on critical infrastructure is a non-starter. A 4-hour response time warranty and quality GTAC support are mandatory. The only time I need to call for support is when something ugly is happening, and I want high quality support to call and hardware with excellent diagnostics and visibility into what is going on.

This directly translates to value, lowered time to problem resolution, and lower cost to the client.

I recently heard from someone who was complaining about the price of a X440G2-12P-GE4 switch on eBay. It was $800. That is way below partner cost for a new switch. Of course, that does NOT include warranty, service contract, support, or access to firmware. But it is a high-quality switch. An alternative Netgear switch with only 10 ports with about half the functionality was $700. So, I don't see the contest here. Pay $100 more for something that is smoking good compared to something that you know you are going to find limitations in. And I don't believe a 4-hour response time warranty contract is available for the Netgear. I know it does not have the same kind of high end GTAC support that Extreme has, nor does it have the same kind of switch capabilities. So, is my time differential over the life span of the switch worth more than $100? Obviously yes.

The biggest and most expensive errors I have seen people make in IT over the last 29 years are in procurement. They procure the wrong things. They have no procurement policy and highly likely no standards. Usually no strategy. Instead, IT just buys whatever IT thinks is cheapest at that time.

If you are a CFO, be aware that your IT director may be bringing you things that have a high TCO only because they are selecting things that look cheap in terms of acquisition cost. This is quite common as a lot of IT directors in the SMB space have no enterprise experience and lack the ability to articulate the value proposition for something that looks more expensive at acquisition time but has a lower TCO.

The best way to protect yourself against these problems is to have an outsourced CISO like QPC Security who can work with your team to design standards and who should be part of the procurement approval process BEFORE purchases are made. The single most effective thing you can do to control costs is to have a procurement policy.

On cloud controllers for wireless

I really like wireless cloud controllers because you can economically get super high-grade functionality on even a single AP.

If you were to try to do captive portal, WIPS, dynamic VLAN assignment on a local controller scenario, you are looking at a floor of about $30,000 hardware, licensing, implementation.

That is not an SMB price. A lot of hospitals and school districts will choke on that price tag, so it does not get done. But I can get that level of functionality with a cloud controller on a single on-premises AP.

Cloud controllers have better, more accessible diagnostics and less to maintain. When implemented properly with a proper technology selection, they can be just as secure as on-premises controllers.

Role based access control with a cloud controller and enforced MFA for PAM is easier. Trying to do that with a local controller is very difficult. High security, high functionality WAPs are not inexpensive.

The MSRP on a WatchGuard AP325 with Total Wi-Fi for 3 years is $900. That would probably turn into the $780 range to purchase from a partner. And you would want a mounting wall plate for it. That is $20. Total Wi-Fi is the only thing I use in my environments. The AP325 is tied to the Arista Cloud, and the WIPS is excellent.

Another advantage of the cloud controller is the ability to set up templates and then deploy them to different tenants. For example, I can engineer a master template for all clients and then deploy that template into a subtenant, which makes onboarding faster. I can control settings higher up or let them be managed at the subtenant or even per-group level within a tenant.

So, if you had two buildings where you wanted different settings, you can easily do that in a cloud controller: same tenant, different groups. Or you can use the same settings for two different buildings, so that as your user base moves from one building to the other, they have a seamless experience. Trying to do that with a local controller is a lot harder. I do not like WatchGuard's Wi-Fi 6 technology and won't use it. We are switching to Extreme Cloud IQ Wi-Fi.