Blog

Ubiquiti UniFi Controller Management Software

Ubiquiti offers enterprise-class products at drastically reduced cost (compare, for example, the price of their offerings with those from Meraki or Meru).

What is the Ubiquiti Controller?

Before you install any components you need to know about the UniFi Controller. It is the management software used to organize and configure one's network.

The controller is a free download for Windows, Mac, and Linux, or you can buy a Cloud Key, a small appliance that runs it. The software requires the Java Runtime Environment and is operated through a web browser.

You can run the controller on a management station (computer or server) at the location of the network, or host it in the cloud.

Moving Between Controllers

  1. Log into the current controller.
  2. Go to Settings –> Site.
  3. Under Device Authentication, make sure you have set (and know) the SSH username/password the controller pushes to adopted devices; you will need these if any device has to be re-adopted by the new controller.
  4. Go to Settings –> Maintenance.
  5. Download a backup. The backup file contains the full site configuration, including those device credentials, so store and transfer it as you would any other secret.
  6. Close the controller window in the browser.
  7. Right-click the UniFi Controller app and choose Quit.
  8. Log into the new controller.
  9. Go to Settings –> Maintenance.
  10. Choose Restore and select the backup file you just created.
  11. “Working Please Wait” appears on the screen, indicating the controller is applying the backup and restarting. For me, this never seemed to go away, but I was able to open a new instance of the controller web GUI without incident.

Building Security

Resources on Building Security

If you are interested in securing physical buildings, this post is for you. I’ve assembled a few terms, a lot of vendors, and notes on their offerings, with some resources at the end of the article for further exploration.

Some Basic Things to Note

  • Building Security can cover a number of technologies including:
    • Access Control – Who can get in and out of the building, through which doors, and when.
    • Intrusion Detection – Notifications when the building has been breached – e.g., a door has been forced open or a window has been smashed.
    • Cameras – Indoors and outdoors.

Vendors

  • Allegion
    • One of their brands appears to be Schlage.
    • Their consumer site is easier to navigate, but doesn’t include the advanced features needed for commercial use.
    • Their Schlage AD networked (wireless) locks appear to cost around $1k each. They are meant for doors with a regular handle, not the kind usually found on exterior entrances.
    • Also offers a line called ENGAGE.
  • ASSA ABLOY
    • Sargent Lock – Options don’t appear as robust as SALTO.
    • Yale Locks & Hardware
    • Under their own name offer PROTEC2 CLIQ, which appears to allow for programmable keys to be used with mechanical locks.
    • Also under their own name is Aperio, a wireless lock solution. It appears to be used as an integration into existing access control (AC) systems rather than as a standalone system.
  • Bosch Security
    • Offers the AMC2 for 1-8 doors. Expansion cards add doors beyond that; each card handles another eight or sixteen doors, depending on the model.
    • Offer a number of different types of card readers including proximity and biometric.
    • Their Access Professional software can manage up to 10k records.
    • Also has the Access Easy Control System which appears to be quite scalable.
    • Concluding Thought: Could be more IP / wireless / smartphone / etc. based.
  • Cloudastructure
    • An Access Control solution as a service, also provides video.
    • Pricing for access control is per door. Without a contract this is $16.50/mo. when paid annually.
    • Hardware costs $349/door without a BBU (battery backup unit), or $699/door with one.
    • You don’t have to use their cloud surveillance service with cameras, but if you choose to do so cost is $20.75/mo. per camera when paid annually.
    • Supports any readers that output in the Wiegand format.
    • Equipment is guaranteed for life.
  • CPI Security
    • Looks interesting, offers home and business systems.
  • Genetec
    • Impressive series of solutions.
    • Supports ASSA, SALTO, and Allegion locks (all provide wireless options).
  • Honeywell
  • IDenticard
    • Offers the PremiSys Access Control System
      • PremiSys LT – up to 8 doors.
      • PremiSys – up to 40 doors.
      • PremiSys Pro – unlimited doors.
        • Pricing on the site indicates cost is $3,495 for a single network license.
    • PremiSys includes smartphone access.
    • There is also a PremiSys NDE option which integrates with Schlage (Allegion’s) NDE locks.
  • Johnson Controls
    • Merging with Tyco.
  • Keri Systems
    • NXT System – Hardware, integrates directly with existing IP network.
      • PXL-500 is their legacy system.
    • Doors.NET – Software, written using .NET Framework and SQL Server.
      • Doors 32 is their legacy system. It is available as a free download.
    • Also has other solutions – e.g., telephone based access control, single door controller.
  • Keyscan Access Control Systems
  • Lenel
    • Offers integrated solutions for access control (OnGuard), video (Prism, Lenel NVR), intrusion, and fire.
    •  OnGuard
      • Has a self-service component allowing individuals to easily request new clearances.
  • ProdataKey (PDK)
    • Offers a wireless mesh access control system.
    • Requires an appliance (virtual or physical) that acts as the brains of the system.
    • One can purchase single- or eight-door controllers, which communicate back to the central appliance.
    • Gateways allow for connecting multiple buildings.
    • They also sell repeaters to strengthen signal.
  • S2 Security
    • Offers Access Control Systems as well as Video Systems.
    • Access Control Systems
      • S2 NetBox – For up to 32 portals.
      • S2 NetBox Extreme – For up to 128 portals.
        • Has the ability to oversee multiple locations.
      • S2 NetBox Enterprise – For up to 7,000 portals, available in an HA configuration.
      • Also S2 Global.
      • Difficult to find pricing.
  • SALTO Systems
    • Offers several innovative product lines, integrates with Tyco’s Software House.
    • Biggest downside is that while a smartphone can be used as the credential, one has to launch and interact with an app to use it.
    • Another (possible) downside is that it uses the ZigBee protocol. This means lower energy consumption for the wireless devices, but also that it has to maintain its own radio network alongside the Wi-Fi network.
  • Tyco Security Products
    • CEM Systems – Sells the AC2000 series.
    • Kantech – Offers “starter kits” that come prepackaged with necessary equipment.
      • Each enclosure controls 8-12 doors.
    • Software House
      • C•CURE is their overall system, integrating access control, security, and video.
      • iSTAR Ultra Door Controller – Controls up to 32 doors.
  • Vanderbilt Industries
    • Access Control Systems
      • lite blue – 2-8 door.
      • bright blue – 32 door.
      • SMS
    • Also carries security video.
  • Viscount Systems
    • Access Control Systems
      • Supposed to be “IT-centric”, doesn’t require “control panels.”
      • Allows for smartphone authentication.
      • This company looks fairly amazing, but what is the pricing?

Other Vendors

Resources

Storage Area Networks (SANs)

General Concepts

  • iSCSI carries SCSI commands over TCP/IP.
  • The clients reading from an iSCSI SAN are called initiators.
  • The chunks of storage an iSCSI SAN presents to clients are called targets. One SAN can have multiple targets.
  • iSCSI is usually seen as a competitor to Fibre Channel (FC), which requires dedicated (and pricey) FC adapters and switching. iSCSI runs over regular networks (Ethernet cabling and switches).
  • An iSCSI initiator can be software or hardware. Either way the traffic crosses the network; the difference is whether the regular network adapter is used or a dedicated host bus adapter (HBA), essentially a network adapter that processes iSCSI commands in hardware and so offloads that work from the initiator’s CPU.
  • A LUN (logical unit number) is a portion of a target that can be addressed individually.
  • Ports Utilized: TCP 3260 (the port nearly every target listens on) and TCP 860.
  • The most common way to address a target is by its iSCSI Qualified Name (IQN); Extended Unique Identifier (EUI) and T11 Network Address Authority (NAA) names are sometimes used.
  • Internet Storage Name Service (iSNS) is a sort of DNS that iSCSI initiators can use to discover targets.
  • iSCSI traffic is neither encrypted nor strongly authenticated by default: CHAP is the only built-in authentication, so keep initiator/target traffic on a dedicated storage VLAN that is not routed to client networks.
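The naming and port details above are what you need when auditing what a host has actually discovered. As an added example (not code from this page or from any SAN vendor), the Python below parses the `<ip>:<port>,<tpgt> <target name>` records that `iscsiadm -m discovery -t sendtargets` prints, validates each target name as IQN, EUI or NAA, lists the distinct portals so they can be compared against the storage VLAN’s address plan, and flags portals on non-standard ports. The sample records are constructed, not captured from a real SAN.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# IANA-assigned iSCSI TCP ports; 3260 is what nearly every target actually listens on.
ISCSI_PORTS = {860, 3260}

# iqn.<yyyy>-<mm>.<reversed naming authority>[:<unique string>]
IQN_RE = re.compile(
    r"^iqn\.(\d{4})-(\d{2})"
    r"\.([a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*)"
    r"(?::(.+))?$"
)
EUI_RE = re.compile(r"^eui\.[0-9a-fA-F]{16}$")                      # IEEE EUI-64
NAA_RE = re.compile(r"^naa\.(?:[0-9a-fA-F]{16}|[0-9a-fA-F]{32})$")  # T11 NAA, 64- or 128-bit

# One record of `iscsiadm -m discovery -t sendtargets` output: <ip>:<port>,<tpgt> <target name>
RECORD_RE = re.compile(r"^(\[[0-9a-fA-F:.]+\]|[0-9.]+):(\d{1,5}),(\d+)\s+(\S+)$")


@dataclass
class TargetRecord:
    portal_ip: str
    portal_port: int
    tpgt: int              # target portal group tag
    name: str
    name_type: str         # "iqn", "eui" or "naa"
    notes: List[str] = field(default_factory=list)


def classify_target_name(name: str) -> Optional[str]:
    """Return the name format of a syntactically valid iSCSI name, or None."""
    m = IQN_RE.match(name)
    if m:
        return "iqn" if 1 <= int(m.group(2)) <= 12 else None
    if EUI_RE.match(name):
        return "eui"
    if NAA_RE.match(name):
        return "naa"
    return None


def parse_discovery_line(line: str) -> TargetRecord:
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a discovery record: {line!r}")
    ip, port, tpgt, name = m.group(1).strip("[]"), int(m.group(2)), int(m.group(3)), m.group(4)
    if not 0 < port < 65536:
        raise ValueError(f"invalid port in record: {line!r}")
    name_type = classify_target_name(name)
    if name_type is None:
        raise ValueError(f"malformed target name: {name!r}")
    rec = TargetRecord(ip, port, tpgt, name, name_type)
    if port not in ISCSI_PORTS:
        rec.notes.append(f"non-standard iSCSI port {port}")
    return rec


def parse_discovery_output(text: str) -> List[TargetRecord]:
    return [parse_discovery_line(line) for line in text.splitlines() if line.strip()]


def portals(records: List[TargetRecord]) -> List[str]:
    """Distinct portals, the thing to compare against the storage VLAN's address plan."""
    return sorted({f"{r.portal_ip}:{r.portal_port}" for r in records})


# Constructed sample output, not captured from a real SAN.
SAMPLE = """\
192.168.50.10:3260,1 iqn.2016-05.com.example:storage.vm-lun1
192.168.50.10:3260,1 iqn.2016-05.com.example:storage.vm-lun2
[fd00:50::10]:3260,2 eui.02004567a425678d
10.0.0.5:3261,1 naa.60a98000317a4d4f
"""

if __name__ == "__main__":
    records = parse_discovery_output(SAMPLE)
    for rec in records:
        print(rec)
    print(portals(records))
```

A portal that is not on the storage VLAN, or a target listening on an unexpected port, is the kind of thing this check surfaces before an initiator is pointed at it.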

iSCSI SANs

  • Dell
    • Offers three series: SC, MD, and EqualLogic PS.
    • The SC Series is based on Dell’s acquisition of Compellent.

Switches

  • Brocade
  • Cisco
  • Emulex
  • QLogic

Connectors

  • SC Connector
  • LC Connector

Fiber

  • Single Mode
  • Multi Mode

Host Bus Adapter (HBA)

Software

  • Openfiler
  • metaSAN
  • XSan
  • StorNext
  • Red Hat GFS
  • VMWare VMFS
  • QFS

Metadata

Resources

  • Derrick Wlodarz. Windows Storage Spaces and ReFS: Is It Time to Ditch RAID for Good? BetaNews, 2014.

For Post-Production

Video Storage Companies/Product Lines

  • Apace Systems
    • Offers the vStor and eStor lines.
    • Pricing wasn’t available from B&H or CDW as of 5/20/16.
  • Avid
    • Offers NEXIS and ISIS lines of storage, with ISIS apparently being focused more on media storage.
    • B&H pricing as of 5/20/16:
      • Avid ISIS 1000 w/20TB (2x SSD) – $13,995.
  • dotHILL
    • This is a Seagate company, product line is AssuredSAN.
    • Pricing was unavailable for B&H as of 5/20/16.
    • Only one unit had pricing associated on CDW as of 5/20/16:
      • AssuredSAN (4000) Ultra56 J6G56 3/336 TB (56x HDD) – $119,523.
  • Dynamic Drive Pool
    • Pricing was unavailable from B&H or CDW as of 5/20/16.
    • Appears they have to be bought through a reseller; in the U.S. that is CineSys-Oceana.
  • EditShare
    • Offers XStream product line.
    • Appears units are only available directly from EditShare.
  • Facilis
    • Offers the Terrablock product line.
    • Appears units are only available directly through Facilis.
  • Grass Valley
    • K2
    • Appears the units must be bought through Grass Valley or one of their resellers/integrators/distributors.
  • Maxx Digital
    • ActiveRAID
  • Promax Platform
  • Promise
    • VTrak A-Class
  • Small Tree
    • GraniteSTOR
  • Studio Network Solutions
    • EVO is their shared storage workflow server which offers hybrid storage (SAN and NAS).
    • Includes ShareBrowser, a file/project/asset management interface designed for collaborative media teams.
    • B&H pricing as of 5/20/16:
      • EVO 16 Bay Base Media Server w/12TB (iSCSI) – $36,999.
      • EVO 8 Bay Shared Media Storage Server w/48 TB – $17,995.
    • CDW pricing as of 5/20/16:
      • EVO Prodigy w/4 TB – $8,185.
  • Tiger Technology
    • Product line is called Tigerbox.
    • No pricing is available on either CDW or B&H as of 5/20/16.
  • Other World Computers (OWC)
    • Offers several different product lines; the enterprise level is primarily the Jupiter line (Kore and Callisto).
    • B&H has pricing on some of OWC’s products, but OWC also lists prices right on their own site.
    • They also have a more corporate site, OWC Digital, that focuses on describing the products.
    • Prices on MacSales (OWC) as of 5/20/16:
      • Callisto 8-Bay w/16 TB – $4,988.
      • Kore 8-Bay w/16 TB – $3,288.
      • Callisto 8-Bay w/24 TB – $6,288.
      • Callisto 8-Bay w/32 TB – $7,188.
      • Callisto 8-Bay w/48 TB – $11,988.
      • Callisto 8-Bay w/64 TB – $13,888.
      • Kore 8-Bay w/64 TB – $10,988.
      • Callisto 16-Bay w/32 TB – $8,588.
      • Kore 16-Bay w/32 TB – $5,428.
      • Callisto 16-Bay w/48 TB – $10,788.
      • Callisto 16-Bay w/64 TB – $11,988.
      • Callisto 16-Bay w/96 TB – $20,888.
      • Callisto 16-Bay w/128 TB – $25,588.
      • Kore 16-Bay w/128 TB – $20,388.

Resources

Media Storage

General

Switches

Types of Switches

Features of Switches

  • Management Interface
    • Browser
    • CLI
  • Cable Diagnostics
  • QoS (Quality of Service)
  • EEE (Energy Efficient Ethernet)
  • PoE (Power over Ethernet)
    • 802.3af – Power up to 15.4 Watts/port.
    • 802.3at (PoE+) – Power up to 30 Watts/port.
  • SNMP (Simple Network Management Protocol)
  • RMON (Remote Network Monitoring)
  • VLANs
  • 802.1x (Endpoint Authentication)
  • ACLs (Access Control Lists)
    • Flexible Dropping
    • Rate Limiting
    • Mirroring
    • Logging by various factors (L2, L3, TCP/UDP port nums., etc.)
  • 802.1q/TOS/DSCP
  • L2 Switching
  • L3 IP Routing
  • Network Storm Control
  • DoS (Denial of Service) Protection
    • Dynamic ARP Inspection
    • IPv4 DHCP Snooping
    • IPv6 First Hop Security w/RA Guard
    • ND Inspection
    • Neighbor Binding Integrity
  • Control Plane Policing (CoPP)
  • 802.1x
  • VRRP (Virtual Router Redundancy Protocol)
  • Link Aggregation
  • Spanning Tree Root Guard
  • BPDU Guard
  • IGMP and MLD Snooping
  • Querier functions for optimizing IPv4/v6 multicast traffic
  • TCP Congestion Avoidance
  • 4 or 8 Queues to Treat Traffic Differently by Importance
  • Setting / Tagging Traffic by L2 (802.1p) or L3 (DSCP/TOS)
  • Rate Limiting Traffic
  • Device Discovery
    • CDP
    • LLDP
    • Bonjour
  • Troubleshooting
    • VLAN Monitoring
    • Port Monitoring
    • Traceroute
    • Ping
    • Syslog
    • Cable Diagnostics
    • RMON
  • Unicast
  • Multicast
  • Netflow/SFlow
  • MPLS/VRF Support
  • Speed
    • Fast Ethernet (10/100 Mbps)
    • Gigabit Ethernet (10/100/1000 Mbps)
    • Ten Gigabit (10/100/1000/10000 Mbps)
  • Downlink Ports – Connect to end users.
  • Uplink Ports – Connect to switches and other network infrastructure.
  • Number of Ports – Typically 5, 8, 10, 16, 24, 28, 48, 52.
  • Type of Ports
    • Copper / RJ-45: 100 meters.
    • Fiber SFP: depends on the optic; short-reach multimode optics cover a few hundred meters, long-reach single-mode optics reach on the order of 10 to 40 kilometers.
  • Static Routing
  • Policy Based Routing
  • ANSI/TIA-1057: LLDP-Media Endpoint Discovery (MED)
  • IEEE 802.1AB: Link Layer Discovery Protocol (LLDP)
  • IEEE 802.1Q: Virtual LANs with Port-Based VLANs
  • IEEE 802.1p: Ethernet Priority with User Provisioning and Mapping.
  • IEEE 802.3: 10BASE-T
  • IEEE 802.3u: 100BASE-T
  • IEEE 802.3ab: 1000BASE-T
  • IEEE 802.1ak: Virtual Bridged Local Area Networks – Amendment 07: Multiple Registration Protocol
  • IEEE 802.3ac: VLAN Tagging
  • IEEE 802.3ad: Link Aggregation
  • IEEE 802.3x: Flow Control
  • IEEE 802.1D-2004: Generic Attribute Registration Protocol: Clause 12 (GARP)
  • IEEE 802.1D-2004: Dynamic L2 Multicast Registration: Clause 10 (GMRP)
  • IEEE 802.1Q-2003: Dynamic VLAN Registration: Clause 11.2 (GVRP)
  • RFC 4541: Considerations for Internet Group Management Protocol (IGMP) Snooping Switches
  • RFC 5171: Unidirectional Link Detection (UDLD) Protocol
  • Broadcast Storm Recovery
  • Broadcast/Multicast/Unknown Unicast Storm Recovery
  • IGMP Snooping Querier
  • Independent VLAN Learning (IVL) Support
  • Jumbo Ethernet Frame Support
  • Port MAC Locking
  • Port Mirroring
  • Protected Ports
  • Static MAC Filtering
  • Voice VLANs
  • Unauthenticated VLAN
  • Internal 802.1X Authentication Server
  • DHCP Server
  • Routing
  • MAC Addresses
  • MSTP Instances
  • LAGS
  • ACLs
  • Traffic Classes (Queues)
  • RFC 2021: Remote Network Monitoring Management Information Base V2
  • RFC 2030: Simple Network Time Protocol (SNTP)
  • RFC 2819: Remote Network Monitoring Management Information Base
  • RFC 2865: RADIUS Client
  • RFC 2866: RADIUS Accounting
  • RFC 2868: RADIUS Attributes for Tunnel Protocol Support
  • RFC 2869: RADIUS Extensions
  • RFC 3579: RADIUS Support for EAP
  • RFC 3580: IEEE 802.1X RADIUS Usage Guidelines
  • RFC 3164: BSD Syslog Protocol
  • SNMP v1, v2, v3 – v1 and v2c authenticate with plaintext community strings; for management use v3 with authentication and privacy (authPriv) and disable the older versions.
  • SSH 1.5, 2.0 – SSH 1.x is obsolete and insecure; check that the switch can be restricted to SSHv2 only.
  • SSL 3.0, TLS 1.0 – Both are deprecated; check that the web UI can be restricted to TLS 1.2 or later.
  • Secure Copy (SCP)

Spanning Tree Protocol (STP)

  • Spanning Tree Protocol (STP, IEEE 802.1D)
  • Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) – Enhances base STP with much faster convergence after a topology change.
  • Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) – Provides a way to run multiple spanning trees for groups of VLANs while reducing the compute power required compared to one tree per VLAN.

Resources

Virtual LAN (VLAN)

  • Private VLAN
  • Voice VLAN

Link Aggregation (LAG)

  • Allows multiple physical links to be logically combined into a single connection. The connection keeps operating (at reduced capacity) if one or more of the physical links fail.
  • Split Multi-Link Trunking (SMLT) – Allows the aggregated ports to be split across multiple physical switches, so the link also survives the failure of a whole switch.
  • Routed-SMLT (RSMLT) – Extends SMLT with Layer 3 redundancy, so routing continues through the surviving switch.

Resources

Quality of Service (QoS)

  • Differentiated Services (DiffServ).
  • Class of Service (CoS).

Access Control Lists

  • Time-Based
  • Source/Destination IP
  • TCP/UDP Source/Destination Port
  • IP Protocol Type
  • Type of Service (ToS)
  • Differentiated Services (DSCP)
  • Source/Destination MAC Address
  • EtherType
  • IEEE 802.1p User Priority
  • VLAN ID
  • RFC 1858: Security Considerations for IP Fragment Filtering.
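The criteria above are what a rule matches on; RFC 1858 is about what a packet filter has to do before matching, because an IP fragment at a non-zero offset carries no TCP/UDP header to match against, and a crafted pair of fragments can slip a TCP header past a port-based rule. The following Python is an added example, not the page’s or any vendor’s implementation: a first-match ACL with an implicit deny, whose rules match on source/destination network, IP protocol, destination port range and DSCP, plus the two RFC 1858 checks (tiny first fragment, fragment at offset 1) run before the rules. The addresses, the rule set and the 16-octet first-fragment threshold are assumptions chosen for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

TCP, UDP, ICMP = 6, 17, 1

# Assumed threshold for this example: the TCP flags byte is octet 13 of the header,
# so a first fragment shorter than this cannot even be inspected for SYN/ACK.
MIN_TCP_FIRST_FRAGMENT = 16


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None
    dscp: int = 0
    frag_offset: int = 0      # IP fragment offset, in 8-octet units, as in the IP header
    transport_len: int = 20   # octets of transport header/payload present in this fragment


@dataclass
class Rule:
    action: str                              # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[int] = None
    dport: Optional[Tuple[int, int]] = None  # inclusive destination port range
    dscp: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dscp is not None and p.dscp != self.dscp:
            return False
        if self.dport is not None:
            # A non-initial fragment carries no L4 header, so a port criterion can never match it.
            if p.frag_offset != 0 or p.dport is None:
                return False
            lo, hi = self.dport
            if not lo <= p.dport <= hi:
                return False
        return True


def rfc1858_fragment_check(p: Packet) -> Optional[str]:
    """Return a drop reason for fragments that could smuggle a TCP header past the ACL."""
    if p.proto != TCP:
        return None
    if p.frag_offset == 0 and p.transport_len < MIN_TCP_FIRST_FRAGMENT:
        return "tiny first fragment (RFC 1858)"
    if p.frag_offset == 1:
        return "fragment at offset 1 could overwrite the TCP header (RFC 1858)"
    return None


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First-match evaluation with an implicit deny, after the fragment sanity checks."""
    reason = rfc1858_fragment_check(p)
    if reason:
        return "deny", reason
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, f"rule {i}"
    return "deny", "implicit deny"


# Constructed policy with made-up addresses: HTTPS to one server from anywhere,
# ICMP and internal-to-internal traffic from 10/8, telnet denied everywhere.
RULES = [
    Rule("permit", dst="10.0.1.10/32", proto=TCP, dport=(443, 443)),
    Rule("permit", src="10.0.0.0/8", proto=ICMP),
    Rule("deny", proto=TCP, dport=(23, 23)),
    Rule("permit", src="10.0.0.0/8", dst="10.0.0.0/8"),
]

if __name__ == "__main__":
    samples = [
        Packet("192.0.2.7", "10.0.1.10", TCP, 51000, 443),
        Packet("10.1.1.1", "10.0.1.10", TCP, 51000, 23),
        Packet("192.0.2.7", "10.0.1.10", TCP, 51000, 443, transport_len=8),
        Packet("192.0.2.7", "10.0.1.10", TCP, frag_offset=1, transport_len=8),
        Packet("192.0.2.7", "10.0.1.10", TCP, frag_offset=3, transport_len=500),
    ]
    for pkt in samples:
        print(pkt.src, "->", pkt.dst, evaluate(RULES, pkt))
```

The last sample shows the practical consequence of the fragment rule: a legitimate non-initial fragment from outside the 10/8 range falls through to the implicit deny, because nothing port-based can match it. A real ACL needs an explicit decision about non-initial fragments rather than leaving that to chance.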

Authentication

  • TACACS+ / RADIUS
  • PPP (Point-to-Point Protocol) – Offers a way to authenticate a user (originally via PAP or CHAP).
  • EAP (Extensible Authentication Protocol) – Extends the authentication methods available via PPP.
  • IEEE 802.1X – Carries EAP over a LAN (EAPOL) without the use of PPP.
    • Supplicant – Client requesting authentication.
    • Authentication Server – Performs the authentication (typically a RADIUS server).
    • Authenticator – The device the supplicant connects to (e.g., a WAP or switch); it relays EAP between the supplicant and the authentication server and opens the port only on success.
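Between the authenticator and the authentication server the protocol is normally RADIUS (RFC 2865, listed in the switch feature checklist above). As an added example, not code from this page or from any vendor, the Python below models the Access-Request/Access-Accept exchange: the User-Password hiding of RFC 2865 section 5.2, the Response Authenticator the server computes over the reply, and the check a client must perform before trusting that reply. The shared secret, username and password are made-up values.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks; each block is XORed with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    pad = 16 if not password else (-len(password)) % 16
    padded = password + b"\x00" * pad
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block  # chaining: the next mask depends on the previous ciphertext block
    return out


def decode_user_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same transform; trailing NUL padding is stripped."""
    if not encoded or len(encoded) % 16:
        raise ValueError("encoded User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + authenticator + attrs


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes,
                         request_auth: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """The Request Authenticator must be unpredictable; the client keeps it to check the reply."""
    ra = request_auth if request_auth is not None else os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, encode_user_password(password, secret, ra)))
    return build_packet(ACCESS_REQUEST, ident, ra, attrs), ra


def response_authenticator(code: int, ident: int, request_auth: bytes, attrs: bytes,
                           secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, attrs, secret)
    return build_packet(ACCESS_ACCEPT, ident, auth, attrs)


def verify_response(packet: bytes, request_auth: bytes, secret: bytes,
                    expected_ident: Optional[int] = None) -> bool:
    """Client-side check: a reply is trusted only if its Response Authenticator matches our request."""
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or (expected_ident is not None and ident != expected_ident):
        return False
    expected = response_authenticator(code, ident, request_auth, packet[HEADER_LEN:], secret)
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)


def demo() -> Tuple[bool, bool]:
    """Round trip with made-up credentials; a wrong secret on either side fails verification."""
    secret = b"switch01-radius-shared-secret"  # hypothetical value
    request, ra = build_access_request(7, b"alice", b"p4ssw0rd", secret)
    accept = build_access_accept(7, ra, secret)
    return verify_response(accept, ra, secret, 7), verify_response(accept, ra, b"wrong-secret", 7)


if __name__ == "__main__":
    print(demo())
```

Note what is and is not protected here. The reply is bound to the request and the shared secret, so a forged Access-Accept fails `verify_response`. The Access-Request itself, however, carries no integrity protection of its own; only a Message-Authenticator attribute (RFC 3579, also in the checklist above) adds that, which is why EAP over RADIUS requires it and why the shared secret should be long and random rather than a short word.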

Resources

  • Joel Snyder. What is 802.1X? Network World, 2010. – Solid overview, explains 802.1X as well as PPP and EAP.

Network Switch Companies

Bibliography / Further Reading

  1. [1] Also known as lightly managed switches.

Firewalls

This document provides some resources on firewalls including terms, features to look for, and vendors.

Terms Not Defined Elsewhere

  • Stateful Firewall – Tracks the state of connections (layer 3/4) and filters each packet in that context, rather than inspecting packets in isolation.
  • Next Generation Firewall – Adds application-layer (layer 7) awareness, typically with integrated IPS and identity-based policy.

Vendors

  • Astaro
  • Check Point Software
  • Cisco Systems
    • Meraki
  • Fortinet
  • Juniper Networks
  • McAfee
  • Palo Alto Networks
  • SonicWALL

Features to Look For

  • VLAN Support – Ability to create VLANs to separate traffic.
    • Ubiquiti UniFi Security Gateway – Supports.
    • Meraki MX400 Security Appliance
  • IPSec VPN Support – Allows remote clients to establish a VPN connection to the network.
    • Meraki MX400 Security Appliance – Supports.
  • Site-to-Site Virtual Private Network (VPN) Support – Ability to create a VPN between two sites.
    • Ubiquiti UniFi Security Gateway – Supports.
    • Meraki MX400 Security Appliance – Supports.
  • Quality of Service (QoS) Support – Ability to prioritize some network traffic over other types of traffic.
  • Ports – How many ports will you need incoming and outgoing? Of what type?
    • Ubiquiti UniFi Security Gateway
      • 2x 1Gb RJ45 ports, 2x 1Gb RJ45/SFP Combination Ports.
      • 1x RJ45 Serial Port (Console).
    • Meraki MX400
      • 12x GbE.
      • 8x GbE (SFP).
      • 2x 10 GbE (SFP+).
  • Layer 3 Forwarding Performance
    • Ubiquiti UniFi Security Gateway
      • Packet Size of 64 Bytes – 2,400,000 pps.
      • Packet Size of 512 Bytes or Larger – 4 Gbps (Line Rate).
  • Processors/Memory/Storage
    • Ubiquiti Unifi Security Gateway
      • Dual-Core 1 GHz, MIPS64 w/Hardware Acceleration for Packet Processing.
      • 2 GB DDR3 RAM.
      • 4 GB Flash Storage.
  • Redundant Power
  • 3G/4G Modem Support
  • Recommended Maximum Clients
    • Meraki MX400 Security Appliance – 2,000.
  • Stateful Firewall Throughput
    • Meraki MX400 Security Appliance – 1 Gbps.
  • Advanced Security Throughput
    • MX400 – 1 Gbps
  • Maximum VPN Sessions
    • MX400 – 1,000
  • Layer 7 Application Type Filtering – Ability to filter traffic at the application level – e.g., P2P, video games, etc.
    • Meraki MX400 Security Appliance – Supports.
    • Ubiquiti Unifi Security Gateway
  • Content Filtering
    • Meraki MX400 Security Appliance – Supports.
  • Intrusion Prevention (IPS)
    • Meraki MX400 Security Appliance – Uses a PCI-compliant IPS built on the Snort signature database from Cisco Sourcefire.
  • Antivirus / Antiphishing
    • Meraki MX400 Security Appliance – Uses Kaspersky.
  • Identity Based Security Policies and Application Management
    • Meraki MX400 Security Appliance – Supports.
  • Branch Gateway Services
    • DHCP
    • NAT
  • Web Caching – Cache frequently accessed content.
  • Load Balancing – Distributes traffic across multiple ISP links so they act as a single, higher-capacity connection.
  • Warranty

Comparisons


Further Resources

Windows 10

We will only be looking at Windows 10 Pro and Enterprise.

Common Features

  • Customizable Start Menu
  • Windows Defender
  • Windows Firewall
  • Hiberboot
  • InstantGo
  • TPM Support
  • Battery Saver
  • Cortana
  • Hello
  • Virtual Desktops
  • Snap Assist
  • Snap Apps
  • Switch from PC to Tablet Mode
  • Switch from Mobile to PC Mode
  • Edge
  • Domain Join
  • Group Policy Management
  • Enterprise Mode Internet Explorer (EMIE)
  • Assigned Access
  • Remote Desktop
  • Client Hyper-V
  • Side-loading of Business Apps
  • Mobile Device Management
  • Ability to Join Azure Active Directory with SSO to Cloud-Hosted Apps
  • Add User State Roaming with Azure Active Directory
  • Windows Store for Business
  • Dynamic Provisioning
  • Passport
  • Device Encryption
  • Enterprise Data Protection
  • BitLocker
  • Trusted Boot
  • Conditional Access
  • Windows Update for Business
  • Current Branch for Business

Features of Enterprise

  • DirectAccess – Always-on remote access for domain-joined machines without a traditional VPN client.
  • Windows To Go Creator – Builds a Windows To Go workspace that boots from a USB drive.
  • AppLocker – Allow/deny lists for applications by publisher, path, or file hash.
  • BranchCache – Caching of content for branch offices connected over a WAN.
  • Start Screen Control with Group Policy
  • Advanced Granular UX Control
  • Credential Guard – Uses virtualization-based security to isolate domain credentials (such as NTLM hashes and Kerberos tickets) from the rest of the OS.
  • Device Guard – Code integrity policies, enforced with virtualization-based security, so that only trusted code can run.
  • Long Term Servicing Branch

Further Reading

Microsoft Desktop Optimization Pack (MDOP)

Components

  • Application Virtualization (App-V)
  • User Experience Virtualization (UE-V)
  • BitLocker Administration and Monitoring (MBAM)
  • Advanced Group Policy Management (AGPM)
  • Diagnostic and Recovery Toolkit (DaRT)
  • Enterprise Desktop Virtualization (MED-V)

Resources

Do We Really Need to Worry About Security?

Sometimes businesses don’t take security seriously. Here are a few articles that might help you change your employer’s mind:

Somebody Was Being Funny…

At one point, while working with Microsoft Data Protection Manager I came across the following humorous quote – unfortunately I don’t have the source. Enjoy!

“When asked how to find out who owns an application running on some physical or virtual server, or to know whether anyone is using the server, the simple answer is to just unplug the server from the network or pause the virtual guest session. If someone is using the application, you will hear from that person pretty quickly. There are obviously more elegant ways to identify application ownership and usage monitoring access to the system, even by sending a message out to query the organization if anyone knows who is administering, managing, or using an application. However, there comes a point where the disconnect/pause message returns a much faster approach.”