Re: Recommended wireless AP for 400 users office

2015-02-04 Thread Paul Nash
> I love the built-in remote packet captures, 

You, the NSA, and lots and lots of hackers, ALL love the remote packet capture. 
 If Meraki support can turn it on, so can someone who penetrates their systems 
(by getting a job there or by hacking), and then they get to see everything 
happening INSIDE your network.  Not just your WAN traffic, which would be bad 
enough.

paul

Re: Recommended wireless AP for 400 users office

2015-02-04 Thread Ray Soucy
Honestly, in a lot of cases you don't even need a device to support
packet capture as a feature to add it as a feature once it's
compromised.  This is just FUD IMHO.

On Wed, Feb 4, 2015 at 7:24 AM, Paul Nash  wrote:
>> I love the built-in remote packet captures,
>
> You, the NSA, and lots and lots of hackers, ALL love the remote packet 
> capture.  If Meraki support can turn it on, so can someone who penetrates 
> their systems (by getting a job there or by hacking), and then they get to 
> see everything happening INSIDE your network.  Not just your WAN traffic, 
> which would be bad enough.
>
> paul



-- 
Ray Patrick Soucy
Network Engineer
University of Maine System

T: 207-561-3526
F: 207-561-3531

MaineREN, Maine's Research and Education Network
www.maineren.net


Re: Recommended wireless AP for 400 users office

2015-02-04 Thread Paul Nash
It’s the “remote capture” that scares me.

I was testing some Meraki kit, called their NOC to try to debug some Radius 
issues, tech tells me “oh yes, I can see your traffic going hither and yon 
between the test client and test server that are both in your office, and 
looking at the packet contents I can see ….”

With Ruckus (or almost any other) gear, I have to either open up a hole through 
my firewall or grab the packet traces and send them to the tech folk.  They 
don’t have uncontrolled access to my internal traffic out of the box.

paul


> On Feb 4, 2015, at 8:31 AM, Ray Soucy  wrote:
> 
> Honestly, in a lot of cases you don't even need a device to support
> packet capture as a feature to add it as a feature once it's
> compromised.  This is just FUD IMHO.
> 
> On Wed, Feb 4, 2015 at 7:24 AM, Paul Nash  wrote:
>>> I love the built-in remote packet captures,
>> 
>> You, the NSA, and lots and lots of hackers, ALL love the remote packet 
>> capture.  If Meraki support can turn it on, so can someone who penetrates 
>> their systems (by getting a job there or by hacking), and then they get to 
>> see everything happening INSIDE your network.  Not just your WAN traffic, 
>> which would be bad enough.
>> 
>> paul
> 
> 
> 
> -- 
> Ray Patrick Soucy
> Network Engineer
> University of Maine System
> 
> T: 207-561-3526
> F: 207-561-3531
> 
> MaineREN, Maine's Research and Education Network
> www.maineren.net



Re: Checkpoint IPS

2015-02-04 Thread Eugeniu Patrascu
On Tue, Feb 3, 2015 at 5:41 PM, Michael Hallgren  wrote:

>  On 03/02/2015 16:21, Eugeniu Patrascu wrote:
>
> On Mon, Feb 2, 2015 at 2:53 PM, Michael Hallgren 
> wrote:
>
>> Hi,
>>
>> Someone has positive or negative experience running
>> Checkpoint IPS cluster over ``long distance'' synch.
>> network? Real life limitations? Alternatives? Timers?
>>
>>
>  You can do "stretched" with Check Point as long as the network delay is
> less than around 70-100 msec RTT or so. If you do this, run your firewalls
> in Active/Standby modes.
>
>
> Thanks Eugeniu, I see what you mean. The specific case I'm looking at is
> about asymmetric routing, though.
>

Firewalls/IPS and asymmetric routing don't play nice. Try to change your
setup/design so that traffic enters/leaves your network segments through
the same security device.
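The reason stateful firewalls and IPS "don't play nice" with asymmetric routing, illustrated with a toy connection tracker. This is an added example, not code from anyone in this thread: two independent inspection devices each keep their own flow table, so a SYN-ACK that returns through a box that never saw the SYN is dropped as unsolicited; the `sync_from` method is a hypothetical stand-in for the cluster state sync behind the "stretched" Check Point setup mentioned above, and the hosts, ports and packets are constructed sample data.

```python
# Added example, not code from the thread: a toy stateful firewall/IPS
# showing why asymmetric routing breaks inspection, and how cluster state
# sync (the "stretched" setup discussed earlier) works around it.
# Hosts, ports and packets below are constructed sample data.
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport flags")


class StatefulDevice:
    """Minimal connection tracker: a SYN from an inside host creates state;
    every other packet must match an existing flow or is dropped."""

    def __init__(self, name, inside_prefix):
        self.name = name
        self.inside_prefix = inside_prefix   # e.g. "10.0.0." = trusted side
        self.flows = set()                   # direction-normalised flow keys

    @staticmethod
    def flow_key(pkt):
        # Sort the two endpoints so both directions of a connection share a key
        return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

    def sync_from(self, other):
        """Hypothetical cluster state sync: learn the peer's flow table."""
        self.flows |= other.flows

    def process(self, pkt):
        key = self.flow_key(pkt)
        is_syn_only = "SYN" in pkt.flags and "ACK" not in pkt.flags
        if is_syn_only:
            if pkt.src.startswith(self.inside_prefix):
                self.flows.add(key)          # inside-initiated: create state
                return "ALLOW"
            return "DROP"                    # unsolicited inbound SYN
        if key in self.flows:
            return "ALLOW"                   # mid-stream packet of a known flow
        return "DROP"                        # this box never saw the handshake


def simulate(symmetric, state_sync=False):
    """Return the verdicts for SYN, SYN-ACK, ACK of one TCP handshake.
    symmetric=True:  both directions cross fw_a.
    symmetric=False: the SYN leaves via fw_a, the SYN-ACK returns via fw_b."""
    fw_a = StatefulDevice("fw_a", "10.0.0.")
    fw_b = StatefulDevice("fw_b", "10.0.0.")
    client, server = "10.0.0.5", "203.0.113.10"     # constructed sample hosts
    syn = Packet(client, server, 40000, 443, ("SYN",))
    synack = Packet(server, client, 443, 40000, ("SYN", "ACK"))
    ack = Packet(client, server, 40000, 443, ("ACK",))

    verdicts = [fw_a.process(syn)]
    return_path = fw_a if symmetric else fw_b
    if state_sync:
        # Sync must complete before the SYN-ACK arrives, which is why a
        # stretched cluster only works within a bounded RTT.
        return_path.sync_from(fw_a)
    verdicts.append(return_path.process(synack))
    verdicts.append(fw_a.process(ack))
    return verdicts


if __name__ == "__main__":
    print("symmetric          :", simulate(True))
    print("asymmetric, no sync:", simulate(False))
    print("asymmetric, synced :", simulate(False, state_sync=True))
```

In the asymmetric case without sync the SYN-ACK is dropped by `fw_b`; the toy still lets the client's final ACK through `fw_a` because the script sends it regardless, whereas a real client would never send it, so the handshake simply stalls. With state sync in place the return path knows the flow, which is the effect the stretched cluster buys, subject to the sync arriving inside the RTT budget quoted above.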


Re: Checkpoint IPS

2015-02-04 Thread Roland Dobbins

On 2 Feb 2015, at 19:53, Michael Hallgren wrote:

> Real life limitations?



---
Roland Dobbins 


Hulu NOC contact request.

2015-02-04 Thread Timothy Nowaczyk
We are an ISP and some of our customers are being blocked from Hulu because 
Hulu thinks they’re using a proxy service even though the customers have a 
straight pipe to the internet. Is there anyone on here from Hulu that can help 
me get my IPs unblocked? Please contact me off-list.

Thanks,
Tim Nowaczyk

--
Timothy A. Nowaczyk
Senior Network Manager
All Points Broadband
+1.703.554.6622 (o)
+1.571.318.9434 (c)
tnowac...@allpointsbroadband.com



Re: Checkpoint IPS

2015-02-04 Thread Michael Hallgren
On 04/02/2015 17:07, Eugeniu Patrascu wrote:
> On Tue, Feb 3, 2015 at 5:41 PM, Michael Hallgren wrote:
>
> On 03/02/2015 16:21, Eugeniu Patrascu wrote:
>> On Mon, Feb 2, 2015 at 2:53 PM, Michael Hallgren wrote:
>>
>> Hi,
>>
>> Someone has positive or negative experience running
>> Checkpoint IPS cluster over ``long distance'' synch.
>> network? Real life limitations? Alternatives? Timers?
>>
>>
>> You can do "stretched" with Check Point as long as the network
>> delay is less than around 70-100 msec RTT or so. If you do this,
>> run your firewalls in Active/Standby modes.
>>
>
> Thanks Eugeniu, I see what you mean. The specific case I'm looking
> at is about asymmetric routing, though.
>
>
> Firewalls/IPS and asymmetric routing don't play nice. Try to change
> your setup/design so that traffic enters/leaves your network segments
> through the same security device.

I know. However, I fail to see symmetric traffic flow as ``natural'',
apart from maybe at the extreme edge of a network. So, need another
inspection strategy I think.

Thanks,

mh


Re: Checkpoint IPS

2015-02-04 Thread Michael Hallgren
On 04/02/2015 17:19, Roland Dobbins wrote:
> On 2 Feb 2015, at 19:53, Michael Hallgren wrote:
>
>> Real life limitations?
> 

Right ;-) Among many other nice ones, I like:

``‘IPS’ devices require artificially-engineered topological symmetry - can have a negative impact on resiliency via path diversity.''

Cheers,

mh

>
> ---
> Roland Dobbins 



Re: Checkpoint IPS

2015-02-04 Thread Roland Dobbins

On 5 Feb 2015, at 13:51, Michael Hallgren wrote:

> So, need another inspection strategy I think.

The real question is, why 'inspect', at all? 

---
Roland Dobbins 


Re: Checkpoint IPS

2015-02-04 Thread Michael Hallgren
On 05/02/2015 08:01, Roland Dobbins wrote:
> On 5 Feb 2015, at 13:51, Michael Hallgren wrote:
>
>> So, need another inspection strategy I think.
> The real question is, why 'inspect', at all? 

Yes, that's an even more interesting discussion!

mh

>
> ---
> Roland Dobbins