So, I did the physical tour of my network, and now this is the virtual tour and generally how it's set up. Now, everything comes in. We're right now using Comcast as our ISP. They're Comcastic, and that's a whole other story, but that's what's available in my area for business class internet. We have the business class along with several IP addresses. Everything's handed off to the pfSense. Now, this network map I have eliminated all the IP addresses from, not that I believe in any type of security through obscurity, but hey, why give anyone an edge? You have to work for it. And if they hack me, at least I know they put some effort into it. So, we have the shop, and it has a DHCP range of 16 to 239 with a lot of little reservations in between. Then we have our FreeNAS, and things that run under FreeNAS such as what was called Crucible. I just need to update the map because it's now called CloneDeploy. On this side of the network, we have the UniFi wireless, our VoIP phones, client computers, employee computers, and that's all on this side of the network. Then we have this FreeNAS box and a phpVirtualBox that have dual network cards. Now, these are the two real servers, besides the pfSense, that are physical on the network. Everything from there, from the phpVirtualBox, is a whole series of virtual machines. And that's also why this has two network cards. Some things need to be on this side of the network, which is our shop and LAN side. And this is what we've called LAN 2, or the business side of our network, where we have all the servers. Now, the only servers that are really on the other network card is just the UniFi system. Makes it easier to manage when we're deploying UniFi devices. So they come in, we set them up over here. This is also where the UniFi cameras are that watch the store. And so when we're adding things to this or deployments, they all go on this side of the network.
So this technically is IP-ranged over here via the other network card and moved over to here. The other ones are just on this network and tied to this physical switch. And these are the two physical switches I showed in my network tour. pfSense controls the access between each of these. Now, this one Server 2012 is actually a client server, one network card that plugs into here, and has a very locked-down set of rules to get out for some data stuff that we host for a client here internally, for some of their backups and things like that. We actually just host it here. It's part of a QuickBooks deal. Won't get too much into that. Anyways, so each of these servers is running separately. And here's what they look like over here. I've done a whole tour on how phpVirtualBox works. And with phpVirtualBox, it's a really nice, simple system, easy to import, easy to export. Watch the video I did on this. And it's really easy to take one of these servers, export it, and run it on a local machine. So if something tragic happens to the VirtualBox host, with its SSD RAID array and everything built well, it still could happen. Things break. That means we can just take one of these from a backup and throw it back over here onto a local machine. So it makes it a really simple transition for disaster recovery planning until we can get that machine in the back sorted out. The only problem we've ever had is one time a power supply just decided not to come on anymore and caused the machine to crash. But no real issues there. It's only ever happened once. So let's talk about what this looks like in pfSense, what it takes to configure this. Here are the rule sets I'm using for the LAN on pfSense. So because all the computers click here, we've got this access control list. And this access control list has all the computers inside of it that are needed to get to the other side of the LAN. So this is a list, and it's based on DHCP reservation.
So each one of the client computers, which are my employees' computers and my computer, that have access to the LAN 2 section are in that list. And there's not many in there, only a couple; most things don't need access to it. And it also keeps other computers from just jumping over there. Now, even once you jump over there, all the computers on the LAN 2 side are locked down, support SSH login only, and only have the ports open that are necessary, in the case of, like, the wiki and our point of sale slash CRM system. It's all port 443 only, with self-signed certificates, and there's usernames and passwords on that. So the layers you have to get through, we've tried to make it that, you know, if someone gets on the network and gets the IP address and then gets over to that side of the network, they still have to have a username and password and accept a self-signed certificate. So we try to keep all the layers in place to keep this locked down. Now, the only external access: all those machines do not allow external access. So there's no WAN rules that allow you to come into that, with the exception of ScreenConnect, because, well, you have to if there's no other way you're going to do it remotely. That's protected with a Let's Encrypt SSL cert and then dual-factor authentication, because everywhere we can have two-factor authentication, we do have it, time-based. I don't do SMS or email verification for those; all of that is time-based authentication. Now, OpenVPN is another way, another thing I've done reviews on, and the way we have that secured is with two certificates. So you have the TLS certificate that you have to have, you have to have the OpenVPN certificate that was created when you create it with the OpenVPN wizard, then username and password. So for each employee, there's two certificates that have to be installed on the computer, and they have the username and password.
So you would have to take their computers with all the certs on it and have their user and have their password, which isn't saved; when they log in each time, they've got to type it in each time. So we try to keep the layers pretty thick there to get into the network. And once it's into the network, then you're still faced with the same challenge: there's a pinhole that only allows them to get to certain things on LAN 2, and those things, for example, like the point of sale, those have username, password, and firewall rules again on them. So we keep everything pretty locked down as best we can. Now, the firewall itself. A lot of people say, how do I configure pfSense to make it more secure? Maybe I'll do a specific video on it, but I kind of cover it right here. We use Suricata, I believe that's how I pronounce that, for intrusion detection. And we're running it on each one of the network interfaces so I can see what's going on and flag things based on each interface. The other thing we run is pfBlocker. I need to do a video on Suricata, but I did a video already on pfBlocker. It's great. It just dramatically eliminates the number of issues I see in Suricata. If I turn it off, I get a lot more IPS logs, because there's so much stuff coming from foreign countries and places we don't get. Now, the only problems I've ever run into is when we're doing foreign support overseas. I've run into it once where pfBlocker blocks their ability to see ScreenConnect. So I'll have to figure out what their IP address is and make an exception for that. Or I've temporarily disabled it so I can get someone connected in and sorted it out afterwards, because sometimes, as well, that happens. This is some of the work I do with pfSense. We've got to get in remotely for things, and if we're blocking it, you can't get in there. But those two things are really enough to make it solid. Now, we're not using the DNSBL, which is part of pfBlocker.
So it blocks certain things. It basically creates a black hole that you can send things to. I'm not huge on that. I don't know, maybe I'll play with it later. I didn't find it to be very helpful, and it randomly blocked things that were helpful to us when we were trying to navigate the web. So I didn't really use that. But Suricata is a really nice system, auto block list, things like that. I'm going to do a video later on that. I try to be very thorough in my usage of it, even deployed on my network, and then I do the video on it. That way I can answer a lot of questions that always arise after the video, and so my video can be more in depth, so I can talk about my usage of it. Now, that's just kind of the basic overview of how the network works here. And it's, like I said, not super complicated. That's actually what makes it easier to manage for me. I've seen some people come up with overly complicated things. If it's too complicated, it can be hard to manage. I go for simplicity and just best practice of locking everything down. Lock down all the servers, so only the ports needed, no exceptions, only the ports needed are opened. And then for SSH, no password authentication is enabled, only key authentication on each of the servers. All the servers are auto-updating through the auto apt-get script, so it makes sure all security patches are being applied in real time. Because what if I'm not here and there's some big outbreak and they release a patch for it, and I'm not at the desk and something could happen. The same thing with the firewall. Everything's locked down on the firewall except for what's needed. No exceptions. Also, for remote administration, you can't get into the firewall remotely without OpenVPN. The only way in is through OpenVPN. We don't have any SSH ports open or anything like that. This just, you know, helps me sleep at night, to have everything in a locked-down manner. Two separate networks.
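One way to check that a server actually matches the SSH lockdown described above (no password logins, key authentication only) is a small audit script. This is an added example, not part of the video or the author's own setup; the two sshd_config files it reads are constructed here for the demonstration.

```shell
#!/bin/sh
# Audit an sshd_config for key-only logins. Added example, not from the
# original video; the sample configs below are constructed.

# Print the effective value of option $2 in sshd_config $1. sshd uses the
# first occurrence of a keyword; anything after a Match block is
# conditional, so the search stops there. Values are lowercased.
sshd_opt() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# expect_opt FILE OPTION WANT DEFAULT: report a mismatch, treating an
# absent option as OpenSSH's compiled-in DEFAULT.
expect_opt() {
    got=$(sshd_opt "$1" "$2")
    [ -n "$got" ] || got="$4"
    if [ "$got" != "$3" ]; then
        echo "FAIL: $2 is '$got', want '$3'"
        return 1
    fi
}

# Return 0 only when the file enforces key-only authentication.
# Challenge-response must be off too, or password prompts still work.
audit_sshd_config() {
    rc=0
    expect_opt "$1" PasswordAuthentication no yes || rc=1
    expect_opt "$1" PubkeyAuthentication yes yes || rc=1
    expect_opt "$1" ChallengeResponseAuthentication no yes || rc=1
    return $rc
}

# Constructed sample configs: one hardened, one left at install defaults.
TMP=$(mktemp -d)
printf '# hardened\nPort 22\nPasswordAuthentication no\n' > "$TMP/good"
printf 'ChallengeResponseAuthentication no\nPubkeyAuthentication yes\n' >> "$TMP/good"
printf 'PubkeyAuthentication yes\nPasswordAuthentication yes\n' > "$TMP/bad"

for f in good bad; do
    if audit_sshd_config "$TMP/$f"; then
        echo "$f: key-only OK"
    else
        echo "$f: NOT key-only"
    fi
done
```

Run it against /etc/ssh/sshd_config on each server to confirm the policy is in place before exposing the box to the rest of the LAN.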
And even the Wi-Fi. You see in the Wi-Fi system, that's on a separate network as well. There's a reason why: just in case you happen to get my Wi-Fi password and you're on my network, which also turns itself off when we're not open. We actually have the setup to power off the Wi-Fi, because if we're not here, what are we using it for? And based on all that, if you get in, you're still on the other side of the LAN; you have to work your way back over to LAN 2 through the firewall rules. So, all that being said, and with all these different tools, I feel fairly secure, but I still wear a tinfoil hat because, you know, I don't want to give any edge. But if you see something I'm doing wrong, please put it in the comments below, because you're never as wrong as when you're wrong on the internet. And let me know if you see something like, hey, you should do this because that would be better. But I try to keep best practices. I try to keep everything locked down and secure. But I'm open-minded and realize that at some point, like, I can make mistakes as well. That's also probably the reason I share this. You know, if we see someone make a mistake, you know, probably some people like to start with "you're an idiot." But that's okay. I accept those people who want to do that. And as long as you tell me what I'm an idiot about, I'll be pretty happy. So thanks for watching. If you like the content here, like and subscribe. And hopefully this was helpful. Or if you need clarification on something, or I should do a deep dive on one of these topics, let me know. And thanks for watching.