And we are live, alive and alive. So much to do, so little time. Everyone was really busy; days and everything don't line up the way you hope them to. Well, that is certainly true for a video that I was actually uploading that will be published after the blog post. There's some details that have to go on there.

The Vlog Thursday 3/24 is done early today because Tom has a lot to do later today, and I've already been, yeah, already been working on just the, what do you call it, the 3CX thing. That's not in my blog title, but obviously it's the first thing I'll mention. I'll have a deeper dive in a video. I do highly recommend you read the Huntress blog post on it; Huntress did a good job of citing everybody involved in it.

That's a big mess right now, and supply chain attacks are always some of the worst because they're so hard to defend against. They're so hard to unravel, and it takes a lot of cooperation, a lot of investigating, and I've actually been impressed. The security teams have really come together in a lot of different ways to take this apart, reverse engineer it and everything else. So I think that's definitely, you know, a thing. I'm getting pinged over here; this is what happens sometimes during my day when there's things going on. I actually was talking to the people at Huntress.

So with that blog post I'm doing, a lot of details go into it. Let me just pull it up real quick because I think it's worth sharing here. Pull up the Huntress post, because if you're not familiar, yes, there is a big incident with... man, why can't I type today? I should learn how to spell. There we go. Now that I'm spelling things correctly it's helpful, but I'll be doing a deeper video that's already done; I just haven't published it yet. That'll be posting on this as a topic, and it's specifically going to be this attack, which is the 3CX supply chain attack.
So this, I'll throw a link in the comments real quick so people can read through it together, but it's definitely... 3CX is just a big player in the market, so this being that they were attacked, it's pretty big news. Also how it was deciphered and how it's reverse engineered; there's just a lot of collaboration going on and there's a lot to talk about. So I did my video on it, but in my video I reiterated several times that this is like an initial starting point. This is to get the awareness out there, to tell people they need to take action if you have this installed. I list, and they have listed in here, of course, which desktop applications this affects. There's two specific versions that we know now, and if you're watching this in the future, don't leave a comment and say, "Tom, did you know there's like X, Y, Z more?" Well, we don't know that yet. We don't know if it's only limited to these two. We're stating what we know.

So this is one of the things that makes security really hard: the knowns, and then the stuff we learn in the future. So it's an ongoing, extremely active investigation. The good news is, I don't know what's been compromised. Not to say that's good news, but we don't see this like actively destroying systems and deploying ransomware or anything like that right now. Now, in the disruptive future that is happening right now as major companies run through this, who knows what'll happen? But for now, at least, nothing blew up.

So, yeah, one of the interesting side notes of this attack is the size of it, one, but two, 3CX actually allows white label reselling. So some other companies may be reselling 3CX and branding it with their own. So, yeah, that's just big. Now, 3CX in my opinion did not get out ahead of this very well.
So that's my opinion. I left notes in that video, and that's all I said: I don't think they got ahead of it. But I didn't spend a lot of time speculating, and I focused on the facts of everything we know to provide actionable intelligence to the community. And yes, that video will be published as soon as I'm done, because I have so many things to do. I'm not going to keep this vlog going too long, but I do want to talk about some projects, comparing firewalls, lab testing and errata.

But I like to get the questions out. I do have the ability for people to email me. Let me pull that up here, throw that down here at the bottom. I started doing this so you have an easier way to contact me, if you want to. This is, you know, just so I can read through it on the blog. I don't reply to these emails, by the way, in case you're ever wondering. I don't necessarily have time to, but I do read through them and respond to people.

Let me go through here and pull them up. Only one question was sent in last week, and they were asking about share permissions, and I definitely am going to need to do an updated video on TrueNAS SCALE and share permissions. It's a constant confusion that people have, and they're not that much different than TrueNAS CORE. Now the layout is different in terms of like the menus, and I think I've done a video where I talked a little bit about that. But permissions, by the way, it's not actually... I'm not going to blame TrueNAS SCALE or CORE for permission questions as much as I think people have a harder time grasping permissions. This completely applies to Windows and Active Directory and how you assign permissions to different folders and shares. I see the same confusion over there; I just don't do that as a topic, and sometimes people's first dive into share permissions is with TrueNAS because they maybe aren't an administrator of something like Active Directory.
So, yeah, I'm working on some updated videos for it. My old videos are actually accurate still; the menus may be a little bit different, but you can apply my older video on how to do permissions and shares to how it still works in TrueNAS SCALE, even though I did it with CORE maybe two years ago. But keeping this library of videos is an ever ongoing challenge. I showed my workflow of how I get this done as fast as possible, but as fast as possible still, I have a lot of moving components on there, and I'm always working at ways to be more efficient. So hopefully I'll get to that soon.

That's somewhere in between. I actually do a lot of consulting. If you guys didn't know, I'm not just a video producer. I have a business, I have a bunch of employees, I have some interactions that I have to do to run the business as well. I've actually delayed right now; I got some taxes I have to file, I even got some accounting I have to do. There's, yeah, my day is rather packed, but that's how I'd want it. I choose to do this because this is what keeps me... I'm never bored is the best way I can say it. Someone asked me if I would have chosen a career differently or things like that, and I'm like, not really. Doing one specific task, it may not be as interesting as doing all the things I do at once. Which, by the way, not all at once, just the many things I do.

Me and Jay from Learn Linux TV, we hang out every Tuesday night in our tech talk, and we always like to remind ourselves that nobody's really actually good at multitasking. You set aside time, you focus on one task until that task is complete. So even though it may seem like you're round-robining through things and you think you're good at it, the reality is highly focused block hours of time to accomplish one task is a better methodology for completing it than trying to complete many tasks at the same time.
So, just my thoughts on that, so I can at least share them. The next part of that question was: what services are you moving to Linode from on premise? I don't know just yet what I'll move over to Linode. That's kind of undecided. Most of the things that I will host in the cloud in general are going to be like websites and forums, because those are better hosted in the cloud. I don't know what I'll actually move there right now. When I can, I like hosting things internally. It's convenient, but of course, and this is generally my process for it, if something requires a lot of heavy public access, I don't really want to host it internally at my office. So, yeah.

Let's see. "Did you not get the HT firmware for your brain?" Hyperthreading firmware, we'll go with that. Make sure I caught up on all the questions. I did.

And the next thing we're going to pull up here, this is the controversial topic I wanted to talk about today. Turns out 3CX had their own controversy to talk about, but this is the video I actually will probably do before I do the permissions video. This is going to cause some people with opinions. There's already been people arguing with me on Twitter about this a lot, for whatever reason. I'll make it a little bigger, but there's a link on my Twitter; I'll share a link here as well. Let me see how I can actually... let's do this so I can... File, there we go, copy, add it back in here. Oh, there we go. This is a firewall comparison that I'm making. So this is going to be controversial.
I say that because, yeah, we all know the UDM Pro is the best firewall, right? And this is... I put in here some general categories. This is also where people seem to be upset the most: I didn't cover their firewall. I'm going to qualify this with, at least I have some experience with these firewalls at some level, or I talked to people like Christian Lempa from The Digital Life. His YouTube channel is great. Me and Christian talked about Sophos; I'm going to be linking to his video on it. So Sophos is one that I know a lot of people ask me about, so I figured it's worth noting in here, because they have a free version for home users. Christian has a video on it. I will reference his video, and I'll at least leave this as a comparison because it actually does have a lot of things on there.

This is not necessarily directed all at home lab or home users. This is going to be maybe small businesses and things like that. But then you're going to ask, what about Palo Alto and some of those? Well, here's the problem when you start getting into some of those little firewalls. One, I don't have a lot of experience with them. But two, if you were just to lay them side by side, Palo Alto versus a fully loaded whatever the latest Cisco is, for example, you'd probably find they have a list that says they do the same things. The nuance is always going to fall into how they implement it. Saying they support a feature versus how they implement it, it is a really hard argument. And also to say how good their support is, once again, a hard argument. If you see some blog post from 2021 where someone complained about how bad their implementation of some particular feature was, and then later they have that implementation done well in 2023, you're not giving them a fair shake, and it becomes just not worth it, because it's just a bunch of opinions floating around that is going to be a lot harder to do. So this is going to be how
I break these things down, and how some of them work, just to give people a general idea of all of it. So that's, yeah, as far as my thoughts on Meraki: I think they're overpriced. But do they have the features? Sure. I mean, Meraki's got a lot of things on the yes side of things. So, you know, can you run it on your own hardware? Of course not. Central management via their site, licensing fees, I should put this in like a big bold yes. They do have a lot of these other features there. And for example, like the BGP, OSPF, you're probably not going to want to buy Meraki for that. They have that as a feature, but it's not the most advanced feature. Do they have ST... and yes. Do they have OpenVPN? No, because people may ask about that.

Do they have content filtering? And this is one of those ones that's going to be very subjective. You could make the argument that pfSense has content filtering. I said "yes, but complex" because I wouldn't use it; I don't recommend using it at all. And this is one of those things, like this is implemented very differently between each of these. From a "check the box, they can do it" versus "can they do it well, can they do it in a manageable way" are very different answers. And this is where you start going off the beaten path when it comes to firewall discussions of what they can do and what they can do in any reasonable, manageable way, and how do you define that? Because if you just start trying to check marketing checkboxes, then you have a problem where the marketing people said yes, it can do it, and they don't engineer using it, because, oh god, I would never use it for that. It's a terrible use case because it's so hard to manage. So you can definitely see that's a chain problem there. Let's see. Yeah.
Oh, this is... I'll answer this question because I think it's a fun one. It's got to be a fun one, because this is the picture I used as a thumbnail for this, and we'll just share it instead. Yes, there's a giant project that I'll do a video about, and Steve, you've seen him on here before. He's mentioning this is a full install of a network, and it's kind of a mess. So Steve has been setting this up along with Eric; I think he's been on the channel before as well. Internal technicians are setting this big project up, and as you can see, there's a lot going on here. There's a bunch of cameras and UniFi equipment, and this is all going to be labeled, boxed and shipped to the client location and then installed. So I want to do a couple of videos on pre-deployments of, you know, our internal term might be "network in a box", of how we put all this together for people. So, yes, definitely that'll be a discussion.

Now, can I lock the top? Yeah, let's do that right now to make it easier. I think you do that with... you know, I don't spend enough time doing spreadsheets. That's probably a problem. Where's freeze one row? One row, there we go. We got it froze. There you go. It is now frozen, so you can scroll up and down on it. I'll make sure this is prettied up. "Installed" in air quotes, yeah. Actually, I do have my Insta360 camera; I do have some time lapse footage of this getting set up. So, yes, I want to do more of that. That is something I have, and definitely gonna be a topic of how all that gets put together.
Oh, let's see. But yeah, I want to do this video because a lot of people have questions, but by no means is this going to be exhaustive. Especially this last part here, traffic monitoring and reporting: they're not all using the same way they do it, and I put like yes with a couple of these. And someone correct me if I'm wrong, but am I right to say that they still don't have good time slicing or accurate information when you're going through the USGs or the UDMs for how that works? It's been a confusing topic sometimes when I look at the way the DPI reports are inside of UniFi, going, why can't I just have an accurate time slice? Because knowing how much data was used or what sites they went to, cool, but I should know that over very specific time periods. So if you don't have time slicing, you're just kind of giving me raw data.

Now if you go over to ntopng, I've got a whole video on it. I probably need to do another one, because there's a new version and that adds a few more features. But ntopng gives me very detailed information of exactly how the flows are going, because it's using like flow data to understand each connection, where it's going. NetFlow, you know, being able to look at ntopng and really dive into it is very helpful.

So pfSense can do policy routing via protocol or port number, but not via application. Well, there's kind of a way to do it, but once again, there's no easy way to implement this. So this is where you're splitting hairs. I would say no, if you want to do application aware routing where you're doing layer 7 to identify applications to then go through and create a policy around them. No. Can you use Active Directory objects easily in pfSense? No. If that's one of your things that you have as a requirement, I put that in there specifically: firewall policy based on Active Directory.
So I'm not saying you can't have pfSense talk to Active Directory for user authentication. That's different. So they do have AD integration, but firewall policies based on there... So maybe I should say "firewall rule and policy" might be more accurate. So let's put this like "firewall rules based on Active Directory." That's a no. That's not something I'm aware of you can do with pfSense, where you can say, hey, when this user logs in, authenticate them against Active Directory and make that understanding in there. It's kind of an advanced use case.

Now, one of the things pfSense is popular for is having a reverse proxy in it. So it has HAProxy in there. This is something that the other ones do not, but oddly, Sophos actually comes with a web application firewall, which sometimes people conflate with a reverse proxy. They are different things. While you can add rules to HAProxy, it's not the same as an actual web application firewall.

So you can see where I'm going to cover this, but the nuance is going to be like, hey, you're gonna have to dive in there, because some people start asking me like, well, what's the speed of each firewall? Well, that's a model dependent thing, so I'm going to leave some of that out. But the biggest thing it comes down to is if you have a use case where you go, I need this feature, and you don't find that feature in my personal favorite firewall, pfSense, then don't use it. I'm not trying to sell anybody on it, which is what the Twitter stuff turned into very quickly. People, you know, really wanted to think I was trying to sell them on it. I'm like, I'm sharing my experiences with it. I didn't tell you not to use, like, OPNsense, is what people want here.
I'm like, I don't use it. I don't really run into OPNsense very often. But that doesn't mean you shouldn't use it. If it fits your use case and has all the boxes checked that make you happy, then you should definitely use the firewall that works best for you. As a matter of fact, one of the things I encourage all the time to people is use firewalls that you're familiar with, because if you are using something you're unfamiliar with, you are more likely to have it misconfigured. So that's an important aspect as well.

Fortinet has a reverse proxy. This is, once again, we're talking about the Fortinet firewall. Fortinet has an entire reverse proxy and web application firewall, but it's a separate product. It's not integrated; it can integrate as part of their ecosystem, but it's not in their firewall natively. So that's where I'm trying to draw a little bit of a line. But you could say the same thing for some of the other companies. At least Sophos, within the Sophos XG firewall, has a web application system. Fortinet, it's a separate product you can buy, and it would integrate with your Fortinet ecosystem, but it's not native to just the firewall. That's my understanding from everything I've read. I'm not a Fortinet reseller, but I didn't talk to one, and my understanding is, you know, that seems accurate. If it isn't accurate and there's somewhere you can link to this, awesome.

Counting JSON hacks as a UniFi feature, that's a whole other thing. Just because you can do something by modifying JSON files, I'm going to definitely keep it in scope to firewall features that you use through the normal UI of the firewall, not something you have to go off script for.

The big differences between OPNsense and pfSense: they forked a long time ago.
So the difference gap is there; it's not massive, but they're different products now, with different build teams. They do share, at the base level, the two things that pfSense and OPNsense have in common: the fact they both run on FreeBSD, and they both are open source projects that use the pf packet filter. Okay, now after that, are they similar? Yeah, but they have very different layouts for menus. They have a different plugin architecture. You can't transport the rules from one to the other, so there's no direct line of doing it. And I just don't want to take the time to learn it, because I don't find any compelling feature that it offers that makes me want to switch over to it. So I'm just not including it. If you like it, keep using it. I prefer pfSense. They've been very solid. They don't have as many frequent updates, but I know that dives into the nuance. It's something I wasn't exactly sure how it worked, but I guess if you buy a commercial version, the licensed version of OPNsense, they give you a different, less frequent update path. I was told; I don't really know much about it. But this is also why I'm not including it, because there's not a reason for me to include it.

Oh, "What is the reason for comparing firewalls, just pure business interest or any other?" It's a question people ask constantly, because I cover so many firewalls. So people want to know about the firewalls, and I almost limited it to just pfSense, USG and UDM, and maybe Untangle, because they're ones I've actually dove into on the channel. But I added a couple more just to go out there as outliers, and, you know, I'll link to Christian Lempa's video on Sophos. He's covered Sophos.
He's making some new videos on it. Maybe by the time I make this video, he'll have a new firewall video just diving into Sophos. Because these are probably the most frequently asked about ones on my channel. Like, when people message me, when people ask questions, these are the firewalls that get the most questions on there about the firewall.

"It has some limited Fortinet wireless access points, for example. If you can RDP your firewall, there's a special web interface. Last time I looked, yeah."

"I'm a VyOS fan, Rick, and would recommend it for... I understand that it's probably not going to be talked about on the live stream." Yeah, the problem with VyOS is it comes on two learning curves. VyOS is popular in very high-end markets, and I'm not going to do a video on it because it's such a focus on those high-end markets. Nothing wrong with those high-end markets, but this is the challenge of doing a video like this. Cool, if I did a deep dive (which, by the way, I don't use VyOS all the time), but if you do a deep dive into something technical like that, you're not going to get a ton of views. A lot of people won't want to take on the burden of learning a more complicated firewall that you drive from the command line. I don't think it's a bad thing to learn this, but it's more of a niche job skill than a regular one.

You know, an example is a consulting call I had with a college, and they were a small college, and I liked the IT person. They were quite smart. But one of the problems they realized is they backed themselves into a corner. They had built all the firewalls using Linux systems. They did not use any appliances. The person was actually quite well versed in how to build firewalls. I was impressed.
They did a very good job. They had good security on it. They couldn't find anyone else to help them maintain it, and the person was moving on to another job, and they were trying to find someone to help manage a completely written from scratch system. Now, it was well maintained, and he had Ansible scripts to change things. He had an Ansible script to get the firewall changed, all kinds of cool automation. But handing that over to someone versus handing someone a web interface type firewall, they're different skill sets. And part of the problem was he got a job offer that was going to pay substantially more, and the college budget for that job was this, and that budget was really small for someone who has the level of skill needed to do that, which is why he left: he got a job offer that was substantially more than what he was getting paid. I completely understand why he left, but now you're leaving people in a lurch going, now what? I can't find anyone. The competency and the compensation you may get for having this high level of skill to be able to manage this means that job becomes a little harder. So, yeah.

Yeah, go ahead and pop in, Steve. I'll send you the link. I'm sending it over Signal right now. There we go.

Yeah, VyOS does not have a GUI yet. So I want to see the edit of... he said Let's Encrypt support as well. I do have the Let's Encrypt support listed as yes, but it's only for the firewall, unless that changed. When I did take a look into the documentation for Let's Encrypt, correct me if I'm wrong, but it's only for the firewall.

"What feature are you missing the most on pfSense?" Remote management from... Yeah, the central management. We've built our... well, I'm not gonna say we, we're gonna say Steve built; I did what I could. Well, Steve built a reverse VPN, so we have client ones going on there. Central management is a double-edged sword, and I don't like the way some people have done it. I like the way we've done it.
I think it can be expanded, and maybe we'll look at taking the time to write something for this. But the problem with remote management: some people had suggested, because there's a third party company that offers remote management for pfSense, they do it via SSH keys. The problem I have: did you notice at the beginning of this video where I talked about a supply chain attack with 3CX, and they used it to deliver everything? Yeah, if that one person, the one vendor, gets compromised, and all the pfSenses are attached to it with full SSH access so they can remotely manage them without putting passwords in, now you can deploy rapidly to all the endpoints on there. That's scary and not an ideal situation. The way we do it is more sane, in my opinion, where it reverse proxies and connects, but that just gets us to the web interface. We still have to actually use a username and password to log in to the pfSense.

Well, and that's where I wish pfSense would have a solution like a centralized dashboard, similar to that of Untangle. Yeah, where it then just gets me to that login page. So then I have my account login, that gets me my list, then from there take me to that login page where I then have another login. Yeah.

OpenWrt is probably a great consumer product, but I wouldn't recommend it. It's not going to make the list here. It's a neat consumer project to reflash things with. I stayed away from some of the consumer ones out there.

We need to do a video about how I set up that.
Yeah, we get that question a lot. Yep.

"Do you think it's a good idea to do SSL offload in pfSense and HAProxy and have IDS looking at the exit point in a target server?" Yeah, it's kind of handy. You can have it, if you have something that you need a reverse proxy to, you can have it doing IDS. But generally, the more common use case for HAProxy is not for external things, but so you can have internal services and have auto renewing SSL certs. So, let's say TrueNAS for an example, but you may have a handful of things internal to your network that you want to host internally and not have to deal with setting up or dealing with, you know, security warnings. That's the common use for HAProxy, not for external. It can be used for external, but also for internal. But yeah, you can actually turn on IDS on it as well.

Talk more about that remote management. Mm-hmm. Mm-hmm. I have a meeting with our Canadian friend. He wants to know how I did it because he wants to set a bunch of them up. Yeah.

Yeah, so we'd have to do a diagram to really say how he did it, to make it clear to people. But essentially you put an OpenVPN client config on each one of the clients that we have, so that OpenVPN then dials back to us and authenticates, and then has a port bound to it. Truly not that simple. Did I describe that accurately, Steve?

Yeah, so basically everybody gets the same client config to talk back to us, but they have no rules that let traffic or anything come back. Yes, and then we set up port forward rules. So what happens is we hit our internal pfSense on different ports, and that redirects to the corresponding pfSense, and you set each user up with an override. So, you know, this client is this user, this user gets this IP.

Now a couple funny things we'll point out here. One, we called it Project Tunnel Bear. Steve did; thanks, Linus, for the inspiration on there. Two, you'll notice that this only has one internal IP address. We keep
this very locked down and restricted, so it comes in and hits this, but it's all tied to only one IP, because it's all you need to manage this. So, yeah, there's no LAN interface on it. It's WAN only. And in pfSense, if you don't have a LAN, it adds the anti-lockout rules to the WAN. Yeah, so it's just a really simple system. Picture everything coming in. We have a NAT rule to pass through our public firewall only to this, and then this is in its own sandbox. That way, if there's ever an upstream compromise that tried to traverse across here, it can't spider out to any of the other systems. That's the important part of the way these rules work on here, and that's the part we'll highlight of how we did this. Yeah, that was the complex part. That's the complex part, is making sure all the rules, so this doesn't become a central point by which you can do anything other than hit the management web interfaces, and that's it. Yes.

Yes, pfSense, and that's in my list here. pfSense does have high availability. I put that... matter of fact, that's one of the things I have, I think right at the top here. Yeah, high availability is on this line here. But that's a yes and a yes, and Cody can tell me how close it is to beta. I know at some point in time UniFi is supposed to get high availability. But, you know, we're mostly concerned about their availability, so they have a shortage on UDMs. I don't know, I think it's just a shortage on everything else. Yeah.

"Essentially I use WireGuard, where each client's pfSense is a peer, and a central WireGuard server is able to route to them." Yeah, that's another way you could do it. Same premise. Me and Eric were actually talking about, do we move to WireGuard? The only downside is the packages. OpenVPN is built in, versus now we've got to make sure that this package is there, up to date and working. Yeah.

I see Cody's got an honest answer here. Oh god, who knows about HA? It's tied to the PDU, which I don't understand either.
So I hated that thing. Yeah.

"Do you have no concern about having internet VLANs and LANs of VLANs on the same x community house?" No, it's not public facing. It's a pinhole that goes into an isolated network that has its own rules. So it's its own VLAN with a lot of rules around it. So, no. Well, no rules around it. Well, yeah, no rules, because it's not allowed to go anywhere. So, yeah.

"Encryption capacity." We have the capacity to encrypt. I don't know what that word means. I think he means like the highest level of encryption it can effectively run, which, I mean, like pfSense, you could throw a high level of encryption at it if you have the hardware for it. Oh, I see people saying, for example, Meraki doesn't support AES 128 or 256 GCM. Huh? Yeah, it also on its normal VPN does a route all unless you write specialty scripts to tell it not to. I mean, yeah.

"How do you let your customers' employees access their own network resources?" A VPN, if they have to. VPN is generally... I thought he meant as in like logging in and managing things. I'm like, nah. Yeah, no, generally I do avoid... we try to avoid. We hold on to the keys. We have a couple clients who have logins, and it's... I like charging them to fix it, but I hate the emergency calls when they touch something. Yeah.

I'm gonna... this is gonna go for about 10 minutes, because I have a few things I have to do. But I want to share something that's going to make Steve laugh, and I'll get the opinion of people so you can see it before it happens. Is this thumbnail too much? Ah, I was like, you know, should I put my face in it? They attributed this right away to North Korea. Like, they're like, these guys know that they did it. Interestingly, they cited that, so in the CrowdStrike write-up,
They're very much blaming, uh, North Korea, because they use exactly the same encryption keys. There's a ton of tells in there that basically say it's North Korea, which is weird because normally you don't get attribution this early. But CrowdStrike, from the very first announcement yesterday, said those people did it, and I thought, well, I think it makes a good thumbnail. I mean, I don't say who did it. I just cite that CrowdStrike said who did it. So yeah, I just couldn't resist the thumbnail. Uh, let me laugh, if nothing else I can. Everybody knows North Korea is best Korea. Yeah, I knew you would at least get a little chuckle out of it. A few people I shared it with got a chuckle out of it. So I think that's what I'm gonna stay with for the thumbnail on the 3CX video. Off topic a little bit, uh, you know, that's pretty on topic. Um, as long as you didn't forget the old switch and it's still in the controller, you can go into the settings and pull the configs to the new one from the old one. But there's a caveat: it has to be exactly the same switch. Yes, and UniFi, on some of their newer 24, I think it was the 24 ports I was working on, they changed the product number, the name it shows up as in UniFi. So now you could have literally two of the exact same 24-port switch from UniFi, but the newer version shows up as a different name in the controller, so you can't move the settings to those ones. Yeah, I was trying to see if I can, uh, I wish I could remember who I was doing that for, and I ran into that. I don't think we have two of this. I don't have, I should say, in mine. No, we don't have one.
I think it was the, uh, network-in-a-box job I just did. I was pulling all the old configs, and I think the 24-port Pros lined up, but the 24-port PoE didn't. Yeah, we don't have two of the same ones on our lab either. Nope, each one's a different model. Well, they were, but when we split them to be lab, I can't, yeah. But what do you want to do to make this work? Did you put both, uh, aggregation switches in? No, because one's in the lab and one's in there. Okay, let's walk through the scenario really quick, because it's actually, it's not, the option is still there. Now there is a complaint, because UniFi's wording is not clear: the one you are selecting is the one you are pulling a config from. From, yes, and it doesn't tell you that until you click on it, and that is a complaint, because people get confused. Am I copying to or from? And then when you click on it, it tells you you're copying from. Yeah, so "Enter device configuration" here, "Apply the copied configuration from one device to another," and maybe they can add some wording to make that more clear. But essentially that's what Steve's saying here is the way it works. Let's say this one, pick any one of these. If you say this died, right, so if the lab aggregation rack dies, uh, that switch dies, we leave, do not unadopt, you leave that one in there, you adopt another replacement switch, then you copy the exact same type, of the exact same type by the way, and hope it's the same name. Yeah, yeah, yeah. Yeah. So that's, uh, it's one of the, yeah, the fact that they change product names, I don't know why, but yes, that's the process for that. So yes, it can be done. No, it's not off topic. So many things. Yeah. Actually, what do you guys get plugged into this if we show all the clients? Not much. Oh, I actually powered it off because the radiation coming from the office was high.
So we actually, I powered it all off. We were worried there wasn't gonna be enough power on those switches. Yeah. When do you use pfSense and when do you use UDM Pro? We use pfSense. That's always the answer. Um, those are great for home users, home users or if it's a small office where you want that extra stuff, like if you're in a shared office space in a building and you want UniFi Protect for your door access and it's like a small six-person office. You're not using the VPN or anything. Go ahead, put it in. It's great for that. You can throw a couple cameras on it. Boom. You just covered your little ten-person office. No problem. Ha ha ha ha. You want to see something really funny? This is off topic, so yes, but it's on the first topic I shared. Um, man, I did too late, already did the video. I'm not redoing it. This was sent to me by the threes. I've got to change screen sharing. All right, this was sent to me by 3CX co Nicola, after asking for a post-incident report and whether or not they had engaged security consultants. The CEO responded: "Thanks for your support in a difficult time. Please find another product and leave us to fixing this matter." His responses. It's like, someone, dude, like they gave the guy a shovel and like, go dig a grave, man. Here's his shovel. Here's a social media account. Go. What about the legal department? Ah, we'll deal with it in post. They've let the CEO talk. He's not said the nicest things. Apparently, he's not a good person. I didn't know this. I've just seen the commentary on Reddit of the CEO of the company not being the most wonderful human, and he's living up to, you know, I see it as comments, I see it in reality now, him telling people. Uh, let's see, obviously the dude needs to go. I could take a lot for the CEO. This is, is petty in crisis the final straw? Yeah. Oh, man, dude owns a controlling stake in the company. He's going nowhere. Yeah, this is not going to help the reputation.
They did not get out ahead of this at all. 3CX was like in full denial mode, but yeah, that's, have you seen performance issues with UniFi Lite 8 switches? The test replaced an NG 10/100 switch, uh, like a long connection actually reports 100 megabits, uh, Lite made it worse. How long is the, um, run? So what could be happening is, if you replace an old 10/100, it could only negotiate 100, and if the run's too long, that's fine. But when you put the UniFi in, which is now gigabit, they both start trying to negotiate gigabit, but the run's too long and then it starts just, um, crapping out on itself. So you could try setting the negotiation on that port to 100 and it may fix it. Yeah, Travis had that problem. Yeah, when you start having edge cases of wiring problems and things like that, that's a harder thing to even test. For the most part, if you're using good in-spec cable without any noise on it, even your cheapest switches perform at the specified spec that they claim. You know, you can go buy a non-managed, pick an, insert name of cheap switch, uh, if it's labeled gigabit, it will probably run around gigabit without a problem, without any difference, because I've had, in early days of the channel when I did more switch reviews, I feel like a lot of people go, why didn't you do a speed test with iperf on the switch? And I'm like, it's a switch. It's a switch. They do switching. Maybe there's some that exist, but for the most part even the cheap ones do gigabit without even a thought. That's because they're not doing anything to the, they're not applying any rules or whatever. It's a pretty well-established standard on there. But when you start having edge cases, how switches handle edge cases, I don't know the consistency along that so well, and like I said, that could just be a problem. He said it's a long run.
It's possible that it's, uh, like Travis just said, he had a 500-foot run that at gigabit would start dropping because it was just too long. Uh, so when he set the port to 100 meg, it worked fine. Yep, because you're running over Cat 6, which is meant for, um, gigabit at, you know, 100 meters. But if you go further, it can go further, but you're not going to necessarily get gigabit. We had that one run, uh, that delivered, what was it, PoE and 100 meg at like 600-700 feet with some Game Changer cable. The Game Changer cable, that's an option. Those, uh, MikroTik extenders are awesome. Yes, I reviewed those, those are great. Um, I didn't do the follow-up video, and I actually took it apart, but maybe I'll do the follow-up. I think it was probably for six or seven months I had one in a big bundle of cable. You remember, it was just sitting in the studio area with one plugged in. I put a big coil of cable so it was going extra distance, and I put a PoE camera on the other end of it. I wanted to see if it melted, and it didn't. Um, this question here, this is a fuzzy one, so to speak, because people conflate what MFA is. If you're using OpenVPN there is a certificate, and if you have a user certificate, you actually have two certificates, and then you have a username and password, so those are three factors of authentication. They need the outer certificate, the inner certificate, so to speak if you will, the user certificate, and the username and password. So those are different factors of authentication. Now, if you're asking specifically about rolling, like TOTP, a non-static form, I don't know when they're going to get proper support for this, and I say proper. Within the facilities of OpenVPN that piece of information can be sent, but that is currently not, and I have a request with pfSense to, uh, add that. Oddly, Untangle has that, where instead of sending it you can combine them with RADIUS. You can put the username in, and then the password is a password plus your TOTP. There's a way to do this
to RADIUS. I believe I have a video on that as a topic, but it's not the same as actually putting it where it goes. Um, so yeah. When you do it you switch from using a password to a PIN plus your TOTP, right? And the other caveat is, because OpenVPN in pfSense by default rechecks your password every two hours. Yep, you get logged out in two hours, right? Like clockwork. Right. So that's one of those, um, confusing things about how they did it. But I will point out Untangle, uh, they're using and passing through that extra parameter on there. It's a built-in facility to the latest version of OpenVPN, but pfSense currently, uh, just doesn't expose it. I don't know why, so I do have a request with them that they should consider adding it. Yes, I don't know where that's at. But if you are trying to check the box of two-factor authentication, then yes, those certificates are a factor of authentication, because if I gave you my username and password and IP address for where I log in from VPN, that would not get you in unless you also had the accompanying certificates to go with it. So you have to get those certificates. Hence they're a factor. Uh, there's no user management for usability. Yeah, usability, where it's awesome for site-to-site. WireGuard's a protocol. This is one of those dumb things. Um, I think I did a video kind of complaining in early days of WireGuard, and I said why not to use WireGuard, and part of the problem is people get so overhyped about it where they're like, but Tom, it has so many fewer lines of code than OpenVPN, therefore it must be easier to audit, more secure. I'm like, it's missing things. Saying it has fewer lines of code becomes an irrelevant statement, because it's not doing all the things that OpenVPN can do. It's a very singular task. It has no user facility in it. So that's expected to be third party. So the transport layer.
Yay, cool. We can really dive in and audit that, but without those extra functionalities, and you know, those companies have built extra on top of it. For example, Tailscale uses WireGuard as a transport layer on the bottom, but their front end, being Tailscale, allows for that facility to be managed. Yeah, we get a lot of people asking, hey, I want to switch over to WireGuard, and can all my users use WireGuard? We show them the setup process. They're like, I've got to do this every time? You sure do. Yeah, how do I, like, revoke it? Not as easy. Not as easy, and you're recently throwing in descriptions to label who each WireGuard is. There's tools out there that manage it. Uh, another one, I haven't used it, but I know people have asked me about it a couple times, is called Netmaker, and that's one of the things it does: it uses WireGuard as a back end, and Netmaker will help you manage it. You find it? Uh, what's their website? netmaker.org. Funny, their docs page comes up before their website when I search Netmaker, but it's netmaker.io. That's why. Anyways, netmaker.io, if anyone wants to play with it. It's just another way to do it. But once again, it's not like just throwing it in, and no, I don't know how this would even integrate with pfSense. It's something a little bit different. So, um, none the last, all right. Uh, oh, I want to answer this question: entropy isn't what it used to be. That's my favorite joke about entropy. I don't understand what you're asking. Have I figured out entropy?
You can never figure it out, because entropy isn't what it used to be. Uh, what else do we have? I'll give it three more minutes of questions here, because I've got to publish this video and then go do a few things. So you can talk about the 3CX stuff. Um, VPN protocols, horses for courses rather than one size fits all? Yes. It's all about which horse you want to use, mm-hmm, and then there's a complicated topic when you talk about firewalls, because, um, like if you were to have Cisco on here, or, you know, I will technically do because I've got Meraki. Meraki, I believe, uses AnyConnect for the VPN. It's not like they're using, they have IPsec, but they do have other VPN tools. Yeah, that are not compatible with OpenVPN at all. There's something, and I believe by default it is a full tunnel. You have to work to make it not full tunnel. Yeah. Entry b g, entropy jokes just fall apart. Yes, they do. Uh, yeah, the firewall video will be a spicy one for sure. People love to argue about it. I do Tailscale on here, which is a nod to pfSense, because I know it's one of those categories only pfSense clicks the yes box in, but Tailscale is becoming extremely popular. So my videos on it have suddenly gotten more views, and also, um, a lot more people ask me for updated videos on it. So I don't know what Tailscale's changed. I think they're just doing a marketing campaign which drives people to start looking for, uh, Tailscale more. But it's an easy-to-use and popular solution. So, you know, I've seen this, um, it's once again, you know, stupid laws, dumb people trying to push stupid laws on us. I just watched the, uh, Senate hearings on TikTok, and you realize this is going to go nowhere. They have no idea how any of this works. They don't, yeah, it's a giant disaster. Uh, it goes off topic, channel.
But yes, it's once again those in charge trying to reduce the level of security that we have, because they think that's the solution to things, because they always do. Terrible legislature, no shock, uh, shocking. No other emails, and I've got plenty of emails, which is not from, uh, vlog. There's eight people, so we will wind this down so I can publish my photo. I did get a DM from a friend; apparently he noticed that I shared it. His suggestion was, uh, Kim Jong talking to the CEO of 3CX, and I'm like, it's funny, that would be, I don't have time to draw that. Um, perhaps, uh, man, user management, Tailscale on a pfSense with subnet router could be an option to make sense for the roads? Yeah, uh, I've suggested it to a couple of people, and they were surprised how easy Tailscale was to set up. Um, it's a solid solution. As a matter of fact, one of the reasons I love its integration with pfSense is, obviously, you have to install the Tailscale client to be able to talk to things. But what if you have printers you want to talk to and things like that that you can't load Tailscale on? There's ways you can actually tunnel traffic from an endpoint and laterally move over to something, or, even better, you load it on pfSense and everything on that particular network has access, and then your road warriors have access via the Tailscale network, uh, to have the VPN. Now people bring this up sometimes, and it's, um, really important to think about, because people say, what happens if that endpoint goes rogue, man, something happens, it's connected? I'm like, well, the same problem happens with the VPN. I've had people thinking, like, Tailscale should inspect the traffic, and I'm like, no, not their problem. You should have endpoint security doing that, because a user that's on your VPN that turns malicious, you have exactly the same threat model now.
Maybe it's not an always-on VPN, so they'd have to log in, and maybe you're forcing a password from the login. But lots of people either have the VPN logged in, so the threat model is kind of the same, and if they're using the computer or have some backdoor on it, they're going to activate that while it's connected via VPN. And yeah, so it's really not a Tailscale problem. But Tailscale is a neat solution, and its integration with pfSense is, uh, pretty cool. Solves problems for people. Yes, it is. Yep. The Morty one's right next to it. Well, that's right. Yeah, I washed them. Oh good. I brought them home. I threw them in the washer. They're cleaned up. I just haven't put them up anywhere. That was sitting on the bar back there. I've been working on cleaning before I leave for Florida. Look, someone wants a unicorn, Steve. Oh, yes, we love the five-hundred-dollar to a thousand-dollar system that can do 10 gig IDS/IPS. Sure, sounds fine. I mean, technically, with pfSense and custom hardware you could probably get a Ryzen system that would, uh, maybe do that. But how good is that traffic inspection? And in reality, if it's really good IDS/IPS, it's going to be full SSL decryption, because the firewall is blind to most of the stuff because it's encrypted. And if you start decrypting it, now you've created a huge workload on there. So it's a lot to think about. All right, well, I'm going to bounce. I'm going to go do a few things, and, uh, I will chat with everybody later. I'm gonna get this video published. I'm gonna go back to getting ready to leave. Oh, that's right. Yeah, so we all got places to go today. No, I mean, like, well, that too, but I mean for all Florida. Oh, that's right. I'm getting all my stuff together. Steve becomes Florida man. Yeah, I believe at 4 a.m. Oh, that's 4 a.m. tomorrow. 4 a.m. tomorrow, and then driving, so by this time tomorrow I'll probably be like Kentucky. Oh, okay. I didn't know you're driving.
Yeah, uh, with all the, uh, you know, they're turning flights around, canceling flights, and I, dude, I avoid airports. I'm just saying that. The last thing I want is to get to the airport, then find out, oh, we cancelled your flight and you're gonna sit for four hours. I have no fear of flying. I am just greatly aggravated by inefficiency and stupidity, and there is a plethora of it that you will find. You know, the best airport is Detroit. They don't screw around, they get you on that plane. Yeah. It's leaving Florida. If you're in the Disney, it's like, especially in the Orlando area, it is a mess, like you stand in line. It's one of those things, like they tell you be there like an hour early. Detroit, they're just like, go, go, go. You're sitting there, and then when they call you up, hey, if you're section one, two, three, get up here, go. They're getting you on a plane, getting you out of here. They're not playing around. Um, but Orlando, we stood in line. We just stood there in line before the TSA. The line got so long they started skipping the scanners and just having the bomb-sniffing dog go up and down the rows. Yeah. You know, though, I still love, um, is it Ron White, when he was talking about the planes? He's got that one joke. Someone says one of the engines went out, how far do you think he'll get us? He's like, all the way to the scene of the crash, man. Yep. This is interesting, because, uh, I ordered a bunch of stuff, and then because I heard people saying they were having problems, I ordered stuff and it came. Someone told me it took two weeks. Someone told me it took a week. Mine took, um, about a week to get, so I don't really know. If 50 days ago, I would kind of take your credit card company. Um, we don't do the fulfillment; the swag store people do. So yeah. Oh, we see. Oh, are you aware of the partial reflection of the monitors in front of you? Yes, I am. Uh, do you have coated lenses, and what focal length do you have?
I have no idea. I just know there's a reflection when I do this, and I don't know. I think that's a consequence of, um, putting glass in front of your face. But it does make me, what's that? You don't want to get contacts and touch your eyeball? No, no contacts. Contacts horrify me. So, uh, add-ons of pfSense, I've covered them. I use the add-ons. Look at my patching. The patching one is probably my favorite: patching and pfBlocker and OpenVPN Client Export. I'll do a new video soon about my favorite tools for pfSense, because those are always fun to talk about. Oh, yeah, Travis wears contacts. Does he? I didn't know that. Yeah. I actually like glasses. I'm not bothered by these in any way. I actually, I'm enjoying how, it's crazy how your things look, was that how clear things look? Well, yeah, I didn't know how hard I was looking at things, um, until I put these on, and I'm like, oh, it just, you know, maybe I didn't need to buy a new laptop. But I did. I went over on my laptop and it helped. That's just, way more, turns out glasses cost less than my laptop. Yeah, but I have an old LED screen on my laptop. So there's that. I was supposed to wear them years ago, but the problem was they made, um, everything smaller, and then with my peripheral vision I'd get busy, because everything here is big, everything here is small, and I'm like, I don't like this. Yeah. Yep, all right. All right, man. Thanks, everyone, for joining, and, uh, hit us up in the forums, easy place to find and contact me if you have questions. I see people DMing me on Twitter. I just got a DM on Twitter and I can't even make sense of it, like I've been tweeting since 38 minutes after the notice was released about 3CX, because I was in the Huntress insiders. So as soon as everything became public, I started tweeting about it yesterday, right? Someone just goes, hey dumb, do you notice that there's a 3CX thing going on?
You might want to do a video about it. Just like, I don't know why people send me things without at least looking at what I'm already tweeting, like you're DMing me but you didn't look at what I already tweeted, and I've tweeted like a lot about it, because I've been sharing a lot of the other security researchers' findings. One of the reasons I do that is, if I tweet everything, I can then just go through and look at what I tweeted to compile the list of links. So I do it to share knowledge. I do it because it's faster than bookmarking everything. I'll just, like, retweet, retweet, retweet, retweet, and then someone DMs me, hey Tom, did you see this? Did you see my Twitter? All right, enough of me ranting about stuff. Later, everyone, have fun, and I'll catch you later, Steve.