Almost on time. I think I'm only two minutes late. I had a good excuse for being late: I was busy dealing with security issues and following up on fun things. So welcome to Vlog Thursday 338: firewalls, securing home labs, tech talk and live Q&A. I actually have no questions that people emailed in to vlogthursday@lawrencesystems.com, so I wanted to talk first about firewalls and something that I'm actively working on. I have not had time to finish; I have all these videos started but no time to finish them, because that happened. I have my pfSense 2.7 video, which I'll start with, and the notes I have on some of these things, because I figure I'll talk about them here in the live stream.

As always, the same thing I say all the time: hey, I'm trying to make this more concise, and that is a challenge for me, because put me on a live stream and apparently I ramble a lot, per the comments people give me. But that's why it's a live stream and generically marked as Q&A. This is not how I do my tutorials. If people only leave questions, I will get more concise.

The first thing I want to point out is that pfSense 2.7 has been released, and I've been running it, and still today, no problem. So that video is uneventful, if you will. Let me share that screen real quick. I talked about it last week, but I have updated more systems to it, and the latest version of pfSense works great. No problems, nothing exploded, nothing melted down while I was doing this. It just works, which is what you kind of want to hear.

But one of the things I realized is there's a lot of confusion, and Netgate could clear this up really easily with this one simple trick. You know, isn't that what everybody says? That's how you get people to click on things. It's the differences in pfSense Plus versus pfSense CE in July of 2023, and hey, why not, since the video is not released. This is the one I have to edit.
I did record this, just not edited it yet, and well, I might have to change something if something's wrong, but I made a comparison chart. Let me throw that comparison chart down below. It's already public, it's on my forums already. These green checkboxes that I put towards the bottom represent everything that's the same; I just did some broad strokes about features of pfSense Plus versus pfSense CE, and these red boxes, these little red X's, represent the few things that are different between the two of them. That's where there's a lot of confusion that people have around this, and I figure it's a good starting point to get things going, because there is just a high number of people that assume pfSense Plus costs money. Now, it costs money to build software, so that's not the philosophical "does it cost money," but does it cost money for you to run it? Does it require extracting money from you to register for it? And that's where it is free for home, it's free for the lab, which means it's free for the home lab, and no, it doesn't cost anything to run pfSense Plus. There's a lot of confusion around that, as I stated, so I've made this simple comparison chart, because hey, why not run the Plus version of it? It has a few extra things like boot environments, and to me that's a big plus for running pfSense Plus, you know, we'll go with that.

But nonetheless, the pfSense Plus version, you know, some people are open source purists, and for those people, and this is where I don't know exactly where to go (I try to be concise in my tutorials, but hey, I can freeform it here), I get it. I'm a big open source advocate, and if you leave it up to me I'd like to say everything should be open source. But I'm also not a project maintainer of a major firewall software.
So this is not my decision to make; it's just my decision to suggest to the community, and to those that may be listening, that we should just have everything open source, and I can state those things from my comfy chair doing a YouTube channel. But nonetheless, I know there are reasons they have for building those couple of extra locked-down features, if you will, in pfSense Plus.

But ultimately, one thing that you have to think about very concisely when it comes to any open source project is who maintains that project. Who is the arbiter of what code goes in and what code doesn't, and who takes the time to build and compile the binaries? Because you're not grabbing the source and building pfSense; you're getting a pre-compiled binary. Do you trust the people producing that binary? In both cases, whether you're going with pfSense CE or pfSense Plus, you are saying "I'm okay with Netgate being the binary producer." That's something you just have to take into consideration with this or any other open source project. It's kind of those little fine lines, but it's more about planting that idea in people's heads so they understand and think about it concisely.

Something I'm also going to try to do here, when you pull up my Vlog Thursday notes, is timestamps, when Tom, if he can remember, looks at how long I'm in and how long I talked about things.
So we're going to put number one: we talked about pfSense firewalls at the 00:00 mark. When I change subjects or answer questions, I'll try to type the notes in there. I had some people do it, but it's hard to find someone who's really going to be dedicated to always wanting to make notes on my vlogs. I'm going to hire someone eventually for it, so reach out to me if you would like to be the note maintainer for Vlog Thursday, if you have the time to deal with Tom's schedule. Or even if not, you can do it in post: you can watch this later at 2x so you get through it in half the time, make some notes of things, and I'll add them to the description so people have timestamps on there.

"That's an AI job." Yeah, I know there's a couple of tools out there, and maybe I've got to look into it. I know I've seen some of them, but some of them are just messy. But I know there are some video summarizers, and if you know a good one, by the way, a good video summarizer that would be able to do this, and you want to send it to vlogthursday@lawrencesystems.com, I would love that. I'm not looking for free; I don't mind a good paid service that will summarize videos, I'm all for it. In the future, pretty soon, DaVinci Resolve actually has some cool features coming up (that's the software I use for video editing) that are going to allow me to do that, and I think that's a cool feature too. That's on the to-do list; Resolve has, in their beta right now, good organization of all the different timestamps.

"Someone willing to timestamp." Yes. Yeah, I'm going to up my game a little bit, because if you didn't know, or it seems like a lot of people did, but if you didn't know, I just merged my company with CNWR, so that's going really well.
We finalized it July 1st, that was the actual day of finalizing agreements, and then we're meshing the companies together, and me and Jason are going to do some business talk videos. By the way, there's already been one video released on the Business Technicality channel, which you can find linked down below, where you just go to that channel and we talk about the whole merger process. Well, there's at least one video on there now; in the future there will be more videos talking about the merger process, because there are still more details and things we need to merge. It's been kind of fun.

"Can you run pfSense on a Raspberry Pi 4?" The answer to that is no. That's not an option; there's not an ARM build publicly available. There are specialized ARM builds for Netgate devices, but there's not a generic ARM build that you can use on a Raspberry Pi. So the answer to that is no.

"Can you speak briefly on the features missing in CE?" Well, if you scroll up just a little bit you will find my forum post, and this is available in my forums under Firewalls. This is where I'm pulling this from, forums.lawrencesystems.com. The features missing from CE that you get in Plus, so the check marks here represent something in Plus, and the X's are not in CE: boot environments, QAT crypto, OpenVPN data channel offload (which is in beta right now), OpenVPN client import, AWS VPN wizard, IPsec Apple profile export, and IPsec export for Windows PowerShell. And that's it. Those are the only ones I'm aware of; if there are any I missed, let me know. I don't know why Netgate doesn't have a chart like this, but when a chart needs to exist, I make a chart. So I made the chart.

And once again, here's some of the confusion. Dan, just to let you know: "Since when was pfSense free for homelab?" It always has been. There's never been a time it wasn't free.
That's where I don't know where the misinformation comes from. I did a video in February of 2022 where I talk about it being free, so I have a new video I'll be releasing tomorrow or tonight, depending on how motivated I am, that once again states it's free. I mean, I'm making a more concise, short video where, hey, it's free guys, and here's the comparison chart, and just making it as simple as possible. It's just one of those things I want to make sure is very clear.

"What is your biggest pet peeve that Netgate refuses to address?" That's a hard one, and I say that's a hard one because there's not anything that particularly bothers me every day about it. I don't look at it and go, oh, I so wish it had this. I mean, I want a dashboard, but I know that's on their "we want to address it" list, it's just not on the "we have addressed it" list yet. But that being said, there is at least one thing that I think is silly, and I'm going to log in to my pfSense 2.7 CE. I think this is silly, tell me why: Reboot and Halt. If I want to stop this or reboot this, why is it under a Diagnostics option rather than System? There you go, I've now given you something that I think we can all agree on. I don't know, it's just a minor complaint. If I want to reboot a system, I look under System, not under Diagnostics. But someone could say you never really need to reboot firewalls, that's kind of a diagnostic procedure, to reboot the firewall, and I wouldn't say you're wrong, because we reboot things for diagnostic reasons. So yes, I can go with that.

"pfBlocker versus Quad9, or can you use both?" I don't really use pfBlocker as much anymore, but it kind of depends. You can use both.
Yes, you can. So I believe you can use both, where you would have your forwarders set up on there, and it should work with pfBlocker on there. I just don't use pfBlocker as much because I run into... well, I use it for sinkholing things; I don't use it for the ad blocking portion. So I should be very specific about what I am or am not using it for. But both are good services.

"Don't move it, I'm used to it." Oh yeah, don't move it because I'm used to it. There's a good reason to keep it: we all know where it is, and we are just so deep into it we would get lost. But you could always put it in both. It's new users who are confused; old users are like, it's in Diagnostics, and you're like, why? I don't know, I just know that it is. I feel like there are some forum posts that maybe explain it better. It's been years since I've complained about that, I mean a lot of years. But you were asking, the pfNonsense menu there, yeah, we can go with that. But yeah, I just don't have a lot of complaints, which I guess is a good thing, right? We don't have a ton of complaints about this, there's not all kinds of things to rip on, it's some pretty basic stuff. But hey, at least we have something to complain about, because what would we be if technicians didn't complain about things? It means everything's just perfect and we can keep developing software and going further and forward.

One of the other topics I want to talk about here, and I'm going to move along, so I don't know how long I'll keep the live stream going, because hey, I've got a lot of stuff going on today. Let's see. So we'll keep on pet peeves, because I'm going to keep the pfSense firewall talk going: "Pet peeve: the DNS Resolver and Forwarder pages."
"They work perfectly fine, but it's not fun adding internal DNS names; it refreshes the window and sends you to the top." Oh, you're talking about like if I went and added a DNS entry here, and if I add something, you don't want it to send you to the top like that. Okay, so yeah, I guess it does send you to the top. I don't know, that part hasn't really... that seems pretty minor.

"Have you heard about Dynfi, the fork of OPNsense, and the Dynfi manager that can manage pfSense?" I don't know that I trust it. So Dynfi, I'm aware of it. They just took OPNsense, and there was a forum post I had seen before in the OPNsense forums, because I saw people discussing it; it was linked, I think, off of Reddit. And Dynfi just kind of took and copied the code and built it. But I don't know enough about Dynfi to say do I trust them. This is the problem I have with any dashboard: do you trust that dashboard to be a good project maintainer, to give it access to your systems? I don't know one way or another if they're good people to trust or not. All they did was fork some of the code. Let me pull it up here. They're a... let me share this tab. "Your cyber security becomes dynamic with Dynfi." Open source firewall, centralized manager, compatible with pfSense, OPNsense, wide range of customized firewalls, the Dynfi firewall. I think it's weird that they just seem to... did they even mention what they did besides fork it? Pro support, training, integration, resources, forums, documentation. Is their firewall... well, I don't read French, or does it have English? Okay, there we go, awesome. So how much different is it? I don't know what they do differently compared to OPNsense. How are they maintaining the code? How do they import the source tree from OPNsense in here? How are they maintaining security patches for it?
These are questions I ask before I will choose the device that separates the outside world and my inside network from each other. I care a lot about that device. This is one of the reasons why I've put a lot of trust in Netgate; Netgate has proved to have a good security track record, to say this is the dividing line and we are very careful what goes into these boxes, the pfSense firewalls, to keep things where they should be. Companies that have done a bad job at this: Fortigate. I've ranted recently about Fortigate, and they're constantly in the news. I have another thread over here in Slack with some friends that work in security, and we were talking about how many Fortigate firewalls are being popped constantly. It is a constant circle of problems, and yes, this is why I'm careful before I choose that very important device that separates the inside and the outside. So just something to consider. I don't know much about the company; I would have to read up on it. I don't know how they do things differently. EU and US, careers, brands and copyright, they're a registered company. Do they have anything about how they do their security auditing? That's just a question. You know, what if we want to submit a bug? Where is... do they have bug reporting? I'm not going to spend all day looking at this, but legal, our partners, what does legal say? Information Dynfi, SaaS, on-prem, general terms and conditions. No. If someone knows this information and wants to email me and save me the trouble, it's vlogthursday@lawrencesystems.com. I wouldn't mind hearing, if someone knows a lot about the product, hey, it would be pretty cool to learn about it and have a better understanding of it. So if you are someone knowledgeable on this topic, then absolutely, I'm all ears. Until then, making notes to say where this is in the vlog. I'll see how long I can keep doing this.

"No security equals no way in deployment." pfSense has got a long track record of being on top of security things over the years. So yeah, that's the... you know, you have this long-standing trust; you've seen the team there address security issues, they've got a track record of doing it. This is something I really want people to think about, especially as someone who deals with security incidents. I live in this real world of stuff gets attacked and I have to deal with the outcomes of it. So that's why I even threw out the other topic here, that's securing home labs, which we'll go to in a moment.

"I'm curious if you can run OPNsense on an ARM SBC." Not to my knowledge, and the reason why is because, to my knowledge, no one's taken the time to recompile it and build a... well, you said single board computer. So as long as it's x86 based... I usually go to like ARM-based single board computers, but if it's not ARM-based, probably, yeah, you can run OPNsense on it. You know, I have one of those ZimaBoards that I'm working on my review for, and the ZimaBoard is an option. OPNsense should work on it; pfSense I know works on it, because I know people have tested it. So running pfSense on like a ZimaBoard, that's an x86 ZimaBoard, yeah, that'll work. I just don't use OPNsense, and I don't plan to.

"You want hardware watchdog and cheaper Netgates." What is hardware watchdog that you're asking about? Someone wrote that, and I don't understand what that means. So what is hardware watchdog? Because I know what watchdog is in pfSense, because there is a watchdog package in pfSense, that you can have watchdog services, but what is hardware watchdog? Maybe I'm missing some context somewhere.

"What is the new company icon?"
cnwr.com, there we go. So that's the company icon for CNWR. Lawrence Systems is separate from CNWR in the sense that this is where the YouTube channel lives; all the IT consulting is on the CNWR site. So if you hire us for consulting, you're hiring CNWR. I say us because I am part of CNWR; I do consulting under that brand now. So that's a clarification for anyone that wants it. I don't know if I did the merger video explaining that; we'll do some Business Technicalities videos diving into more detail on that.

"Anything new with the technology cameras?" I'll get to that in a moment.

"If pfSense and OPNsense did not exist, what would be your next choice?" I don't know. I'm okay with Arista's Untangle; I don't think that's bad. I don't love a lot of the other firewalls I've dealt with. They're all stuff I just deal with; it's not that we can't figure them out, it's not that we can't support them, I just don't have any passion for them. So if they didn't exist, I would just have to reinvent them and figure that out.

"To save someone else frustration and time: when moving to a new pfSense device, edit the saved XML to reflect the device's new NICs before importing it." Yeah, that can help too.

"My latest update to pfSense failed, now unable to retrieve the UI. Any suggestion how to update it? I've tried suggestions and none of them work so far." Grab your XML file and reload it. Whatever breaks, I don't spend a lot of time trying to fix it; I just grab the XML file. Make sure you have a copy of that file to back up the config, load fresh, load the XML, and done.

Okay, you did say ARM. "Hardware watchdog is just a device that generates an NMI (non-maskable interrupt) or hard reset if it doesn't get poked by software every second, to detect a freeze and failure." Okay, is this something exclusive to Netgate?
I mean, I'm familiar with that context, but I'm not understanding what the question is. Do you want something not from Netgate?

"Latest version of pfSense, and also OPNsense, have a bug in the Unbound package. It doesn't work well with Quad9 DoT." Huh. File a bug report.

"Shorewall is the best firewall." Linux, runs on SUSE.

"I just upgraded CE to Plus, seems to use more RAM." I haven't found that at all to be a problem.

"YouTube on TV refuses to load any of my videos." Strange.

"Have you finished TrueNAS on the ZimaBoard?" Finished, no, still working on it.

"Is Snort your recommendation for the best IPS?" Let's dive into that as a topic. There's a couple of things I want to talk about when it comes to securing the home lab, so let's jump over to that. I want to make a little timestamp note: at the 23 minute mark, Tom, home lab security.

Now, this comes up quite a bit when it comes to home lab security and running things. This is where people on the home lab go, Tom, I want easy file sharing, I just want to expose all the things. I'm like, you're doing the opposite of securing things. But let's start with some of the fundamentals and basics. Snort and Suricata, either one are good tools. So is, and we'll pull up Security Onion too, and we're just going to start laying out the tools. The problem is these are tools, not solutions. Now, running Snort or Suricata on your pfSense, awesome. Matter of fact, if you happen to use like a UniFi Dream Machine, under the hood, although they pretty it up, they're using Suricata.
They're using seracada under the hood seracada In snort can use the same and similar feeds to get the data in there They're very advanced tools that are actually built into even many commercial firewalls But they're tools that need a maintainer when you buy a commercial license for a firewall you buy You know insert name of your favorite commercial firewall brand by whichever company They're often running those tools in the background And they're constantly looking for the false positives. They're looking at what can it do Firewalls can only do so much though because most of your traffic is encrypted It's not as easy for them to really assess. Is that an attack or is that just Noise going through the firewall or can we even unravel any of that data? So while they are not a bad product to have for example If you're hosting next cloud and you've exposed your next cloud and it can detect that the Attack coming in is trying to do something that would attack next cloud or a IngenX server an apache server, etc Maybe your IPS would recognize the pattern that they're sending and do something about it But that's not always 100% the case IPS can only do so much It's better than nothing But it's not how a ton of these attacks happen that you can just stop them at the firewall by using an intrusion prevention system Now the intrusion prevention systems though can alert Such as outgoing connections that you can be flagged as suspicious But once again, these are tools that require people to maintain it often what you first learn when you install A IPS system is there's a lot of alerts and people panic first They think they're under attack then they realize they're not then they realize what false positives are and they realize tuning these tools is a regular Challenge it's not something that you just set it and forget it when you buy a subscription to a commercial firewall You're paying a third party in that subscription to do some of the tuning for you To get that working. 
So that's a pretty big aspect to think about when it comes to running these tools. So there's not really one that's just the best, but they're not bad to run.

Now, talking about things like Security Onion, this is where you can really level up your security and do threat hunting. This is awesome because it's open source and free. "Peel back the layers of your enterprise with our newest and most powerful release yet." I'm a huge fan of this project because it is probably the best hands-on learning you will get towards becoming a threat hunter, and doing it on your own network. You can take all the data and integrate many different systems so they all feed into your Security Onion, so you can get good visibility into your network. Now, this works similar to the commercial tools that we use. Where it's dissimilar to the commercial tools we use is it's a higher level of maintenance that you're going to need. It's not going to be as automated. It's not going to do things, because it's passive, like host isolation. For example, the tools we use have the ability to not only see something; we have the ability to have those tools action and trigger to stop events from going any further, based on the parameters we put in. This is what's more manageable from our side, for what we do for our clients. But for you, the homelab people, and I know that's a big audience here, this is awesome, being able to go this deep into it. And if you ever get a job working in the IT industry as a security engineer, having this on your resume, having a deep understanding of how these things work, goes a long way to really understanding the fundamentals of security.

"Is it best to use pfBlocker for securing your network?"
I would say it's better than not using pfBlocker, but you have to be careful, because what people do is they start overblocking their network and they realize they've broken everything and things stop working. So while it's, once again, not a foolproof solution, you can do things like, let's say you're not going to need to access Tor nodes, and we know Tor nodes are frequently used with some of the different attacks that are out there; you could go and use pfBlocker to sinkhole all the Tor nodes. That saves you the trouble, saves you the problem of having Tor nodes accessible, but maybe you want to get on Tor, and now you can't because you've blocked it. So it's good to use it, it's just not going to be a foolproof solution. Each thing, and you know, Security Onion is somewhat peeling back the layers of security, to how exactly they worded it here, "peel back the layers of your enterprise with our newest and most powerful release yet." Security itself is also layers you lay on top. So you're going to have your IDS triggering on certain things, you're going to have your pfBlocker blocking certain things, and on top of that you're also going to want to have your layers in place. So if they get this far, this layer stops them; they get a little further, hopefully there's another layer that stops them; and then they get to a login screen, and hopefully that last layer is two-factor authentication and a really complicated password, better than password123. So each one's a different layer on there.

"Do you have videos and options for firewalls and VPNs?" Yes.

"Other than pfSense firewall and WireGuard VPN, what would a few options be you'd say, off the cuff?" I guess it kind of starts with use case. I've done videos, I've done recent videos about Tailscale and ZeroTier. I've talked about overlay networks versus VPN; if you search my channel for things like overlay networks...
...you're going to see, okay, there's a couple of videos Tom did on these where I break down the different types. I think I have one I titled like "VPN killer or not VPN killer," because that's clicky, and there are people that conflate whether an overlay network is a VPN killer, if you will. I don't really think so.

I don't use Pi-hole. I do use uBlock Origin. I like it because it's browser based, so I'm inside this browser, I have uBlock set up, and if I want I can tell uBlock to block or not block a site. Sometimes it's unfortunate, but I have to use tools, and that tool may be broken by having something like Pi-hole or pfBlocker. So I like having it in a browser. I click it, okay, this site, I know you're tracking me, but that's fine, I need to use this tool to get something done.

"Are any of your customers big enough to benefit from DPU?" I believe that was a name from [unclear], basically a processor on the network card. I think we might have a couple that may benefit from it. Well, we're not part of that; there are some very large enterprises that we do project work for. I have not been the one to set up something like that; I know that their network's big enough to need that, but that's not part of the aspect of what we're setting up for the client. So I haven't used anything commercially.

"Need to hire a team of armed guards around the world who bust into the hackers' den and suppress other threats, as one of my security layers." Tailscale, yes.

"What security measures would you put in place on a kids-only network?" That's a tough one. I've talked about this before, because you have the Cloudflare one; is it called Cloudflare for Families? And they have this as an option. So this is nice, it is, I think, 1.1.1.3. There we go. So if you type in Cloudflare for Families, you'll find a whole write-up on it and the DNS for it.
That's a really simple, low-hanging thing you can do. Blocking stuff for kids is challenging. Supervising as a parent is going to be the more key and important way to do it. There's only so much you can do; you have to be engaged, because it's usually not just some random adult website. The issue of where kids will wander is a more complicated one. Being an engaged parent is some of your best defense for that.

"Have you looked into 6WIND?" Never heard of 6WIND, so no.

Thank you, Tom.

"Are you still using Zorus, or have you found a new content filtering tool?" We're still using Zorus. I like Zorus, it works really well. Which was confusing someone; someone said since I'm using Zorus, am I not using pfSense? There was a comment I got on Reddit that I was just confused by. I said no, I'm using pfSense, and we use Zorus to protect the endpoints. So hopefully that makes things clear.

"Yeah, but the kids' computer is next to yours, so you watch what they're doing." They're being an engaged parent. That's one of the answers I frequently give to people. Turning kids loose blindly, kids are going to be the curious children that they are, and you have to guide them. Your job as a parent sometimes is lending them the cognitive functions and experience that you have, to try to keep them from doing something dumb. Sometimes... wasn't there a game like that on Steam where you just had to keep the baby alive, and people playing it realized that can be challenging? As a parent with several children it can be challenging; the kids want to do other things, you're like, no, no, don't, don't, you know. Especially when they're really little, you're just trying to keep things out of their mouth. But that's off topic.

"You don't need that." Parents' accountability, what are you talking about? "I mean to automate the parent out of parenting." Isn't that what it is about? I haven't found any scripts to do that yet.
There's probably a future with AI that parents for you. I don't know if that's a good or bad future. I didn't invent it, I don't use it. My kids are older, and now I've got grandkids, so now it's another generation doing it. It's harder, I don't know.

"What is your IPS/IDS that you deploy in production that you easily manage?" I'll be doing a video on this soon. Right now, Blumira is what we use for a lot of clients. There's another one that CNWR is using, I believe it's called Stellar Cyber. So I will be talking about Blumira. We're going to do a few interesting things, but we're using them as a product. I have a sponsored video that I'll be doing with them, because they want to sponsor a demo on my channel. I'm also going to bring on... I know the security engineers at Blumira and they're awesome, and one of them did a great talk, and I want to bring that talk. It's not a product talk, it's a talk about security engineering and logging and how to see things. So I want to bring one of their security engineers to do a talk on my channel. That's coming in the future. But the short answer is Blumira, B-L-U-M-I-R-A. I can pull their website up to make it clear, but yeah, this is the company.

"Can you make their logo bigger?" Yeah, Blumira. The people there agree.

"Have you set up a client on IPv6 internally? Pros and cons?" The answer is no, and I don't use IPv6. I don't really have a use case for IPv6. Not everything is IPv6 compatible; it isn't worth the headache.

"Sounds like the military, I keep trying to kill the pilot, finish the job." Let's see.

Yeah, the talk's interesting.
It's about how to get better logging. It's going to be interesting, because we're going to be diving into a lot of Windows stuff, and this is where there's kind of a split, but there's going to be more content around this. I'm going to bring some other people in, maybe people from CNWR, definitely Jason from CNWR, to talk a little bit more about Windows security things. This is not my field of expertise. I am more of a Linux and engineering and whatnot guy, and I'm not someone who is the foremost expert on setting things up in Windows security, but that's where, you know, Jason Slagle is much more of an expert on that as a topic. So yeah, that's something we're going to be covering, and it's something with Blumira. We do monitor and ingest pfSense logs and things like that; they can go into this system. But the bigger and broader thing that we have to watch is that we maintain thousands of Windows computers, and those Windows computers are where the logs really have to end up. We need to know: what are the actions? What are the data points?

Someone here, I'll pull this up real quick: "Linux is way more secure." Yes, Linux is definitely easier to secure. Microsoft is full of holes, and Microsoft picks and chooses which holes they patch and when they patch them. But the reality is I can't just say I'm going to move all my clients to Linux. That's not a practical or reasonable thing. The line-of-business software they have here in 2023 frequently runs on Windows, therefore they run Windows, and because the career path I have chosen of managing all these systems has babysitting Windows computers, that's definitely a big aspect of it.

Uh, have you worked with the Kali SOC-in-a-box architecture?
I have not. It'd be interesting to see how it compares, if I have time in the future, to something like Security Onion. I really like Security Onion, but Kali Linux is definitely awesome as well.

uBlock Origin, Ghostery, Privacy Badger, Malwarebytes Browser Guard: good combo for browsers. I've only used uBlock Origin. I haven't tested the others, but hey, go ahead. I'm fine personally with just using uBlock Origin, but there's definitely more things out there. I'm always careful about what I load in my browser as plugins, because browser plugins have such deep access to things. This is also where I try to exercise the principle of least privilege, giving the least amount of privileges to anything, which also includes browser plugins that could read what's going onto my screen, which may be interesting information. This is where Grammarly (there was some back and forth a while ago, and duly noted) comes in. One of the reasons I don't like running Grammarly in my browser is they do exclude the password box when you're typing, but that is only as long as the place you're typing in marks that box as a password box. When you think about a plugin such as Grammarly, and I know that's on the list here, just think about how plugins work. They interact with what is in your browser window, and think about: can that company send data back? Well, yes. Are they? Not necessarily, but you have to take that into consideration if it is a less popular product. For example, Malwarebytes is a reputable company, so I don't think they're doing it. I've never heard of Ghostery; I have heard of Privacy Badger, so I believe they're probably reputable. But these are the things to take into consideration, and uBlock I've trusted for a while.

Let's see. Besides Graylog, have you used other systems? I've used them. I didn't like them. That's why I chose Graylog. So have I looked at them? Yes.
I found them more complex than Graylog. I found them more confusing than Graylog to work with, so there's a reason I chose Graylog. It turned out to be the one that worked.

End of service for Windows 10? Microsoft has a list for each version and when they expire.

Uh, "Linux is only more secure if the users know the software." Yeah. Yeah.

Would you be willing to do a video on your thoughts on TNSR with their new UI? I didn't know they had a new UI. So, there's a UI for TNSR? I mean, look at this: "Enable the GUI service." This is for the certificates. I haven't looked at it at all, so I didn't know they even had a UI for it. I just haven't really had a reason. I see "GUI" with certificates, but is there actually a GUI in here? Because I thought it was all done from the command line, and based on this it looks like it is. So yeah, I don't see a UI for it. I'm on their site. So if TNSR has a UI, email me at vlogthursday with the UI stuff. I haven't used it, I'm not aware of it, I don't see it in the documentation.

Their tool to disable extensions for... That's neat. I like that they're going forward. I think Firefox is still a good browser, and they're still innovating on things, which I think is awesome.

A video on how Tom sets up his browser? You'd be bored. There's a lack of plugins in my browser. I've got Bitwarden and uBlock Origin. There we go, you've now seen all my browser plugins. That's how Tom sets up his browser.

Moving on to monitoring tools. What time is it? It's 42 minutes in, so if we start at 42:30... Um, do I recommend something other than Netdata? That's false. No, Netdata is open source; their cloud is not. I don't think they're useless without their cloud. You can use Netdata perfectly fine without the cloud interface. I will pull something up real quick here. Let's look at one of my servers. Why not? Because that's what we should do. Whoops.
That is not the server I wanted. Uh, there we go. Log in and we'll pull this up, and we'll show you Netdata without the cloud. Gotta get to the application. There's an update for it; yeah, we'll just run a very, very slightly dated version. There we go. To me, this is useful. I can see the processes, I can see all the things on there. If you wanted to take this data and pipe it somewhere to create alerts or anything like that, you could. I don't think about doing that; I'm generally doing that in my logging system. This is just so I can see all the data. Netdata is a great project; it's open source. So I'm not exactly sure what you're looking for or what you think is missing out of there. Now, the cloud will consolidate all the different nodes into one place. That's definitely a convenient feature, so you don't have to bookmark all your IP addresses. You can create one dashboard, or technically a little HTML and a couple of iframes; you could probably pull them all into one interface yourself if you wanted to.

How does the latest Proxmox compare to the latest XCP-ng? You know, I don't think that there's even... Jay from LearnLinuxTV talked about this, and I didn't really notice anything that was so different, per Jay, that would make me go, "Oh my gosh, I need Proxmox now." I still feel that XCP-ng is a more innovative and more forward-thinking project. So I don't know what they've added that would make me go, "Wow, this is the killer feature." To my knowledge there's not anything I know of, and if someone knows otherwise, my forums or email vlogthursday at lawrencesystems.com to let me know what you think would be the killer feature that they have right now. I'm not aware of any new killer feature that they have. I think they got dark mode; I think someone mentioned that. But I'm not a big Proxmox user.

"Well, Linux is more secure by default, and GNOME requires you to open up remote access and permissions and escalation, rather than doing those things by default like macOS and Windows."
Yeah, a little bit. Um, there's a lot of ways to slice it. They're just very different operating systems, so you're not doing an easy one-to-one comparison of security there, but I generally think Linux is probably going to fall on the more secure side. It all depends on what metric you're trying to measure.

I was looking into Qubes, but NixOS also looks interesting.

Chrome messing with Adblock Plus? Let's see. Uh, I heard they are doing something.

Oh, Netgate made a video on it. Okay, I didn't even know they released a video on it. Interesting. I'll have to look at that. So now I have some to-do lists. I'll watch it after I'm done doing this. I guess we could watch it together. Do we want to have a watch party? Let's pull up Netgate. So, Kay from Netgate: "This brief video introduces you..." I hear TNSR's graphical... "...but we're working to improve the user interface and experience. This video highlights the options that you can pick up." It looks kind of cool. "Instruction cases... firewall... firewall..." Sir, it looks really basic. So let's see. Okay. Okay, this is just a slide they're doing. I see. "These links open in the browser window. It's important to note that every annual..." Yeah, this is okay. It's early release days of this, so there's not a lot to talk about, is my assumption here. Fair enough. So what do I think of it? When it comes available, I will be interested in it.

You should get the Dark Reader extension for dark mode. Yeah.

I mean, usually you want to see one stream of everything. Rather than going... as I said, some HTML and some iframes to fix that. You don't have to go out to a cloud to do that; you can do that internally. Do they have a self-hosted controller that you can centralize all the data to? That's not something I think they're going to be designing.

I saw the newest XCP-ng supports TPM. Uh, with the next release it's going to fully support it.
Yeah, that's TPM support coming.

I like saying Proxmox better than XCP-ng. So that's what I like about Proxmox better than XCP-ng: I like saying Proxmox. I think it's a fun word to say.

Uh, are you going to jump to Debian for your desktop? No, I'm staying with Pop!_OS. They do a great job of it. I just don't care enough to distro hop; Pop!_OS works wonderfully. I actually like where they're going. They're re-engineering some of the desktop things, and I think they do a good job. The polish Pop!_OS puts on the system makes me happy, so I'm going to go ahead and stay with it.

Oh, you guys hear the audio? That's funny, because I didn't. Oh, I've got my volume turned down, probably. I do. All right. No, you guys heard the audio at 2x. I just realized that. Funny. At the end of the day we talk about the salsa day, and then watch party.

"I think another reason Linux is generally more secure is because people using Linux are generally more in tune with managing their OS." Yeah, you don't have the average end user using or even thinking about what their operating system is. That's just not part of their average day. People come to work, they just go, this is a tool, this thing in front of me: keyboard, mouse and screen, and some magic going on under the desk or behind the desk or wherever, is not really their concern, not something they're thinking about. They are making widgets. They are typing about widgets that are made. This is how the end user thinks about things, which is fine. It's not what they're interested in. I have several friends who are really smart engineers, and that's where it ends for them. Like one of my friends is a metallurgy engineer. He really dives deep into the metallurgy that builds pistons and things like that in the automotive space, but he's not a tech guy, a computer guy.
He's a person with a good degree in understanding metallurgy, and this is just some tool he uses. You know, if you ask him if it runs Windows, he doesn't care.

Uh, what do you think of Checkmk? Well, I don't think of it, because I didn't know what it was. Or maybe I do and I didn't know. Checkmk? Never heard of it. So, before you did this, maybe they had an ad sponsor, but looking at this software, it looks popular. It's got big names on it: customers Adobe, Bosch, Continental, Airbus, Swisscom, Vodafone, so it's popular enterprise IT software, based on those names. "Raw edition: free and open source IT monitoring for mid-size infrastructures. Auto-discovery rocks, monitor out of the box." So it looks interesting. I've not used it.

"Moving laptop to Debian 12; display drivers for my dock kicked my butt last night and I gave up." That's one of the problems: if it doesn't have support for all the things I need to work, I can't use it. The feeling may be, hey, Debian is cool and I would like to use it, but if it doesn't support all of my devices, I'm going to have a hard time using it. It comes down to it has to be usable. Pop!_OS works great. I don't have problems with Pop!_OS. I don't have to think about my OS; my fingerprint reader works on my Dell laptop with Pop!_OS.

Uh, favorite flavor of Pocky? Bought some banana Pocky. I would say banana is probably up there. Banana, strawberry, both are good.

"Upgrading my 4x1 gigabit NIC to a 2.5 gig / 10 gig. Router: my internet's slow, so even a one gig port is kind of wasted." It's okay. "The motherboard one gig port for WAN, higher speed NIC..." Wait: "Is it okay to use the motherboard one gig NIC for WAN and the higher speed NIC just for my LAN?"
Yeah, absolutely. If you're not going to have a WAN that's going to exceed one gig, yeah, you don't need to use that as the WAN. The pfSense boxes, for example, or if you're using some other box that you have, it's all reassignable in pfSense. So you may as well, if you're not going to use faster than one gig speeds on your WAN side, point them internally. Take advantage of the speed internally.

David says he uses Checkmk and it's amazing. Is it "check mark"? Is it "check M K"? I'm not sure how they pronounce it, but David says it's amazing. I haven't used it myself.

Yes, we have clients that run it. I don't love it, but it exists. It's popular in the market. It's not my preferred hypervisor; it's not the one I would choose.

If you see popular logos, you know it's expensive? Not necessarily.

Uh, pfSense and HA: where can I see CARP master/slave status in the UI? I don't have one I can log into to show you, but it's in their documentation. I can tell you about where it is. I believe it would be under either the firewall or the interface status. One of those places: go under firewall and you can see the different IPs assigned to CARP in there, or go under Status. But it's in the pfSense documentation.

I don't know which one would be better, Suricata or Zeek. I've not used Zeek enough to give you a comprehensive answer on that.

"Like Tom to do a round of comparison between Debian, Pop!_OS, SUSE Leap, Tumbleweed, Tom's choice, and Arch on a spare laptop; see which is best, if any, worth switching to." You know, I spend most of my time in the browser and using the same tools. So if the same tools get loaded that I use, then it wouldn't make any difference what the underlying OS is. That's why I don't really bother with distro hopping.
There's not enough about it. I mean, the UI is going to be slightly different, but if the UI crashes more on one of them, that would be interesting. There is a bug that sometimes when I have all the windows open, I think it just runs out of video memory because I have so many things open, that it sometimes causes the screen to disappear when you do the expanded switching. But it's not really a bother. I just Alt-Tab; Alt-Tab always works, and I'm mostly using Alt-Tab to do things.

"So I bought a Synology 1522 and almost bought the 10 gig card. I stuck with the one gig and was surprised how fast it is between my System76 and the Pop!_OS system." Yeah.

"More like Zabbix." So, Checkmk, the question was: is Checkmk like Netdata or Zabbix? And David, who says he likes the product, says it's a lot more like Zabbix. I think they have a free version of it. I mean, it says open source, and that's pretty cool. Download now, choose platform. They support... oh, look, they support Debian. They don't have 12 on here: Debian 10, 11. You want the Raw, you want a free trial? Nope. So cool. Networks, applications, database, storage. What exactly do... there's the features of it. "Automate monitoring: add new components with less effort, automatic detection, configuration features such as host lifecycle. Use modern rules. Automate from zero to monitoring in 10 minutes." I like that. I like getting up and running fast. "Scale monitoring performance, modern-day concepts for cloud and on-prem." So, okay, get detailed installation now. This is interesting: NetFlow monitoring. But go back to the... where are we at?
Is this something that may or may not... Let's go over here. Auto-discover, monitor out of the box, open source, auto-detect issues and more. There's probably some missing features in here. So that's where it comes down to: figuring out what those missing features are, compared. There we go: server and network monitoring, application monitoring, log and event monitoring, container monitoring. Kubernetes, interesting. Okay, so they have quite a bit in here. What about... it says NetFlow. Is NetFlow data going to be offered? Oh, it says network monitoring, but it doesn't really say. They say NetFlow data in here, but is NetFlow data actually included with the free version? I don't know.

"Is ESXi free? Can I get it for free to play with on my Dell EMC?" Um, yeah, they still offer the home licenses, I think they do, for VMware, as far as I know. SNMP or agent-based monitoring. ESXi itself is free, except for... yeah, there's different rules and restrictions. You get like a free base version, and yes.

Any more thoughts on Unraid server? I haven't had time to think about it. I'm so behind on getting YouTube videos done. You know it's fun: a bunch of people saying a bunch of things and one person replying to it all.

"The Raw is more than good to us." VMUG, that's the word I was looking for. VMware sells VMUG licenses for like $400 a year. Yes, they do. "Not 200, VMUG is now 400." Yeah, that is a thing now, uh, you know, inflation, price increases, trying to make a bunch more money. We have the internet; let's close the 100 tabs Tom has open and Google the VMUG price. "Join the VMUG Advantage." Oh, I just want to know the price. We'll get the answer out of Google so we don't have to do it. The VMUG subscription is $200 a year for an individual subscription. So it sounds like... is that from their FAQ? Yes, VMware Users Group, $200 a year. So make that bigger. Maybe they charge people from the land down under more money. There's a chance of that. There may be more in Australia. All right.
Well, I think we've wound this down towards the end. Are there any other final questions before I wander off? And I probably got to get a pizza for my son. I know he probably wants to be fed.

What are you currently using for network monitoring? Um, which kind of network monitoring? Our tooling does some of the network monitoring; our UniFi does network monitoring, and at CNWR they also have Auvik for network monitoring. So there's several different ways. It all depends on which network and what level of monitoring and what the contract agreement is. This is actually the fun fact about the merger: we have a lot of different contracts and agreements and all the different things we do for different companies.

"Hey pizza Tom, we'll see you next week." "Really need to sign up for the forums. I got nothing interesting to post here right now." Well, fair enough. The forums, that's a good place to be.

Uh, will we be staying with Ninja with CNWR? Yes. I don't see us moving away from that. Um, there's not really a reason to; we like it, it works. It works for our co-managed clients. So yes.

No, I have not played with Harvester.

Um, I liked fiend for network monitoring, much better than the first one. Yes.

What are you using for cloud backups these days? Uh, Veeam is one of those things. So CNWR uses Veeam for some clients, C2 for certain situations; that works well. And we still have some MSP360, because it's reliable and it's steady, so that works too.

NinjaOne is great. Yeah. No, I'm really happy; we're not unhappy with NinjaOne. So, as a matter of fact, NinjaOne integrates into some of the other tooling at CNWR. So it's not like it's this oddball thing hanging out here. It will integrate and tie into the monitoring, tracking, ticketing, etc. that they have at CNWR. So it's not like we left them out there.
Matter of fact, most all the tooling we use is MSP friendly and will be integrated into CNWR. I'll leave comments if you guys want to learn more about what we're doing on integrations. Maybe me and Jason will kind of go over our tech stack once we get everything put on there.

Uh, have you tried MagnusBox? I haven't had a reason to, because they're just using Comet Backup with some custom code around it. I don't know. I mean, my question with any backup is: how is the security handled? How are they doing their security auditing? Do you understand how their encryption is being done and the tooling around it? And then you can move forward. I don't have many answers. I know, because I've seen they sponsor things in the MSP space, of MagnusBox; I don't know anything about it. I know they're using Comet or some customized version of it, but I don't know all the other details about it. We looked at Comet Backup, and there was the way you use some of the keys in there; we found it kind of... we didn't like the way Comet Backup worked, so we decided not to go with it. That's why we don't use it. I don't know how they've implemented it in MagnusBox; I just know what they're using in the back end.

"I set up Veeam last weekend as agent only; apps having problems with taking multiple backups a day, yet can fake calls for one." Yeah, I don't know, something's not set up right.

Yes, the Ninja team is actually awesome to deal with.

When are you going to release the Xeon board TrueNAS build so I can copy it? I don't have time to figure it out myself. There's really nothing you have to do to copy it; you could just buy one, they work. So it comes down to: will it work for your use case?

Uh, what is the most exotic or fastest network? Um, I don't know how to describe that. There are just some big ones. There's some large networks, there's data center networks being managed. I don't really know that I would describe them as exotic.

Uh, I'm not using Domotz.
No, I don't know if it's someone here.

"We currently use Cove Backup, formerly SolarWinds, and it handles bandwidth situations insanely well compared to all there's a trade. Curious what caused you guys to switch." We were just moving away from all things SolarWinds, and that's why we got rid of them. So the big challenge just came down to, um, the way their billing system was kind of a mess at the time, and I just wanted to be off of SolarWinds. Um, so that's why we got away from it. It worked, though; I gotta admit it worked well. It's funny, because after we separated they spun it off as a separate product, which I think is a good idea, because it was a good product and can stand on its own as a good product. It still had some... it's not bad overall, but it had some quirkiness that we had to deal with once in a while. But overall it's not a bad system.

The problem with Comet, and I don't remember, I'd have to get Eric to join me sometime to talk about this and see if we still have notes, but a year ago one of our problems was the way they handled the API keys, where you had to share them on each system. There was a way you could... it was the way the API keys were handled. We were worried they could be extracted off one system to target another system, and we kind of pointed that out to them, and they're like, oh yeah, we should probably not do it that way. Um, and maybe it's been fixed, but it was something in the way that the API key was handled, and we're like, that shouldn't be this way. One of the things you have to think of for backups is you don't want a compromise of an individual system to cause an upstream problem for other people's systems when it goes to each of the buckets. So when you're managing backups at scale, you have to really take those things into consideration.

Yes, it was SolarWinds, then it was N-able, and now the backups are separate, and it's Cove. So yes.

Uh, my son has no interest in tech.
So no, he's not being trained. I offer it to him all the time. It's not been what he's doing.

"I think you can hide it now, but more importantly, they now support Wasabi immutability." Well, that's cool.

"We decoupled from N-central for similar reasons. I've been integrating with Ninja. I'm not wild about SolarWinds either, always interested in alternatives." Yeah. Yep. Yep.

"Comet, same way: a silent install requires user ID and password on the command line." Yeah, but is that user ID and password unique to each client? Like, can you build a unique one? I don't know. I don't remember; it's been a while, and the product has undoubtedly changed since we looked at it. It was like two years ago now that we looked at it. So, um, but it's not on a roadmap to look at it again. So if you like it and you don't have any concerns about it, I know it's a popular product.

But with that, I'm going to leave you guys. Thank you all for joining. Hit me up in the forums. Email me vlogthursday at lawrencesystems.com if you'd like to help me read some emails or have questions I can answer, and I will see you all next time. Thanks.