  #1  
November 12th, 2004, 08:32 AM
MDLarson
I love my WRX.
Join Date: Feb 2002
Location: Minneapolis, MN
Posts: 1,163
The Grand Project - Suggestions, please!

My dad is planning on opening up a new cat & dog boarding kennel called Stone Mountain Pet Lodge. It will be located in Blaine, MN and will open sometime in mid-2005. It will be one of the nation's premier pet kennels!

We are planning on making it an all-Mac operation, starting with a FileMaker based point-of-sale system using iMac G5s. There will be 4 of them at the front desk. Here's a thread about my POS questions.

Next, we're going to be utilizing around 30 "network IP" cameras throughout the facility and manage the video feeds via SecuritySpy (Mac-only) software, which has awesome 5 star reviews on VersionTracker. I haven't decided on cameras, but I am looking for inexpensive (less than $200) Power over Ethernet (PoE) enabled network cameras. I don't want wireless cameras. I'm thinking the computer that will process and record video will either be a Power Mac G5 or an XServe, but I have yet to investigate exactly what I want to do with that.

The idea with the cameras (besides general surveillance) is that pet owners can pay extra to secure a kennel with a video camera and they will be given a password to access a live web-feed of their pet. I'm sure it can be done, I just don't know exactly what that will look like. (For instance, I think the best way to do this is to secure a static IP address from our ISP and do our own website hosting / video streaming... help on this would be great!)

We need a phone system, and VoIP appears to be the way to go, especially for new construction. 3Com has a new IP telephony device that I will be looking at, with the idea that phones will be plugged into a standard RJ-45 jack that goes back to our central rack server area.

We will have a few offices to fill with computers, and iMac G5s will probably be the ticket. I am also thinking of sticking an AirPort Extreme base station on the ceiling of the lobby area to allow customers to hop on the internet while they hang out. I've read that the ideal location for a wireless access point is on the ceiling, and I think it'd be funny to look up and see the little white UFO blinking away.

And on a final boring note we are planning on getting a copy of QuickBooks 2005 for Mac. I've read some horrible reviews of previous versions of QuickBooks and I'd be keenly interested in Mac QuickBooks users' advice.

*****

So, I plan on updating this thread as we make progress (and secure funding), and I hope to hear from all of you regarding opinions, advice, whatever. It's no Virginia Tech supercomputer, but it's pretty exciting for us!
  #2  
November 12th, 2004, 08:36 AM
MDLarson
My first question would be regarding Power over Ethernet or "Active Network". This is pretty critical for the network camera we are planning on, as each camera would otherwise require an external AC adapter, which would require that we run standard power outlets to EACH camera location. With PoE, we can simply run a Cat5 cable to the camera location and plug a PoE network camera in.

The way this works is with "injectors," or inline power supplies that insert a certain voltage into the Cat5 cable. I want to know if I can simply enable ALL ports on my 48 port switch to carry the voltage, or if this must be done for each individual camera line.
  #3  
November 12th, 2004, 10:00 AM
bobw
The Late: SuperMacMod
Join Date: Mar 2001
Location: Phila,PA
Posts: 8,835
Since you're building from ground up, it wouldn't be too much more work to install power outlets at each camera site. You'll be doing a lot of wiring anyway.
Then you won't have to worry about injectors, power supplies. That would be my choice.
The cameras wouldn't use much amperage, so individual lines/breakers to each camera wouldn't be necessary.
  #4  
November 12th, 2004, 11:17 AM
MDLarson
bobw, the thing I want to avoid is extra cost and extra hassle. I'm not particularly fond of having 30 injectors all strapped to my ethernet switch, but I'm sure even that solution is more cost effective than running 110V power to each site. Not to mention the problem of running ethernet line parallel to power conduits. That doesn't work very swell due to interference.

If I go with a PoE solution, I have a good chance of reducing complexity and increasing flexibility (i.e., running a Cat5 cable wherever a camera needs to go, as opposed to running Cat5 AND power.)

I found a 24 port "midspan" (the picture shows a 48 port - that would be nice) that injects power the way I want it.

I also found an enterprising IT tech who made his own multi-port injector from a patch panel.

I really think PoE is the way to go. Of course there's PowerLine, where you transfer data over standard power wire, but I don't know much about that.
  #5  
November 12th, 2004, 08:50 PM
scruffy
Notorious Olive Counter
Join Date: Dec 2000
Location: Soviet Canuckistan
Posts: 1,726
Sounds like a very interesting project.

I used to work in tech support for Intuit - on Quicktax, not Quickbooks, but I think I got a bit of an overall impression. I wish I could recommend that you use their software on a Mac, but I just can't - at least for Quicktax, the whole Mac product was very much an afterthought - not the sort of product I would trust my finances to at all.

From a security perspective, I would suggest you segregate the different functions as much as possible - don't put VoIP devices on the same networks as desktops - the networks might share the same internet connection, but put them on different firewall interfaces, and don't let anything cross between those two networks. You don't control that equipment, and manufacturers of "not really a computer"-type network devices tend to have very questionable security records.

Think very carefully about wireless - it can be one of the biggest security headaches if it's done wrong, and it can be a lot of overhead to do it right. If you do decide to go with wireless, definitely put it on a different firewall interface from any business related systems, and consider any traffic coming from it as being as potentially unfriendly as stuff from the internet at large.

Speaking of firewalls, I'd recommend looking to something other than a Mac for that job. The OS X kernel firewall is decent as a host firewall, which you'll probably want to turn on on your internal hosts, but it's not really up to the job of being a business's gateway firewall.

I'm learning about Cisco PIX firewalls just at the moment, so of course I'm all excited about those, but they do cost a pretty penny. Netfilter, the Linux kernel firewall, is really quite good also; you might simply want to go with a very minimal Linux install, with however many interfaces you need.

There is an open source GUI called firewall builder http://www.fwbuilder.org/ that will run on OS X, Linux, and Windows (Windows and OS X binaries cost a little, if you don't want to be bothered with X11 and fink), and will generate firewall scripts for Linux, FreeBSD, OS X, OpenBSD and PIX firewalls. It has some nice features like revision control and such... Might be something to look into to make your life a bit easier.
__________________

What is the robbing of a bank compared to the founding of a bank?
-- Bertolt Brecht

Last edited by scruffy; November 12th, 2004 at 08:55 PM.
  #6  
November 13th, 2004, 02:21 PM
scruffy
Correction to the above

OS X native binary is 50 bucks if you don't care to compile it yourself. Whether you go from source, or spring for the binary, it'll do firewall rulesets for Linux, OpenBSD, FreeBSD, OS X, and Solaris.

The PIX firewall rule generating module is 500 bucks, which includes a license for the Mac binary - so, not so cheap anymore. But if you were going to buy a PIX anyway, maybe not really all that terrible...
  #7  
November 13th, 2004, 03:09 PM
MDLarson
Eh? Security? I know nothing about firewalls, except that the Windows XP SP2 installed one by default and turned everything off and made life miserable for me for a short time.

Are we talking about a separate Linux-based PC that sits between our internet connection and our ethernet switch? I've never worked with Linux or anything like that.

As far as the wireless hotspot goes, I knew I had to limit access only to the internet, but again, I'm not very familiar with security issues.

I am hoping that QuickBooks Pro 2005 is OK. I found this table that details the improvements this time around, and as far as I can tell it solves QB Pro 6 users' complaints.
  #8  
November 13th, 2004, 06:48 PM
scruffy
Yes, you'd want a dedicated firewall - a system that does nothing except be a firewall, sitting between your internet connection, and your internal network or networks. And, I would recommend that you have several internal networks - one for desktops; one for VoIP devices; if you're running publicly accessible servers, one for them; if you go with wireless, strongly consider a separate network for that. Depending on what you eventually decide to do with the cameras - internal security feeds only vs. owners getting to check on their pets, etc. - you might want to put them on your internal network, or on your public server network, or maybe yet another separate one. Depends on your needs, right?

There are some issues with using different vlans on the same switch for segregating networks - google for "vlan hopping" - it depends very much on the make of your switch how grave that might be. Probably the most comprehensive security vulnerability database is bugtraq (http://www.securityfocus.com/bid); you might want to check for known vulnerabilities on your switch before buying, or at least when considering how to lay out the network - i.e. how much faith to put into the switch's ability to segregate networks via vlans.

Whatever you do, don't put your internet connection onto a vlan on the ethernet switch that also houses internal networks.

The balance between how much time you want to spend configuring the thing, vs how much money you're willing to put into it, gives you different options.

For a relatively large investment of time and little money, you could go with a PC running Linux, OpenBSD, or a similar free OS, with 2-5 network cards to segregate the different networks. I'd recommend Linux, since the Linux firewall deals rather better with multi-port protocols like ftp.
Since it wouldn't be a desktop, it wouldn't need to have anything interesting in the way of a graphics card; you probably wouldn't even want to install X windows at all.

For more money and less time, you could get an 'appliance' type firewall, from Cisco or a similar vendor. Basically that's just a computer that's optimized for the job of being a firewall - very minimal OS, fast networking hardware, no graphics or anything unnecessary. Some of those use free OSes, others use proprietary ones (the Cisco boxes run a proprietary OS).

Last edited by scruffy; November 13th, 2004 at 06:59 PM.
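
The segregation scruffy describes in posts #5 and #8, sketched as an added example (not part of the thread or any poster's own configuration): a shell script that prints a Netfilter ruleset in iptables-restore format with one interface per network, then checks that no rule lets one internal network reach another. The interface names, the web server address 10.0.3.10 and port 80 are assumptions.

```shell
# Added example, not from the thread. Interface names, the web server
# address and its port are assumptions for illustration.
WAN=eth0                      # internet uplink
DMZ=eth3                      # public servers (camera web feed)
ZONES="eth1 eth2 eth3 eth4"   # desktops, VoIP, public servers, guest wireless
WEB_IP=10.0.3.10              # constructed address of the web server
WEB_PORT=80

# Print the ruleset: default deny, every zone may reach the internet, the
# internet may reach only the web server, zones never talk to each other.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    for z in $ZONES; do echo "-A FORWARD -i $z -o $WAN -j ACCEPT"; done
    cat <<EOF
-A FORWARD -i $WAN -o $DMZ -p tcp -d $WEB_IP --dport $WEB_PORT -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN -p tcp --dport $WEB_PORT -j DNAT --to-destination $WEB_IP
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
EOF
}

# Read a ruleset on stdin and count FORWARD ACCEPT rules (other than the
# established-traffic rule) that name no WAN interface, i.e. cross-zone holes.
cross_zone_accepts() {
    awk -v wan="$WAN" '
        $1 == "-A" && $2 == "FORWARD" && /-j ACCEPT/ && !/--ctstate ESTABLISHED/ {
            in_if = ""; out_if = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-i") in_if = $(i + 1)
                if ($i == "-o") out_if = $(i + 1)
            }
            if (in_if != wan && out_if != wan) n++
        }
        END { print n + 0 }'
}
gen_ruleset
echo "cross-zone ACCEPT rules: $(gen_ruleset | cross_zone_accepts)" >&2
```

The printed ruleset can be reviewed and then loaded with `iptables-restore` on the firewall host; the same audit function can be run over a hand-edited ruleset before loading it.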