# The Grand Project - Suggestions, please!



## MDLarson (Nov 12, 2004)

My dad is planning on opening up a new cat & dog boarding kennel called Stone Mountain Pet Lodge.  It will be located in Blaine, MN and will open sometime in mid-2005.  It will be one of the nation's premier pet kennels!

We are planning on making it an all-Mac operation, starting with a FileMaker based point-of-sale system using iMac G5s.  There will be 4 of them at the front desk.  Here's a thread about my POS questions.

Next, we're going to be utilizing around 30 "network IP" cameras throughout the facility and manage the video feeds via SecuritySpy (Mac-only) software, which has awesome 5 star reviews on VersionTracker.  I haven't decided on cameras, but I am looking for inexpensive (less than $200) Power over Ethernet (PoE) enabled network cameras.  I don't want wireless cameras.  I'm thinking the computer that will process and record video will either be a Power Mac G5 or an XServe, but I have yet to investigate exactly what I want to do with that.

The idea with the cameras (besides general surveillance) is that pet owners can pay extra to secure a kennel with a video camera and they will be given a password to access a live web-feed of their pet.  I'm sure it can be done, I just don't know exactly what that will look like.  (For instance, I *think* the best way to do this is to secure a static IP address from our ISP and do our own website hosting / video streaming... help on this would be great!)

We need a phone system, and VoIP appears to be the way to go, especially for new construction.  3Com has a new IP telephony device that I will be looking at, with the idea that phones will be plugged into a standard RJ-45 jack that goes back to our central rack server area.

We will have a few offices to fill with computers, and iMac G5s will probably be the ticket.  I am also thinking of sticking an AirPort Extreme base station on the ceiling of the lobby area to allow customers to hop on the internet while they hang out.  I've read that the ideal location for a wireless access point is on the ceiling, and I think it'd be funny to look up and see the little white UFO blinking away.  

And on a final boring note we are planning on getting a copy of QuickBooks 2005 for Mac.  I've read some horrible reviews of previous versions of QuickBooks and I'd be keenly interested in Mac QuickBooks users' advice.

*****

So, I plan on updating this thread as we make progress (and secure funding), and I hope to hear from all of you regarding opinions, advice, whatever.  It's no Virginia Tech supercomputer, but it's pretty exciting for us!


----------



## MDLarson (Nov 12, 2004)

My first question would be regarding Power over Ethernet or "Active Network".  This is pretty critical for the network camera we are planning on, as each camera would otherwise require an external AC adapter, which would require that we run standard power outlets to EACH camera location.  With PoE, we can simply run a Cat5 cable to the camera location and plug a PoE network camera in.

The way this works is with "injectors," or inline power supplies that insert a certain voltage into the Cat5 cable.  I want to know if I can simply enable ALL ports on my 48 port switch to carry the voltage, or if this must be done for each individual camera line.


----------



## bobw (Nov 12, 2004)

Since you're building from ground up, it wouldn't be too much more work to install power outlets at each camera site. You'll be doing a lot of wiring anyway.
Then you won't have to worry about injectors, power supplies. That would be my choice.
The cameras wouldn't use much amperage, so individual lines/breakers to each camera wouldn't be necessary.


----------



## MDLarson (Nov 12, 2004)

bobw, the thing I want to avoid is extra cost and extra hassle.  I'm not particularly fond of having 30 injectors all strapped to my ethernet switch, but I'm sure even that solution is more cost effective than running 110V power to each site.  Not to mention the problem of running ethernet line parallel to power conduits.  That doesn't work very swell due to interference.

If I go with a PoE solution, I have a good chance of reducing complexity and increasing flexibility (i.e., running a Cat5 cable wherever a camera needs to go, as opposed to running Cat5 AND power.)

I found a 24 port "midspan" (the picture shows a 48 port - that would be nice) that injects power the way I want it.

I also found an enterprising IT tech who made his own multi-port injector from a patch panel.

I really think PoE is the way to go.  Of course there's PowerLine, where you transfer data over standard power wire, but I don't know much about that.


----------



## scruffy (Nov 12, 2004)

Sounds like a very interesting project.

I used to work in tech support for Intuit - on Quicktax, not Quickbooks, but I think I got a bit of an overall impression.  I wish I could recommend that you use their software on a Mac, but I just can't - at least for Quicktax, the whole Mac product was very much an afterthought - not the sort of product I would trust my finances to at all.

From a security perspective, I would suggest you segregate the different functions as much as possible - don't put VoIP devices on the same networks as desktops - the networks might share the same internet connection, but put them on different firewall interfaces, and don't let anything cross between those two networks.  You don't control that equipment, and manufacturers of "not really a computer"-type network devices tend to have very questionable security records.

Think very carefully about wireless - it can be one of the biggest security headaches if it's done wrong, and it can be a lot of overhead to do it right.  If you do decide to go with wireless, definitely put it on a different firewall interface from any business related systems, and consider any traffic coming from it as being as potentially unfriendly as stuff from the internet at large.

Speaking of firewalls, I'd recommend looking to something other than a Mac for that job.  The OS X kernel firewall is decent as a host firewall, which you'll probably want to turn on on your internal hosts, but it's not really up to the job of being a business's gateway firewall.

I'm learning about Cisco PIX firewalls just at the moment, so of course I'm all excited about those, but they do cost a pretty penny.  Netfilter, the Linux kernel firewall, is really quite good also; you might simply want to go with a very minimal Linux install, with however many interfaces you need.

There is an open source GUI called firewall builder http://www.fwbuilder.org/ that will run on OS X, Linux, and Windows (Windows and OS X binaries cost a little, if you don't want to be bothered with X11 and fink), and will generate firewall scripts for Linux, FreeBSD, OS X, OpenBSD and PIX firewalls.  It has some nice features like revision control and such...  Might be something to look into to make your life a bit easier.


----------



## scruffy (Nov 13, 2004)

Correction to the above:

The OS X native binary is 50 bucks if you don't care to compile it yourself.  Whether you go from source, or spring for the binary, it'll do firewall rulesets for Linux, OpenBSD, FreeBSD, OS X, and Solaris.

The PIX firewall rule generating module is 500 bucks, which includes a license for the Mac binary - so, not so cheap anymore.  But if you were going to buy a PIX anyway, maybe not really all that terrible...


----------



## MDLarson (Nov 13, 2004)

Eh?  Security?  I know nothing about firewalls, except that the Windows XP SP2 installed one by default and turned everything off and made life miserable for me for a short time.

Are we talking about a separate linux based PC that sits between our internet connection and our ethernet switch?  I've never worked with Linux or anything like that.

As far as the wireless hotspot goes, I knew I had to limit access only to the internet, but again, I'm not very familiar with security issues.

I am hoping that QuickBooks Pro 2005 is OK.  I found this table that details the improvements this time around, and as far as I can tell it solves QB Pro 6 users' complaints.


----------



## scruffy (Nov 13, 2004)

Yes, you'd want a dedicated firewall - a system that does nothing except be a firewall, sitting between your internet connection, and your internal network or networks.  And, I would recommend that you have several internal networks - one for desktops; one for VoIP devices; if you're running publicly accessible servers, one for them; if you go with wireless, strongly consider a separate network for that.  Depending on what you eventually decide to do with the cameras - internal security feeds only vs. owners getting to check on their pets, etc. - you might want to put them on your internal network, or on your public server network, or maybe yet another separate one.  Depends on your needs, right?

There are some issues with using different vlans on the same switch for segregating networks - google for "vlan hopping" - it depends very much on the make of your switch how grave that might be.  Probably the most comprehensive security vulnerability database is bugtraq (http://www.securityfocus.com/bid); you might want to check for known vulnerabilities on your switch before buying, or at least when considering how to lay out the network - i.e. how much faith to put into the switch's ability to segregate networks via vlans.

Whatever you do, don't put your internet connection onto a vlan on the ethernet switch that also houses internal networks.  

The balance between how much time you want to spend configuring the thing, vs how much money you're willing to put into it, gives you different options.

For a relatively large investment of time and little money, you could go with a PC running Linux, OpenBSD, or a similar free OS, with 2-5 network cards to segregate the different networks.  I'd recommend Linux, since the Linux firewall deals rather better with multi-port protocols like ftp.  
Since it wouldn't be a desktop, it wouldn't need to have anything interesting in the way of a graphics card; you probably wouldn't even want to install X windows at all.

For more money and less time, you could get an 'appliance' type firewall, from Cisco or a similar vendor.   Basically that's just a computer that's optimized for the job of being a firewall - very minimal OS, fast networking hardware, no graphics or anything unnecessary.  Some of those use free OSes, others use proprietary ones (the Cisco boxes run a proprietary OS).
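The "vlan hopping" scruffy tells MDLarson to google for is, in its classic form, 802.1Q double tagging: a host on the trunk's native VLAN sends a frame carrying two VLAN tags, the first switch strips the outer (native) tag before putting the frame on the trunk, and the second switch reads the surviving inner tag and delivers the frame into a VLAN the sender was never supposed to reach. The simulation below is an added example, not code from this thread or from any switch vendor; the MAC addresses, VLAN ids and the simplified access-port and trunk behaviour it models are assumptions for illustration. It builds a real 802.1Q double-tagged frame with `struct`, runs it through a two-switch model, and shows that moving the trunk's native VLAN to an unused id (the usual mitigation, alongside not using VLAN 1 for user ports and tagging the native VLAN on trunks) keeps the frame in the attacker's own VLAN.

```python
"""Double-tagging (VLAN hopping) simulation.

Added example for the forum thread, not from the thread itself.  It builds an
802.1Q double-tagged Ethernet frame and pushes it through a two-switch model
to show why an attacker on a trunk's native VLAN can inject frames into another
VLAN, and why a trunk native VLAN that no host sits on defeats the trick.
MAC addresses, VLAN ids and the switch behaviour are assumptions.
"""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, vlans, payload, ethertype=ETHERTYPE_IPV4):
    """Ethernet frame with one 802.1Q tag per VLAN id, outermost first."""
    hdr = dst + src
    for vid in vlans:
        # TPID 0x8100 followed by TCI; PCP/DEI left at zero, VID in the low 12 bits.
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [vlan ids outermost first], ethertype, payload)."""
    dst, src, off, vlans = frame[:6], frame[6:12], 12, []
    while struct.unpack_from("!H", frame, off)[0] == ETHERTYPE_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vlans.append(tci & 0x0FFF)
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return dst, src, vlans, ethertype, frame[off + 2:]


def access_port_ingress(frame, access_vlan):
    """Attacker's access port on switch A.  Untagged frames join access_vlan;
    a tag equal to access_vlan is tolerated (assumed, and common); any other
    outer tag is dropped (returns None)."""
    dst, src, vlans, ethertype, payload = parse_frame(frame)
    if not vlans:
        return build_frame(dst, src, [access_vlan], payload, ethertype)
    return frame if vlans[0] == access_vlan else None


def trunk_egress(frame, native_vlan):
    """Switch A forwards onto the trunk.  Frames in the native VLAN go out
    untagged, i.e. the outer tag is stripped; whatever sits under it survives."""
    dst, src, vlans, ethertype, payload = parse_frame(frame)
    if vlans and vlans[0] == native_vlan:
        return build_frame(dst, src, vlans[1:], payload, ethertype)
    return frame


def trunk_ingress_vlan(frame, native_vlan):
    """Switch B classifies a frame arriving on the trunk."""
    _, _, vlans, _, _ = parse_frame(frame)
    return vlans[0] if vlans else native_vlan


def delivered_vlan(attacker_vlan, target_vlan, trunk_native_vlan):
    """VLAN in which switch B delivers the attacker's double-tagged frame,
    or None if switch A's access port dropped it."""
    frame = build_frame(b"\xff" * 6,                      # broadcast destination
                        b"\x00\x11\x22\x33\x44\x55",      # constructed attacker MAC
                        [attacker_vlan, target_vlan],     # outer tag, inner tag
                        b"constructed payload")
    frame = access_port_ingress(frame, attacker_vlan)
    if frame is None:
        return None
    frame = trunk_egress(frame, trunk_native_vlan)
    return trunk_ingress_vlan(frame, trunk_native_vlan)


if __name__ == "__main__":
    # Factory defaults: attacker on VLAN 1, trunk native VLAN 1 -> lands in VLAN 20.
    print("native VLAN 1  :", delivered_vlan(1, 20, 1))
    # Hardened: trunk native VLAN moved to an unused id -> stays in VLAN 1.
    print("native VLAN 999:", delivered_vlan(1, 20, 999))
```

The hop only works in one direction: the target VLAN's reply has no matching path back, so the technique is useful for injection (spoofed ARP, a UDP packet at a service) rather than for a full conversation, which is still plenty to worry about on a flat switch. The model also shows why the advice in the post holds: whether the frame survives the access port at all depends on how a given switch treats tagged frames on access ports, which is exactly the "depends on the make of your switch" caveat.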


----------



## onegoodpenguin (Nov 17, 2004)

sounds like you might be playing with enough money to justify a powered switch.  check out the cisco 3750 (if my memory serves me correctly), which i believe is a 24-port model.  the vlan suggestion was a good one--in my opinion they are necessary in that type of environment.


----------



## MDLarson (Nov 18, 2004)

This is proving to be stressful on my brain, but I'm glad I'm doing it now, several months ahead of actual implementation!

I Googled for vlan hopping and found this page describing lots of neat info that I'm not too familiar with.  I will read into it more.

However, I think I have spec'd out a solution that will ease security concerns, namely buying multiple switches and keeping the networks segregated.  I have to do that anyway since I can't find a PoE switch over 24 ports.  So, each switch would be acting as a DHCP server?  I could have 3 networks:
Network 1:  10.1.0.XXX
Network 2:  10.2.0.XXX
Network 3:  10.3.0.XXX (if we were to buy another 24 port PoE switch, 3Com says you can stack them into a virtual switch or something)

I put together a network diagram with what I think is going on.  Tell me what's wrong and where, and anything else you want to tell me.  

The XServe is a guess.  I want to run our own webserver (is this a bad idea?) and FileMaker Server.  Also, I'm wondering about VPN access; what should I do for that?

p.s.  penguin, I have spec'd out a 3Com 24 port powered switch.  I'll take a look at the Cisco one though.
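To make the segmentation scruffy describes concrete (desktops, VoIP devices and wireless guests on separate firewall interfaces, nothing crossing between them, wireless treated as no friendlier than the internet, and a separate network for anything publicly reachable such as the owners' camera feed), here is an added example that is not from this thread or from any of the products mentioned. It uses the three 10.x.0.0/24 networks MDLarson proposes, plus an assumed 10.4.0.0/24 for public servers; the interface names, the allowed ports and the nftables rendering are assumptions for illustration. The policy is kept as data, so the same table both answers "would this connection be forwarded?" and renders to a default-deny nftables forward chain of the kind a minimal Linux gateway would load.

```python
"""Zone-based forwarding policy for a multi-interface gateway firewall.

Added example, not code from the thread.  Subnets 10.1/10.2/10.3.0.0/24 are the
ones MDLarson proposed; 10.4.0.0/24, the interface names, the ports and the
nftables output format are assumptions for illustration.
"""
import ipaddress

# Zone name -> (gateway interface, subnet).  Each zone is its own interface, so
# the firewall, not a VLAN on a shared switch, is what separates them.
ZONES = {
    "desktops": ("eth1", ipaddress.ip_network("10.1.0.0/24")),
    "voip":     ("eth2", ipaddress.ip_network("10.2.0.0/24")),
    "wireless": ("eth3", ipaddress.ip_network("10.3.0.0/24")),
    "public":   ("eth4", ipaddress.ip_network("10.4.0.0/24")),   # assumed
}
WAN = "internet"           # anything whose address is in none of the zones
WAN_IFACE = "eth0"         # assumed interface facing the modem/router

# Allow rules for NEW connections: (from zone, to zone, protocol, dst port or
# None for any).  Anything not listed is dropped, so wireless -> desktops,
# voip -> desktops and internet -> desktops are all denied without a rule.
ALLOW = [
    ("desktops", WAN,      "tcp", None),   # browsing, mail, updates
    ("desktops", WAN,      "udp", None),   # DNS and friends
    ("desktops", "public", "tcp", 443),    # staff reach the web server like anyone
    ("voip",     WAN,      "udp", None),   # SIP signalling and RTP media to the provider
    ("wireless", WAN,      "tcp", None),   # guests: internet only
    ("wireless", WAN,      "udp", None),
    (WAN,        "public", "tcp", 443),    # owners' camera feed, HTTPS only
]


def zone_of(ip):
    """Map an address to its zone; anything outside the zones is the internet."""
    addr = ipaddress.ip_address(ip)
    for name, (_, net) in ZONES.items():
        if addr in net:
            return name
    return WAN


def decide(src_ip, dst_ip, proto, dport):
    """Return 'accept' or 'drop' for a new connection crossing the firewall.
    Traffic inside one zone never reaches the firewall; it falls through to
    'drop' here simply because no rule names the same zone twice."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for from_zone, to_zone, rule_proto, rule_port in ALLOW:
        if (from_zone, to_zone, rule_proto) == (src, dst, proto) and \
                (rule_port is None or rule_port == dport):
            return "accept"
    return "drop"


def render_nft():
    """Render the same policy as a stateful, default-drop nftables forward chain."""
    iface = {zone: dev for zone, (dev, _) in ZONES.items()}
    iface[WAN] = WAN_IFACE
    lines = [
        "table inet gateway {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",   # replies ride on conntrack
        "    ct state invalid drop",
    ]
    for from_zone, to_zone, proto, port in ALLOW:
        match = f"{proto} dport {port}" if port is not None else f"meta l4proto {proto}"
        lines.append(f'    iifname "{iface[from_zone]}" oifname "{iface[to_zone]}" {match} accept')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    checks = [
        ("10.1.0.10", "198.51.100.7", "tcp", 443),   # desktop -> internet
        ("10.3.0.5", "10.1.0.10", "tcp", 445),       # guest wifi -> desktop file share
        ("10.2.0.7", "10.1.0.10", "udp", 5060),      # VoIP phone -> desktop
        ("203.0.113.9", "10.4.0.2", "tcp", 443),     # pet owner -> camera web feed
        ("203.0.113.9", "10.4.0.2", "tcp", 22),      # internet -> ssh on web server
    ]
    for src, dst, proto, port in checks:
        print(f"{zone_of(src):9} -> {zone_of(dst):9} {proto}/{port}: {decide(src, dst, proto, port)}")
    print(render_nft())
```

The two things worth noticing are that the policy never needs a rule to block wireless or VoIP from the desktops (default deny does that; you only ever write down what is permitted) and that the `established,related` line is what lets replies come back without opening the internal networks to the internet. A real deployment would add NAT for the private ranges, DNS and DHCP per zone, and a rate limit or allowlist on the public server's port 443, none of which changes the shape of this table.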


----------



## MDLarson (Nov 18, 2004)

An update on the Point of Sale situation:  I looked at a FileMaker 6 based solution called Shopkeeper distributed by POSDirect, and it didn't look too good, interface-wise.

Further searching brought me to a FileMaker 7 based solution called PayGo POS by Christian James.

And sadly, QuickBooks Point of Sale 4.0 is still in the running for a Windows based system.  I DON'T WANT TO USE WINDOWS!!!!!

We are going to get a live demo of the PayGo stuff Monday morning so we'll see how that goes.


----------



## fryke (Nov 18, 2004)

About the firewall: I'd get a hardware solution, not a computer in need of software support. There's nothing worse than a firewall which would finally act as a main door into your local network. And that's exactly what would happen if that linux server would ever be hacked. Suddenly, a strange user would have access to your other computers as a user of your _local_ network. Get a contractor to install and setup a dedicated firewall.


----------



## MDLarson (Nov 19, 2004)

onegoodpenguin said:

> sounds like you might be playing with enough money to justify a powered switch.  check out the cisco 3750 (if my memory serves me correctly), which i believe is a 24-port model.  the vlan suggestion was a good one--in my opinion they are necessary in that type of environment.


I did a MacMall.com search for Cisco 3750 and it returned 20 results, ranging from $710 to $10,759...  I think the one that we'd get out of that list would be the "Catalyst 3750 24PS 24 10/100 + 2 SFP Standard POE Switch", but that goes for $3,300, *twice* the price of the 3Com switch I have currently spec'd out.  The only obvious difference between the two (that I can see) is the two "SFP" ports.  Are these the uplink ports used for hooking switches together?

I realize the 24-port powered switches I have spec'd out do not have uplink ports on them.  Should they have them?  How am I going to connect my switches together?  (Keeping in mind the security of keeping networks separate...)


----------



## onegoodpenguin (Nov 19, 2004)

yeah, you definitely pay a premium for cisco equipment.  but yeah, you use crossover cables when you don't have 'uplink' ports.


----------



## MDLarson (Nov 19, 2004)

Well, this is all well and good and I think I'm learning the basics of "enterprise" networking...  But I need to know what to buy!   

The appliance firewall thing looks like it's pretty much plug-n-play, but I have no idea how to configure it or what to look for in buying one.  They appear to range from $500 to several thousand bucks.  Can somebody recommend a relatively inexpensive rack-mountable firewall?  And here's another question:  why can't my cable / DSL modem handle the firewall functionality by itself?  Is the security not as strong as a dedicated piece of equipment?

I am starting to think that we will definitely need a dedicated server for FileMaker Server, general file serving and stuff like that.  I would like to know if I am being realistic in my plans for doing some or all of our own website hosting.  (The max. upload speed from Comcast, our would-be local cable provider, is 384 kbps.  I doubt this is "industrial strength" by any means, but it might suffice...)

I sort of feel like I'm asking people to do the research for me, but I mostly want reassurance that I'm making good decisions.


----------



## onegoodpenguin (Nov 19, 2004)

you mentioned earlier that you want to have remotely accessible video feeds for pet owners who wish to view the kennels... well, low-speed consumer broadband won't scale very well to meet that demand.  take a look at business DSL services if you're frightened by the cost of a T1 subscription.  you can probably get 1.5 d/u for around 100 bucks a month.

as for appliance firewalls, i didn't really agree with the criteria for selecting one over a linux box.  find a buddy who's knowledgeable in that area (or better yet, get your hands dirty), and throw him a 2 year-old PC and a few hundred bucks to make it work.  in my opinion, that's a better value than any black box will get you, and you'll end up with a machine that could have additional functions.  you can get a used Dell PowerEdge server on ebay for surprisingly cheap (we're talking 4-processor Pentium systems for a few hundred dollars), throw some hard drives in there, and run 10 different services on that box.  and if you're concerned that you're going against wanting to be a mac-only facility, look at it like this: a dedicated appliance isn't a mac either.

i just scrolled up and noticed that another seemingly-knowledgeable person responded with a linux suggestion as well.  i'd give it some thought...


----------



## MDLarson (Mar 1, 2005)

Ahh... progress.  Groundbreaking was last week!

*Internet*
I'm thinking T1 is definitely the way to go.  Stupid phone companies won't give out phone quotes... they always want to come in and meet face to face to push a contract, so I'll have to deal with that.

*VPN Stuff*
The latest issue I'm trying to work out is a VPN connection.  I understand that most (if not all?) VPN *clients* are free, but the servers are either hardware based or run on Windows or Linux.  Mac OS X Server 10.3 appears to have a VPN server built-in, so that would be nice.

I don't think I can justify an XServe quite yet, so what can I do in the meantime?  We already have two locations we want linked together, so should I just find some VPN server software to run on Windows?  Do I need servers at both locations to have the freedom to tap into each network from each location?  Can FileMaker Server run on a VPN network?

*Card printing*
I'm getting closer to getting my hands on a card printer.  Apparently there's only one card printer that works with the Mac on the market today, and even then it's a limited, stripped down version with only the driver available (no special stand-alone software to run with it).  It's called the Pebble, made by Evolis.  I'm pretty sure it will work for what I'm planning - but I'm wondering if anybody has made a solution in FileMaker or has experience with the printer.  One of my goals is to use an iSight mounted on a SightFlex for direct input into FileMaker (somehow!), and then with the push of a button, print it out to the card printer for an instant "Pet ID".

If I'm getting anybody's brain going for ideas, I'd love to hear them.  And of course, here's the website if you want to check us out!


----------



## scruffy (Mar 2, 2005)

A bit more on the firewall question - Your firewall will need to be kept up to date no matter what.  The "appliances" are just computers that you're not meant to tamper with.  Some use custom configured versions of standard OSes like Linux or FreeBSD; others use entirely proprietary OSes, like the PIX firewalls from Cisco.

Many firewalls will serve as perfectly good VPN servers as well.  Cisco PIX firewalls will also do this, as will Checkpoint's firewall product (godawful expensive, endless licensing headaches - not worth it for a small company), and probably a bunch more will also.

One potential problem with appliance type firewalls is, if you want more than two interfaces, you often have to go a couple of rungs up the price scale.  You end up paying for a firewall with way more features and power than you need, just so you can segment your network into, say, three segments (internal servers, public servers, desktops)...

Not that I'm trying to talk you out of getting an appliance firewall - there are some very good ones out there, to be sure.

For the VPN - are you trying to let users with laptops or home computers connect in from random locations, or are you after making a single site to site tunnel so that users in each location can connect to servers in the other?  Or is it both, for that matter?  Your needs will depend somewhat on what exactly you're trying to achieve - although any VPN server should be able to do what you need.

If you don't want to spring for an XServe (understandable), one option might be to install OS X server on a PowerMac.  You won't get all the server-y goodness like redundant power supplies, or a rackmount case, but it should be able to do everything you need.

Filemaker should run fine over a VPN connection - that's the point, you can have a local IP address, with full access, just as if you were on the same LAN.


----------



## MDLarson (Mar 3, 2005)

About the firewall... I _think_ I understand the issues surrounding that item.  Unless another easy possibility presents itself, I am planning on pushing for a 1U appliance firewall of some sort.  My need is primarily to tie 3 LANs together into one BIG LAN.  That would be a permanent configuration.  Connecting from a laptop on the road would be handy, but not as important.

I think my main question is, should I use the VPN server in this firewall / VPN appliance, or is the XServe's VPN adequate?  I _think_ an XServe would really suit our needs well, but I need to be convinced of that fact.

I have a meeting today about this stuff, and my dad is much more willing to do the minimum and lowest cost option to get a VPN connection up and running, while I tend to look at the long-term needs and an XServe appears to fit very well for a lot of things we eventually plan on doing.


----------



## Aeronyth (Mar 3, 2005)

Hhaha, crazy..I live in Blaine and I recall seeing a sign for that somewhere...is it on Radisson Road?


----------



## MDLarson (Mar 3, 2005)

Aeronyth said:

> Hhaha, crazy..I live in Blaine and I recall seeing a sign for that somewhere...is it on Radisson Road?


Heh, that's awesome!  Yep, it's right on Radisson Road there by the airport.  You probably saw this sign, right?  I made that sign too, although in retrospect, there's too many words for people zipping by at 40 MPH to really notice and read anything other than "COMING SOON!"

It warms my heart that a fellow MacOSX.com'er knows about us!


----------



## Aeronyth (Mar 3, 2005)

That's the sign!  And that's also about..1.5 miles from my house.  All I remembered seeing on the sign was something about Pet Lodge, heh.


----------



## scruffy (Mar 3, 2005)

Either one would likely work well.

Separating the VPN function from the firewall can be nice from a performance point of view - If one is getting bogged down, it needn't affect the other.  That said, for a small company like this, if you get a $800 - 1000 firewall appliance, you will have more than enough horsepower to last you a long time, even if it's doing VPN duty as well as firewall.  Your remote sites could possibly get by with much less powerful devices, perhaps under $300.

An advantage of some of the appliance boxes is that they either have, or can be expanded later to have, VPN accelerator cards - the encryption work is pushed from the firewall's processor onto some dedicated hardware.  That way, having lots of VPN traffic leaves the firewall's CPU largely free.  You might want to look at firewall boxes that offer that capacity, and consider the eventual expense of the card, should you decide you need one later.

Using the VPN on the firewall lets you apply firewall rules to the decrypted traffic.  If you have a VPN server inside the firewall, you can't really inspect the traffic as it passes the firewall (that being the point of a VPN, that the encrypted traffic can't be examined).  If you want to do some filtering of that traffic, you have to apply those rules with the VPN server's software firewall - this amounts to having two firewalls to look after, rather than just one.  Most likely that would mean learning to configure two different types of firewalls, as well.

Tying together a few LANs into one is the easier thing to accomplish - user authentication is basically a separate operation.  So, that's pretty simple to do with the VPN software on the firewall.  Laptops are a bit more of an issue - you have to authenticate both the computer on the other end, and the user, at once.  That can get a bit more complicated, and by that point it might become easier to use a dedicated server.

I've never really looked into doing this sort of thing on the cheap, and based on appliance firewalls, so it might actually not really be that hard...


----------



## dmacguru (Mar 7, 2005)

MDLarson said:

> Still looking for a cheap PoE-enabled network IP camera for SecuritySpy!
>
> ...


----------



## MDLarson (Mar 7, 2005)

Sweet, somebody responded to my signature plea!  

I have a similar setup spec'd out (D-Link's cheapo IP camera + D-Link's stand-alone splitter + a 3com PoE enabled 24 port switch).  It's good to see what other equipment works too... this video stuff is one of the more exciting mini-projects of the 'grand' project. 

I'll have to check out the D-Link switches... I'm not too fond of 3com's web interface... does anybody have any experience with D-Link switches in this respect?

On a side-note, a sales rep is dropping off that Pebble card printer tomorrow!  I'll probably post a review in that new Reviews forum soon.


----------



## MDLarson (Mar 31, 2005)

I just placed an order for the Xserve G5 2.0 GHz single processor + video card!

The catalyst for this was the VPN server in Mac OS X Server.  This will give me the opportunity to get our WAN going as well as play with the other features we would probably be using.

I guess right now I view an additional hardware firewall / VPN server as an optional piece of equipment.  I am expecting the Xserve to accommodate our VPN needs at the moment, so we'll see.

The only question I have now is, would I be eligible to get the 10.4 Tiger server at a discount?  Is the server version of Tiger coming out at the same time as the regular version?


----------

