The Grand Project - Suggestions, please!

MDLarson

My dad is planning on opening up a new cat & dog boarding kennel called Stone Mountain Pet Lodge. It will be located in Blaine, MN and will open sometime in mid-2005. It will be one of the nation's premier pet kennels!

We are planning on making it an all-Mac operation, starting with a FileMaker based point-of-sale system using iMac G5s. There will be 4 of them at the front desk. Here's a thread about my POS questions.

Next, we're going to be utilizing around 30 "network IP" cameras throughout the facility and manage the video feeds via SecuritySpy (Mac-only) software, which has awesome 5 star reviews on VersionTracker. I haven't decided on cameras, but I am looking for inexpensive (less than $200) Power over Ethernet (PoE) enabled network cameras. I don't want wireless cameras. I'm thinking the computer that will process and record video on will either be a Power Mac G5 or an XServe, but I have yet to investigate exactly what I want to do with that.

The idea with the cameras (besides general surveillance) is that pet owners can pay extra to secure a kennel with a video camera and they will be given a password to access a live web-feed of their pet. I'm sure it can be done, I just don't know exactly what that will look like. (For instance, I think the best way to do this is to secure a static IP address from our ISP and do our own website hosting / video streaming... help on this would be great!)

We need a phone system, and VoIP appears to be the way to go, especially for new construction. 3Com has a new IP telephony device that I will be looking at, with the idea that phones will be plugged into a standard RJ-45 jack that goes back to our central rack server area.

We will have a few offices to fill with computers, and iMac G5s will probably be the ticket. I am also thinking of sticking an AirPort Extreme base station on the ceiling of the lobby area to allow customers to hop on the internet while they hang out. I've read that the ideal location for a wireless access point is on the ceiling, and I think it'd be funny to look up and see the little white UFO blinking away. :)

And on a final boring note we are planning on getting a copy of QuickBooks 2005 for Mac. I've read some horrible reviews of previous versions of QuickBooks and I'd be keenly interested in Mac QuickBooks users' advice.

*****

So, I plan on updating this thread as we make progress (and secure funding), and I hope to hear from all of you regarding opinions, advice, whatever. It's no Virginia Tech supercomputer, but it's pretty exciting for us!
 
My first question would be regarding Power over Ethernet or "Active Network". This is pretty critical for the network cameras we are planning on, as each camera would otherwise require an external AC adapter, which would require that we run standard power outlets to EACH camera location. With PoE, we can simply run a Cat5 cable to the camera location and plug a PoE network camera in.

The way this works is with "injectors," or inline power supplies that insert a certain voltage into the Cat5 cable. I want to know if I can simply enable ALL ports on my 48 port switch to carry the voltage, or if this must be done for each individual camera line.
 
Since you're building from ground up, it wouldn't be too much more work to install power outlets at each camera site. You'll be doing a lot of wiring anyway.
Then you won't have to worry about injectors, power supplies. That would be my choice.
The cameras wouldn't use much amperage, so individual lines/breakers to each camera wouldn't be necessary.
 
bobw, the thing I want to avoid is extra cost and extra hassle. I'm not particularly fond of having 30 injectors all strapped to my ethernet switch, but I'm sure even that solution is more cost effective than running 110V power to each site. Not to mention the problem of running ethernet line parallel to power conduits. That doesn't work very swell due to interference.

If I go with a PoE solution, I have a good chance of reducing complexity and increasing flexibility (i.e., running a Cat5 cable wherever a camera needs to go, as opposed to running Cat5 AND power.)

I found a 24 port "midspan" (the picture shows a 48 port - that would be nice) that injects power the way I want it.

I also found an enterprising IT tech who made his own multi-port injector from a patch panel.

I really think PoE is the way to go. Of course there's PowerLine, where you transfer data over standard power wire, but I don't know much about that.
 
Sounds like a very interesting project.

I used to work in tech support for Intuit - on Quicktax, not Quickbooks, but I think I got a bit of an overall impression. I wish I could recommend that you use their software on a Mac, but I just can't - at least for Quicktax, the whole Mac product was very much an afterthought - not the sort of product I would trust my finances to at all.

From a security perspective, I would suggest you segregate the different functions as much as possible - don't put VoIP devices on the same networks as desktops - the networks might share the same internet connection, but put them on different firewall interfaces, and don't let anything cross between those two networks. You don't control that equipment, and manufacturers of "not really a computer"-type network devices tend to have very questionable security records.

Think very carefully about wireless - it can be one of the biggest security headaches if it's done wrong, and it can be a lot of overhead to do it right. If you do decide to go with wireless, definitely put it on a different firewall interface from any business related systems, and consider any traffic coming from it as being as potentially unfriendly as stuff from the internet at large.

Speaking of firewalls, I'd recommend looking to something other than a Mac for that job. The OS X kernel firewall is decent as a host firewall, which you'll probably want to turn on on your internal hosts, but it's not really up to the job of being a business's gateway firewall.

I'm learning about Cisco PIX firewalls just at the moment, so of course I'm all excited about those, but they do cost a pretty penny. Netfilter, the Linux kernel firewall, is really quite good also; you might simply want to go with a very minimal Linux install, with however many interfaces you need.

There is an open source GUI called firewall builder http://www.fwbuilder.org/ that will run on OS X, Linux, and Windows (Windows and OS X binaries cost a little, if you don't want to be bothered with X11 and fink), and will generate firewall scripts for Linux, FreeBSD, OS X, OpenBSD and PIX firewalls. It has some nice features like revision control and such... Might be something to look into to make your life a bit easier.
 
Correction to the above

OS X native binary is 50 bucks if you don't care to compile it yourself. Whether you go from source, or spring for the binary, it'll do firewall rulesets for Linux, OpenBSD, FreeBSD, OS X, and Solaris.

The PIX firewall rule generating module is 500 bucks, which includes a license for the Mac binary - so, not so cheap anymore. But if you were going to buy a PIX anyway, maybe not really all that terrible...
 
Eh? Security? :) I know nothing about firewalls, except that the Windows XP SP2 installed one by default and turned everything off and made life miserable for me for a short time.

Are we talking about a separate linux based PC that sits between our internet connection and our ethernet switch? I've never worked with Linux or anything like that.

As far as the wireless hotspot goes, I knew I had to limit access only to the internet, but again, I'm not very familiar with security issues.

I am hoping that QuickBooks Pro 2005 is OK. I found this table that details the improvements this time around, and as far as I can tell it solves QB Pro 6 users' complaints.
 
Yes, you'd want a dedicated firewall - a system that does nothing except be a firewall, sitting between your internet connection, and your internal network or networks. And, I would recommend that you have several internal networks - one for desktops; one for VoIP devices; if you're running publicly accessible servers, one for them; if you go with wireless, strongly consider a separate network for that. Depending on what you eventually decide to do with the cameras - internal security feeds only vs. owners getting to check on their pets, etc. - you might want to put them on your internal network, or on your public server network, or maybe yet another separate one. Depends on your needs, right?

There are some issues with using different vlans on the same switch for segregating networks - google for "vlan hopping" - it depends very much on the make of your switch how grave that might be. Probably the most comprehensive security vulnerability database is bugtraq (http://www.securityfocus.com/bid); you might want to check for known vulnerabilities on your switch before buying, or at least when considering how to lay out the network - i.e. how much faith to put into the switch's ability to segregate networks via vlans.

Whatever you do, don't put your internet connection onto a vlan on the ethernet switch that also houses internal networks.

The balance between how much time you want to spend configuring the thing, vs how much money you're willing to put into it, gives you different options.

For a relatively large investment of time and little money, you could go with a PC running Linux, OpenBSD, or a similar free OS, with 2-5 network cards to segregate the different networks. I'd recommend Linux, since the Linux firewall deals rather better with multi-port protocols like ftp.
Since it wouldn't be a desktop, it wouldn't need to have anything interesting in the way of a graphics card; you probably wouldn't even want to install X windows at all.

For more money and less time, you could get an 'appliance' type firewall, from Cisco or a similar vendor. Basically that's just a computer that's optimized for the job of being a firewall - very minimal OS, fast networking hardware, no graphics or anything unnecessary. Some of those use free OS's, others use proprietary ones (the Cisco boxes run a proprietary OS).
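One way to turn the segmentation advice in this post and the earlier one (desktops, VoIP, wireless and public servers on separate firewall interfaces, with wireless trusted no more than the internet) into a checkable policy that emits Netfilter rules. This is an added example, not code from anyone in the thread; the interface names and the 10.x.0.0/24 subnets are assumptions.

```python
"""Zone policy for a multi-interface Linux (Netfilter) firewall.
Added example; interface names and subnets are constructed assumptions."""

# Constructed zone table: zone -> (interface, subnet). One physical NIC per
# network, as the thread suggests, rather than VLANs on a shared switch.
ZONES = {
    "internet": ("eth0", "0.0.0.0/0"),
    "desktops": ("eth1", "10.1.0.0/24"),
    "voip":     ("eth2", "10.2.0.0/24"),
    "wireless": ("eth3", "10.3.0.0/24"),   # lobby hotspot
    "public":   ("eth4", "10.4.0.0/24"),   # web / FileMaker server
}

# Zones whose traffic is treated as hostile: the thread's advice is that
# wireless deserves no more trust than the internet at large.
UNTRUSTED = {"internet", "wireless"}
INTERNAL = {"desktops", "voip"}

# Explicit allow list of NEW connections (source zone, destination zone,
# reason). Anything not listed is dropped by the default FORWARD policy.
ALLOWED = [
    ("desktops", "internet", "office browsing"),
    ("desktops", "public",   "staff reach the web and FileMaker servers"),
    ("voip",     "internet", "phones talk to the VoIP provider"),
    ("wireless", "internet", "lobby guests get internet only"),
    ("internet", "public",   "pet owners reach the public web server"),
]


def is_allowed(src, dst):
    """True if the policy permits new connections from zone src to zone dst."""
    return any(s == src and d == dst for s, d, _ in ALLOWED)


def violations():
    """Allow-list entries that would let an untrusted zone reach internal hosts."""
    return [(s, d) for s, d, _ in ALLOWED if s in UNTRUSTED and d in INTERNAL]


def render_iptables():
    """Translate the allow list into iptables FORWARD rules (NAT omitted)."""
    lines = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src, dst, reason in ALLOWED:
        sif, snet = ZONES[src]
        dif, dnet = ZONES[dst]
        lines.append(f"# {reason}")
        lines.append(f"iptables -A FORWARD -i {sif} -o {dif} -s {snet} -d {dnet} "
                     "-m conntrack --ctstate NEW -j ACCEPT")
    # Log what the default policy is about to drop so mistakes show up in syslog.
    lines.append("iptables -A FORWARD -j LOG --log-prefix 'FW-DROP: '")
    return lines
```

Run `violations()` before loading the generated rules; an empty list means no allow entry crosses from an untrusted zone into the desktop or VoIP networks.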
 
sounds like you might be playing with enough money to justify a powered switch. check out the cisco 3750 (if my memory serves me correctly), which i believe is a 24-port model. the vlan suggestion was a good one--in my opinion they are necessary in that type of environment.
 
This is proving to be stressful on my brain, but I'm glad I'm doing it now, several months ahead of actual implementation!

I Googled for vlan hopping and found this page describing lots of neat info that I'm not too familiar with. I will read into it more.

However, I think I have spec'd out a solution that will ease security concerns, namely buying multiple switches and keeping the networks segregated. I have to do that anyway since I can't find a PoE switch over 24 ports anyway. So, each switch would be acting as a DHCP server? I could have 3 networks:
Network 1: 10.1.0.XXX
Network 2: 10.2.0.XXX
Network 3: 10.3.0.XXX (if we were to buy another 24 port PoE switch, 3Com says you can stack them into a virtual switch or something)

I put together a network diagram with what I think is going on. Tell me what's wrong and where, and anything else you want to tell me. :)

The XServe is a guess. I want to run our own webserver (is this a bad idea?) and FileMaker Server. Also, I'm wondering about VPN access; what should I do for that?

p.s. penguin, I have spec'd out a 3Com 24 port powered switch. I'll take a look at the Cisco one though.
 

Attachment: Network-Diagram.jpg (56 KB)

An update on the Point of Sale situation: I looked at a FileMaker 6 based solution called Shopkeeper distributed by POSDirect, and it didn't look too good, interface-wise.

Further searching brought me to a FileMaker 7 based solution called PayGo POS by Christian James.

And sadly, QuickBooks Point of Sale 4.0 is still in the running for a Windows based system. I DON'T WANT TO USE WINDOWS!!!!!

We are going to get a live demo of the PayGo stuff Monday morning so we'll see how that goes.
 
About the firewall: I'd get a hardware solution, not a computer in need of software support. There's nothing worse than a firewall which would finally act as a main door into your local network. And that's exactly what would happen if that linux server would ever be hacked. Suddenly, a strange user would have access to your other computers as a user of your _local_ network. Get a contractor to install and setup a dedicated firewall.
 
onegoodpenguin said:
sounds like you might be playing with enough money to justify a powered switch. check out the cisco 3750 (if my memory serves me correctly), which i believe is a 24-port model. the vlan suggestion was a good one--in my opinion they are necessary in that type of environment.
I did a MacMall.com search for Cisco 3750 and it returned 20 results, ranging from $710 to $10,759... I think the one that we'd get out of that list would be the "Catalyst 3750 24PS 24 10/100 + 2 SFP Standard POE Switch", but that goes for $3,300, twice the price of the 3Com switch I have currently spec'd out. The only obvious difference between the two (that I can see) is the two "SFP" ports. Are these the uplink ports used for hooking switches together?

I realize the 24 port powered switches I have do not have uplink ports on them. Should they have them? How am I going to connect my switches together? (Keeping in mind the security of keeping networks separate...)
 
Well, this is all well and good and I think I'm learning the basics of "enterprise" networking... But I need to know what to buy! :)

The appliance firewall thing looks like it's pretty much plug-n-play, but I have no idea how to configure it or what to look for in buying one. They appear to range from $500 to several thousand bucks. Can somebody recommend a relatively inexpensive rack-mountable firewall? And here's another question: why can't my cable / DSL modem handle the firewall functionality by itself? Is the security not as strong as a dedicated piece of equipment?

I am starting to think that we will definitely need a dedicated server for FileMaker Server, general file serving and stuff like that. I would like to know if I am being realistic in my plans for doing some or all of our own website hosting. (The max. upload speed from Comcast, our would-be local cable provider, is 384 kbps. I doubt this is "industrial strength" by any means, but it might suffice...)

I sort of feel like I'm asking people to do the research for me, but I mostly want reassurance that I'm making good decisions. :)
 
you mentioned earlier that you want to have remotely accessible video feeds for pet owners who wish to view the kennels... well, low-speed consumer broadband won't scale very well to meet that demand. take a look at business DSL services if you're frightened by the cost of a T1 subscription. you can probably get 1.5 d/u for around 100 bucks a month.

as for appliance firewalls, i didn't really agree with the criteria for selecting one over a linux box. find a buddy who's knowledgeable in that area (or better yet, get your hands dirty), and throw him a 2 year-old PC and a few hundred bucks to make it work. in my opinion, that's a better value than any black box will get you, and you'll end up with a machine that could have additional functions. you can get a used Dell PowerEdge server on ebay for surprisingly cheap (we're talking 4 processor Pentium for systems for a few hundred dollars), throw some hard drives in there, and run 10 different services on that box. and if you're concerned that you're going against wanting to be a mac-only facility, look at it like this: a dedicated appliance isn't a mac either.

i just scrolled up and noticed that another seemingly-knowledgeable person responded with a linux suggestion as well. i'd give it some thought...
 
Ahh... progress. Groundbreaking was last week!

Internet
I'm thinking T1 is definitely the way to go. Stupid phone companies won't give out phone quotes... they always want to come in and meet face to face to push a contract, so I'll have to deal with that.

VPN Stuff
The latest issue I'm trying to work out is a VPN connection. I understand that most (if not all?) VPN clients are free, but the servers are either hardware based or run on Windows or Linux. Mac OS X Server 10.3 appears to have a VPN server built-in, so that would be nice.

I don't think I can justify an XServe quite yet, so what can I do in the mean-time? We already have two locations we want linked together, so should I just find some VPN server software to run on Windows? Do I need servers at both locations to have the freedom to tap into each network from each location? Can FileMaker Server run on a VPN network?

Card printing
I'm getting closer to getting my hands on a card printer. Apparently there's only one card printer that works with the Mac on the market today, and even then it's a limited, stripped down version with only the driver available (no special stand-alone software to run with it). It's called the Pebble, made by Evolis. I'm pretty sure it will work for what I'm planning - but I'm wondering if anybody has made a solution in FileMaker or has experience with the printer. One of my goals is to use an iSight mounted on a SightFlex for direct input into FileMaker (somehow!), and then with the push of a button, print it out to the card printer for an instant "Pet ID".

If I'm getting anybody's brain going for ideas, I'd love to hear them. And of course, here's the website if you want to check us out! :D
 
A bit more on the firewall question - Your firewall will need to be kept up to date no matter what. The "appliances" are just computers that you're not meant to tamper with. Some use custom configured versions of standard OS's like Linux or FreeBSD; others use entirely proprietary OS's, like the PIX firewalls from Cisco.

Many firewalls will serve as perfectly good VPN servers as well. Cisco PIX firewalls will also do this, as will Checkpoint's firewall product (godawful expensive, endless licensing headaches - not worth it for a small company), and probably a bunch more will also.

One potential problem with appliance type firewalls is, if you want more than two interfaces, you often have to go a couple of rungs up the price scale. You end up paying for a firewall with way more features and power than you need, just so you can segment your network into, say, three segments (internal servers, public servers, desktops)...

Not that I'm trying to talk you out of getting an appliance firewall - there are some very good ones out there, to be sure.

For the VPN - are you trying to let users with laptops or home computers connect in from random locations, or are you after making a single site to site tunnel so that users in each location can connect to servers in the other? Or is it both, for that matter? Your needs will depend somewhat on what exactly you're trying to achieve - although any VPN server should be able to do what you need.

If you don't want to spring for an XServe (understandable), one option might be to install OS X server on a PowerMac. You won't get all the server-y goodness like redundant power supplies, or a rackmount case, but it should be able to do everything you need.

Filemaker should run fine over a VPN connection - that's the point, you can have a local IP address, with full access, just as if you were on the same LAN.
 
About the firewall... I think I understand the issues surrounding that item. Unless another easy possibility presents itself, I am planning on pushing for a 1U appliance firewall of some sort. My need is primarily to tie 3 LANs together into one BIG LAN. That would be a permanent configuration. Connecting from a laptop on the road would be handy, but not as important.

I think my main question is, should I use the VPN server in this firewall / VPN appliance, or is the XServe's VPN adequate? I think an XServe would really suit our needs well, but I need to be convinced of that fact.

I have a meeting today about this stuff, and my dad is much more willing to do the minimum and lowest cost option to get a VPN connection up and running, while I tend to look at the long-term needs and an XServe appears to fit very well for a lot of things we eventually plan on doing.
 