How Do You Evaluate a Bid from area IT/MSP

Although I love technology, free and open source solutions, and enjoy my Linux homelab, I feel that I need an IT/MSP to assist me in setting up a solution for the small private school where I work in a teacher/“IT/tech guy” role. I’m concerned that my love of FOSS and this IT/MSP’s unfamiliarity with FOSS may make it hard to evaluate a bid from them in the proper light.

I met with the head of the IT and Networking division of a local IT/MSP, who walked our buildings and talked through what I would like solutions for:

  • Replacement of a 10-year-old 5-camera security system currently running into a digital recording deck. CAT 5 is run to each of the current cameras and then the ends are converted to COAX to go into the digital recorder.
  • Better wifi coverage in 4 classrooms and 2 larger gathering areas that are currently covered by the Comcast Business Router with built-in wifi and two additional Unifi AP Long Distance units (one covering two classrooms and one covering one of the larger gathering areas). CAT 5 is run to all 4 classrooms and one of the large gathering areas.
  • 3 New Windows Laptops for Staff, 2 New Chromebooks for Staff, 18 New Chromebooks for Students
  • A backup solution for the 6 staff computers (2 of which will be Chromebooks)
  • I would like all of the Chromebooks and all of the staff to be set up on Google for Edu or Non-Profit, which was left to former staff members and never completed.
  • A better router solution than using the current Comcast Router
  • A better filtering solution than our current one.

Because of my lack of knowledge in the IT/MSP space, I’m unsure if I will be able to distinguish the benefit versus cost of his recommendations. Additionally, I felt uncomfortable over the following:

  • When I mentioned adding a PiHole to the network to do filtering, he didn’t express any love for that idea, and mentioned some sort of remote filtering solution would be better with few details at this point.
  • When I asked about recommendations for backup solutions, he mentioned that he would recommend an offsite remote managed system called Drive Sync with nothing local like a NAS, because it can be corrupted by ransomware and it can have drive failures (we are talking about a backup solution for 4 Windows laptops and 2 Chromebooks).
  • Also when we talked about backup solutions he asked if everyone was using Google Suite or MS 365. When I mentioned that we use some Google Suite and 3 of us use LibreOffice for more complex documents, he didn’t know what LibreOffice was and didn’t seem to have a very high opinion of FOSS solutions.
  • He recommended that we solve the camera need and wifi need by adding a Unifi Cloud Key Plus and their cameras and a few more Unifi APs, which sounded reasonable.

I don’t want my love of FOSS to color my view of the services of this local IT/MSP, but at the same time I would like to see some FOSS solutions when they make sense. I did ask him to give me two separate quotes, one for the install of the network upgrades, and one that included a monthly cost for providing remote managed services. Of course, he spoke at length of the advantages of just considering the remote managed services option, but I’m afraid it will be financially out of our reach to have $100’s going each month to them to ensure that 4 laptops stay upgraded and backed up, and to check on connection issues that arise from the Unifi equipment. At the same time this business has done a nice job in addressing our copying/printing needs in the past, and they expanded their business 3-4 years ago to include IT and MSP.

Assuming you need to comply with CIPA, I wouldn’t trust PiHole to handle this. I’m not sure what your firewall is aside from the mentioned Comcast router, but you could look at either a cloud DNS provider like Quad9 or a new firewall such as Untangle, which would also yield you application control.

I don’t think you need to go something high end like a Fortigate.

Offsite could be the way to go, Synology has backup solutions for desktops, laptops, VMs, and Gsuite. You could also roll this yourself with Backblaze if you want offsite.

Could be concerning depending on how the conversation went. I’m not concerned they didn’t know it; MS Office has been the de facto standard long enough that the FOSS alternatives have fallen off the radar for many people.

Protect is fine, depending on how many cameras you need, you may want to do a UNVR for some extra expansion.

Synology also has a solution for this. I don’t know that I’d use any of the FOSS systems I’ve seen.


Having worked K12:

  • Let them run the cable and replace cameras
  • Unifi APs seem fine
  • Chromebooks should absolutely be connected to a Google Workspace system
  • You could roll your own backup with backblaze / Synology depending how crucial the information is and if you have the confidence to set up the system
  • Put something like unTangle in place which could handle the firewall duties and filtering


It would likely be worth while to reach out to other companies as well to get a feel for the area.


Thank you @gsrfan01, this was very helpful. I think I got more out of your post than I got from my hour meeting the other day. On the basis of your thoughts, I plan to do the following:

  • With this added understanding, I will evaluate the bid that comes in from the local IT/MSP.
  • I will reach out to at least one other local IT/MSP for a bid.
  • Looking into Untangle for the filtering solution. It looks like you can put it on a desktop computer with two NICs. It also looks like you pay a yearly fee based upon how many licensed devices you have. Since I have a mix of Chromebooks and staff computers, would the licensed devices have to include each Chromebook and each staff computer, but I wouldn’t have to license every cell phone that jumps onto our wifi from someone that is just visiting our campus and needs a connection to the internet?
  • Are there other filtering solutions you would consider for a K12?
  • The Unifi Cloudkey Plus will be managing 5 cameras and then we will be looking to connect our Unifi APs as well and manage them.
  • I like your idea of rolling a Backblaze solution, that was an excellent suggestion. I still might consider a Synology too, I had suggested that to the rep but he didn’t like the idea of a local NAS at all.
  • Currently, we just have the Comcast Router as our firewall and DNS, from what you mention I could at least increase some of our security by using Quad9 as our DNS provider. I will look into that as well.

If memory serves, Untangle is licensed based on the number of IPs connected at a single time, so that would include your guest wifi. Their licensing for non-profits and private schools seems pretty generous: 100 devices is $1,134 / year, which has all of their add-ons including application and web filtering.

It may be worth reaching out to their sales or Tom to get something quoted.

Their Z6 rack mount unit + 1 year of software would be $2,333 which, while expensive, would be a robust solution.

I ran it on a 1U Supermicro box, old Dell R320/420 servers I’ve also had good experience with. Try to get Intel NICs if you roll your own box.

You could use DNS filtering, which could be forced on managed devices such as Windows and your Chromebooks, Tom has an overview here: DNS Malware Filtering Compared: Quad9 VS Cloudflare VS DNS Filter VS OpenDNS / Cisco Umbrella - YouTube

Downside being if the kids can change the DNS servers on their phones or devices, they’d bypass your filtering.

A friend who works at another district uses Content Keeper at the moment: https://www.contentkeeper.com, though I’m not sure on their pricing.

You could utilize both. Use Synology’s Active Backup to store the data on the NAS locally, then send that data up to Backblaze or Wasabi for immutable cloud storage. That would satisfy the 3-2-1 rule pretty well also: live data, Synology, and cloud, with 2 different media. You could add rotated external hard drives if you want a “cold” tier also.

This is more of a philosophical reply rather than specific recommendations, but as you say that you are the local IT guy and that you won’t be able to pay for ongoing MSP services, it’s important to use and keep solutions that you know how to manage and keep updated and secure.

Otherwise prepare to keep money set aside for break/fix issues when they arise.

As for running Untangle on an old desktop with 2 network cards, I can vouch that that is a very valid way to do it. Probably not ideal for lots of reasons, but if the CPU has AES-NI support you can even do some OpenVPN stuff (which is astoundingly easy to configure, by the way, at least on Windows). Untangle also sells their own hardware, which I can’t vouch for but which I am sure they would be much happier to support.

And I feel you about wanting to use FOSS as much as possible, especially in non-profit and educational settings. It philosophically seems the right thing to do.

I always have to ask myself if doing it FOSS is costing more time and effort (and theoretical dollars) than a competing commercial solution. Often it is, but sometimes the knowledge exchange or lack of is worth more than the time it would take to learn and support something yourself, plus the potential liability, legal or just everyone being mad at you if something goes sideways.


Always a big fan of FOSS and try to use it where I can. K12 is a hard place to be, you often have enterprise requirements without enterprise funding. The district I was in had ~800 staff and ~2600 students. We leveraged free / FOSS software everywhere we could.

Hypervisor? Hyper-V is included with our Microsoft EA, we’ll use that.
Helpdesk? Spiceworks is free
Digital Signage? Let’s use Xibo and build some NUCs
Need cameras? We’ll build a Unifi Video (RIP!) server for each building
Need WiFi? Unifi is fine
New servers? eh, every 7 years is what we can make do with, should be fine.

So much needed to be done but with little money. I’m amazed half of it runs as well as it did.

A few quick thoughts -

  • Cameras - Milestone Essential license gives you 8 free cameras and a very robust system. It is a bit complex to configure, but very high level of functionality for no cost. Milestone only runs on Windows though. I also like Exacqvision with Entry licenses for around $50/camera and has good functionality and is very robust. ExacqVision server can be run on Ubuntu - which I really like. I have never used the Unifi cameras.
  • Content filtering - PiHole would be very easy to bypass. The only effective way to content filter is going to require a paid service. I was just turned on to an interesting approach from LucidView.net from another post that looks really interesting, but I haven’t really dug into it yet.
  • Of everything in your post - the thing that set off alarm bells to me was the push for an exclusively cloud based backup solution. That is an awful idea IMHO. Per gsrfan01 - I would do a combination of Synology Active Backup for Business locally and a cloud backup. The problem with cloud only is that there is just no way around having to download hundreds of gigs of backup data if you needed to restore multiple devices due to a ransomware or similar attack. It could take hours and hours just to pull the data back. In my opinion, cloud backup should be your DR solution - not your only solution.

Thanks @xyguy and @gsrfan01 both of you have made some excellent points. This is a very small non-profit private school that serves 66 kids with 4 full time teachers, a very part time admin assistant, and 2 additional part time teachers, and yes the money comes from very low tuition rates and mostly kind donations so finances are always tight, but the students we serve do very well and it is worth the effort to keep the costs low.

I do see your point about commercial versus FOSS (with FOSS often carrying the hidden cost of time to manage and maintain). I think, thanks to the grant, that we can probably afford the Untangle Z6; it is building an extra $1,134 into the yearly budget that gives me the most pause. Going with more commercial options would enable me to leave and go somewhere else with the confidence of knowing that they could get support from local IT/MSP businesses and not depend on my FOSS knowledge.

Thanks @davesn for your suggestions, you gave me a few new things to look into as well.

I think you made a very good point about the backup solution. When I brought it up to the IT representative, he told me the story that he doesn’t like NAS solutions because he had a client that opened up everyone’s computers and shared space on the NAS to everyone in the business so everyone had access to everyone’s documents all the time. Ransomware got onto one of the computers, and spread to every other computer and the NAS as well, so the only way to restore was from the cloud backup solution that he installed.

I was surprised to hear this, because I didn’t think that ransomware can corrupt all of your incremental backups on a NAS, but perhaps that can happen as well. I would dread downloading our full backup and not having a local option to pull from, but at the same time our data backup needs probably hover around 400 GiB right now with our current staff and the documents and media they desire to keep.

Well, that is an idiotic story - I would possibly run far away just based on that alone. The NAS backup is an appliance - you run an agent on the machines and the NAS initiates a pull backup from the PC via the agent. The NAS need not have any CIFS/SMB shares available at all. Using a NAS as a fileserver and using a NAS as a backup appliance are completely different things.

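To make the distinction in the reply above concrete (a backup appliance that pulls from the client, versus a file share the client can write to), here is an added Python example; it is not code from this thread nor from Synology or any backup product. It models a pull-style backup store that only the backup job writes to: every run becomes a versioned snapshot with a SHA-256 manifest, and a run that rewrites most of the files or introduces ransomware-style extensions is quarantined instead of rolling forward the retention chain, so the clean snapshots remain restorable. The file names, thresholds and suffix list are constructed for the demo.

```python
"""Versioned pull-style backup with a ransomware change-rate check (added example)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Constructed thresholds: a run that rewrites more than half of the files, or renames
# files into extensions no normal user workflow produces, is held back for review.
CHANGE_THRESHOLD = 0.5
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt"}  # constructed examples


def file_manifest(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 hex digest."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def assess_change(previous: dict, current: dict) -> dict:
    """Compare two manifests and decide whether the change pattern looks like ransomware."""
    if not previous:
        return {"changed_ratio": 0.0, "suspect_files": 0, "suspicious": False}
    # A file counts as changed if its content hash differs or it disappeared (renamed).
    changed = sum(1 for path, digest in previous.items() if current.get(path) != digest)
    suspect = sum(1 for path in current if Path(path).suffix.lower() in SUSPECT_EXTENSIONS)
    ratio = changed / len(previous)
    return {"changed_ratio": ratio, "suspect_files": suspect,
            "suspicious": ratio > CHANGE_THRESHOLD or suspect > 0}


def _clean_versions(store: Path) -> list:
    return sorted((d for d in store.iterdir() if d.is_dir() and d.name.startswith("v")),
                  key=lambda d: d.name)


def run_backup(source: Path, store: Path, keep: int = 5) -> dict:
    """Snapshot `source` into `store`, keeping `keep` clean versions.

    The backup server drives this copy; the client has no write access to `store`,
    so malware on the client cannot alter or delete earlier snapshots.
    """
    store.mkdir(parents=True, exist_ok=True)
    versions = _clean_versions(store)
    previous = json.loads((versions[-1] / "manifest.json").read_text()) if versions else {}
    current = file_manifest(source)
    verdict = assess_change(previous, current)
    if verdict["suspicious"]:
        # Quarantine: keep the data for investigation, leave the retention chain untouched.
        qdir = store / "quarantine"
        qdir.mkdir(exist_ok=True)
        dest = qdir / f"q{len(list(qdir.iterdir())):04d}"
    else:
        dest = store / f"v{len(versions):04d}"
    shutil.copytree(source, dest / "data")
    (dest / "manifest.json").write_text(json.dumps(current, sort_keys=True))
    if not verdict["suspicious"]:
        for old in versions[: max(0, len(versions) + 1 - keep)]:
            shutil.rmtree(old)
    return {"snapshot": dest.name, "quarantined": verdict["suspicious"], **verdict}


def restore(store: Path, dest: Path) -> int:
    """Restore the newest clean snapshot to dest, verifying every file's hash."""
    versions = _clean_versions(store)
    if not versions:
        raise FileNotFoundError("no clean snapshot available")
    snap = versions[-1]
    manifest = json.loads((snap / "manifest.json").read_text())
    shutil.copytree(snap / "data", dest)
    for rel, digest in manifest.items():
        if hashlib.sha256((dest / rel).read_bytes()).hexdigest() != digest:
            raise ValueError(f"integrity failure on {rel}")
    return len(manifest)


def demo() -> dict:
    """Constructed end-to-end run: two clean backups, then a simulated encryption event."""
    work = Path(tempfile.mkdtemp())
    src, store = work / "staff-laptop", work / "nas-store"
    src.mkdir()
    for i in range(4):
        (src / f"lesson{i}.odt").write_text(f"lesson plan {i}")
    first = run_backup(src, store)
    (src / "lesson0.odt").write_text("lesson plan 0, revised")   # ordinary edit
    second = run_backup(src, store)
    for p in list(src.glob("*.odt")):                             # simulated ransomware
        p.with_name(p.name + ".locked").write_bytes(b"\x00" * 32)
        p.unlink()
    third = run_backup(src, store)
    restored_files = restore(store, work / "restore")
    shutil.rmtree(work)
    return {"first": first["snapshot"], "second": second["snapshot"],
            "second_ratio": second["changed_ratio"], "third_quarantined": third["quarantined"],
            "third_ratio": third["changed_ratio"], "restored_files": restored_files}


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is the one in the reply: because the client never writes to the store, the encryption event only produces a quarantined run, and the last clean snapshot restores with all hashes intact. Real products (Synology Active Backup among them) add the piece a script cannot provide, credentials and network paths that keep the store unreachable from the client.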

The LucidView.net product is really very interesting in terms of providing a low-cost, but possibly very high quality and difficult to bypass content filtering (and IPS) solution. But - it does require a high level of technical knowledge to set up and I have not personally tested it fully - I just learned about it a few days ago.

Couple of things that stuck out to me, not from the MSP space so I could be wrong here but:

  • He’s missing a cross-sell opportunity. I don’t see why they wouldn’t sell you a NAS and charge time and materials to set it up. Seems like an easy few hour job and Synologies aren’t complex things.
  • This reeks of “Someone used something I didn’t set up and it was crap, I saved the day”

Not a huge fan of that way of doing things.

I’ve used Barracuda Web Security Gateways in the past; street pricing for the appliance (WSG210) and 5 years of support is $5,728.95, or $1,145.79 per year.

ZenArmor which runs on OPNsense is a possible alternative: True Content, Web and Malware Filtering at School Budgets!

Also look into the pfSense firewall/router with pfBlocker for filtering; it has both free and paid block lists, your choice. Go with the Synology for local backup, but please encrypt the BUs. Synology has a very good camera DVR solution that includes 2 or 4 free licenses; you pick the cameras. Set up an OpenVPN for remote management on the pfSense firewall. From what I see on Tom’s videos Synology has very good support. For offsite BU you can’t go wrong with Backblaze. Keep it simple, don’t overcomplicate, remember the budget.


Thanks @g-aitc
I didn’t know that pfSense had a filtering option, good to know. Would you recommend specific hardware for pfSense or is that a build-yourself option? I’m thinking it might be a nice idea to get hardware that is known to work well with pfSense rather than piece something together myself.

Actually, what you described is what I had specced out in my head before I spoke to the IT/MSP representative. I’m planning to meet with a different local IT/MSP next week, and I will see what they have to say.

I definitely think that we want to hire the wiring and setup to be done professionally, and I’m hoping we can go with simple enough solutions that have good customer support that I can manage without a large time investment, and then if I leave they can hire it to be managed remotely.

Run pfSense on a Netgate device, but be aware that setting up appropriate filtering takes some time and attention. pfSense is very powerful, but the learning curve is non-trivial. By the time you have Snort and pfBlockerNG running appropriately you will have invested many hours. Deciding what to block is non-trivial. Even the instructions for routing all DNS queries to the provider of your choice require some expertise.

As to your original question – ask yourself whether the person you met with was someone you would hire or have as a close friend. When you outsource the kinds of needs you itemized, you will be seeing far too much of that person or the people who work for him/her. Did you feel like you and your school could rely upon them? If you weren’t really comfortable, choose another supplier. You’re getting married to them!

Free blocklists on pfBlockerNG work really well.

You will also need to create a rule that forces all DNS inquiries back to the pfSense instance. Same with Untangle, should you go that route. Really easy to manage once you have them set up. The forums are great, and full of info, and YouTube is your friend, especially with Tom’s videos, same with MacTelecom and Crosstalk Solutions.
I’ve run pfSense on old towers, on micro-PCs, and on appliances. I currently run it on a Fitlet2 in my home lab, and on an SG2100 at work. More than enough power either way for what we do.

I can’t say too much on a backup solution as I still use an old Lenovo IX-2L for backups. But on and offsite would be ideal, for a just in case scenario.

Years ago I helped set up the “IT” portion for a small Christian school. We had a bunch of computers donated to us from another school that had closed. I locked down those PCs, set up a Google Classroom account as well as Gmail for all of the users (around 60 with teachers and students). Really simplistic. The dashboard was great. I ran Cat6 through the building to various APs (not Unifi, but we had decent coverage in the classrooms and the sanctuary), and tied everything back into pfSense.

Good luck.
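The two replies above make the same practical point: a DNS filter (Quad9, pfBlockerNG, Untangle) only works if clients cannot go around it, which is why the firewall needs a rule forcing all DNS back to itself, and why a device that changes its own DNS servers is the typical bypass. The following is an added Python example, not code from this thread or from pfSense, that shows the detection side: it reads a simplified firewall log and reports LAN clients whose DNS traffic does not terminate at the firewall resolver, including DNS-over-TLS (tcp/853) and likely DNS-over-HTTPS to well-known public resolvers. The LAN range, firewall address, log format and log lines are constructed for the example.

```python
"""Report LAN clients that sidestep the firewall's DNS resolver (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed addressing: the firewall (pfSense/Untangle) is the only resolver clients
# should use, so any DNS-like flow to another destination is worth a look.
FIREWALL = ip_address("192.168.10.1")
LAN = ip_network("192.168.10.0/24")
# Well-known public resolvers (Cloudflare, Google, Quad9) that also serve DNS-over-HTTPS.
PUBLIC_RESOLVERS = {ip_address(a) for a in (
    "1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112")}

# Constructed, simplified log: time,action,proto,src,dst,dport (one flow per line).
SAMPLE_LOG = """\
08:01:02,pass,udp,192.168.10.21,192.168.10.1,53
08:01:05,pass,udp,192.168.10.21,8.8.8.8,53
08:01:07,pass,tcp,192.168.10.33,192.168.10.1,53
08:01:09,pass,tcp,192.168.10.33,9.9.9.9,853
08:01:11,pass,tcp,192.168.10.40,1.1.1.1,443
08:01:12,pass,tcp,192.168.10.40,203.0.113.10,443
08:01:15,block,udp,192.168.10.52,8.8.4.4,53
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into typed fields."""
    time, action, proto, src, dst, dport = line.strip().split(",")
    return {"time": time, "action": action, "proto": proto,
            "src": ip_address(src), "dst": ip_address(dst), "dport": int(dport)}


def classify(rec: dict) -> Optional[str]:
    """Label a flow that bypasses the firewall resolver, or return None if it is fine."""
    if rec["src"] not in LAN or rec["dst"] == FIREWALL:
        return None
    if rec["dport"] == 53:
        # Plain DNS to an outside server: the NAT redirect rule should have caught this.
        state = "blocked" if rec["action"] == "block" else "allowed!"
        return f"plain DNS to external resolver ({state})"
    if rec["dport"] == 853:
        return "DNS-over-TLS to external resolver"
    if rec["dport"] == 443 and rec["dst"] in PUBLIC_RESOLVERS:
        return "possible DNS-over-HTTPS to public resolver"
    return None   # ordinary web traffic to an unrelated host


def find_dns_bypass(log_text: str) -> dict:
    """Map each offending client address to the list of flows that bypassed filtering."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        label = classify(rec)
        if label:
            findings[str(rec["src"])].append(
                f"{rec['time']} {label} -> {rec['dst']}:{rec['dport']}")
    return dict(findings)


if __name__ == "__main__":
    for client, flows in sorted(find_dns_bypass(SAMPLE_LOG).items()):
        print(client)
        for flow in flows:
            print("   ", flow)
```

The "allowed!" entries are the ones that matter: they mean the redirect rule is missing or does not cover that interface or VLAN. The 853 and 443 cases are the ones a port-53 redirect cannot fix; those have to be blocked (or, for DoH, handled by the content filter) and then confirmed from the log the same way.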

I ran a different way… Pfsense, Suricata (multi threaded), and e2guardian for filtering.

Built my own computer a few different ways, started with an old server I had sitting around, it worked fine but was 13 years old. Then worked into a newer Supermicro Atom based system that would run you about the same price as a good Netgate hardware. I also have an old HP t620Plus with 4 port Intel card running at home, it doesn’t get much of a workout, but everything seems to operate the same as it does at work.

e2guardian is a bit more complex to set up, it is not an official package. But it works well filtering sites. We are using the default block lists which blocks a lot of stuff including most ads. But I also run in the “walled garden” mode and only allow certain websites to go through for most users.

Unless things have changed, I would suggest Suricata because it is multithreaded and Snort is not (again could be different). Both can use the same free rules and block a lot of junk. Tuning those rules can be a process, it is not a set and forget thing. I’m guessing Untangle is also not set and forget, but I’ve never worked with it.

As far as Libre/Open Office vs. Office365/Gsuite, it comes down to money. If you haven’t got the money, use what works. I have O365 at work; I also installed OpenOffice and use it for just about everything I can. Certain things stored in OneDrive use the tools that MS offers, but everything else is AOO for me. AOO is used at home even though my work O365 licensing allows me to install at home.

If Gsuite for education offers better pricing for your students and faculty/staff, then that’s an option. Most of the local k12 schools here use Google for students and some use o365 for faculty/staff. I was told that students are free, but you need to pay for faculty/staff. O365 is the same, student accounts are free but faculty/staff are paid and I can tell you that we pay a lot. We also have Azure, more storage on Sharepoint than we could ever use, licensing for local servers and clients, etc.

My department is about the size of your school, and I’m essentially self contained. Only thing I rely on is the schools network to get internet. As far as hardware goes, I’m not up to speed on the latest Chromebooks, but it seems if you are going to have Chromebook, being on a Google infrastructure would be a good idea. For cost it may not be so important, Windows laptops have come down in price to compete and then you can join them all to your domain and use Zentyal for the domain controller. Gets a little more difficult if the computers go home.

Even if you go all Google, I’d probably still put a Zentyal server up to handle DHCP and maybe DNS. You might be able to roll it into other things as time and knowledge are added. The “developer’s edition” is free, but they might make a good discount for you and it is worth an email to find out. I have mine running in my lab system on an old Atom D525 with 4GB of RAM; it works but it is probably a bit underperforming for your needs. Lots of good tiny/mini/micro computers would run it better for a network your size. 4 cores with 8GB of RAM would probably do wonders, so a mini/micro at $250 used or new would probably be enough. Celeron J4105 or faster for the new cheap micro; an i5 7th or 8th gen processor should be plenty as well.

Ok great. I would, budget allowing, use an SG3100 from Netgate; support comes with it and it should have plenty of power for your application. You may go the build-it-yourself option, as I have pfSense running on an older i3 with a multiport Intel NIC and 2GB RAM, way overkill, and it boots from an SD card. pfBlockerNG is not really that hard to set up; if you have problems, here is the place to go for help. I block by DNS, IP and geo blocking and also use Quad9 as my DNS provider, so very good protection, by no means absolutely bulletproof but it works.

Switches: I see two options, again depending on budget. Unifi is very easy to manage but more costly, solid and reliable. The less expensive is TP-Link Omada, similar to Unifi central management, not as feature rich, but they work and may be suitable for your needs. I would go with a minimum of 24 ports.

Also consider segmenting your network with VLANs, especially if you will have guest access. Go with the Synology NAS, but choose the appropriate model with enough drives to accommodate both your backups and video. For ease of management the Synology has you covered there too. For cameras my choice would be Axis, but they are pricey; I don’t know if they offer special deals for schools. Data should be encrypted on the NAS and 2 copies of the keys should be made, one being kept off site. For best practice in backup follow 3-2-1. One copy should be off site; as I previously stated, Backblaze will be your best and least expensive option. They are a compliant provider of cloud storage and very easy to use; the first 10GB of storage is free. Remember you may be subject to FERPA & COPPA.

Get a pro to install cabling; go with Cat6. Once everything is set up, management of the system should be trivial, but at least two people should be trained on the basics. Links are below.