this post was submitted on 08 Jan 2024
22 points (86.7% liked)

Sysadmin

7813 readers
55 users here now

A community dedicated to the profession of IT Systems Administration

No generic Lemmy issue posts please! Posts about Lemmy belong in one of these communities:
[email protected]
[email protected]
[email protected]
[email protected]

founded 2 years ago
MODERATORS
DarraignTheSane
00Lemming
L3s
22
Tailscale as a tool for PCI compliance (to avoid port forwarding) (lemmy.zip)
submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/sysadmin
4 comments fedilink hide all child comments
 

So I recently discovered that the camera NVRs are majority insecure. This lead to my company failing to get PCI compliance which wasn't all that unexpected. However, this leads to the awkward situation of me comparing mesh VPNs. I've been playing around with netbird but I'm looking for a more polished solution.

Do any of you use Tailscale in a corporate environment? If so how well does it work and is there any major pain points?

Edit: I gave up on Tailscale as it was a pain in the ass. I'll just use Netbird with a reverse proxy for the cameras.

top 4 comments
sorted by: hot top controversial new old
[–] slazer2au 13 points 1 year ago (1 children)

In all honesty of you are in a commerical environment and scale where PCI and mesh VPNs are cropping up you should consider hardware firewalls.

FortiNet has FortiGate ADVPN as part of the base image and no extra licenses required. If you include the licenses you can get PCI reports from the FortiGate.

Juniper has SRX mesh, don't go for the cisco tax of DMVPN, Palo Alto has LSVPN

[–] [email protected] 0 points 1 year ago

I am actually managing a bunch of locations with only 1-3 people at each. Full firewalls feel overkill but maybe there is a middle ground. I've actually considered openWRT with ansible but keeping openWRT updated is a pain in the ass.

For now I'll just stick with Tailscale and some sort of management software.

[–] IHawkMike 4 points 1 year ago (1 children)

Which specific PCI requirements did you fail?

Regardless, it sounds like you're over-complicating things. The cameras should just be on a separate VLAN with proper ACLs at the router/firewall.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

I'm looking to completely remove the NVRs from the internet so no, I don't believe its that complicated

It seems that Tailscale may be a decent fit for our needs. Netbird had a nicer UI but is not nearly mature enough and has broken user invites