HostiFi, UniFi and the value of keeping network gear up to date

timeshifter

I have about 9 customers who use UniFi equipment in a small business environment with about 38 devices in total. About 9 months ago I set up a cloud controller on a Digital Ocean VPS. Two of those 9 are on it and the others have stand-alone Cloud Keys. I also have a couple of residential installs out there.

The other day when troubleshooting a problem I thought I'd go ahead and update the switch at one site. I ended up not doing an update as I was concerned that the controller version and the firmware version might be mismatched. Also wasn't ready to take on the task of upgrading the controller on the VPS, etc.

This morning I had a demo / conversation with Hostifi. I could easily cover the $99 / month fee by charging my customers a fee to be on it.

Then I get to thinking about what I tell them, how I sell it. Then I wonder how convinced I am that all this gear needs to be constantly updated. Does it?

As I was considering this I was thinking about APs and switches and thinking I'm not aware of anyone getting hacked because their switch was on an old firmware or their AP was outdated. Not that it hasn't happened, but on a list of cybersecurity priorities it seems it would not be near the top of the list, still on the list, but not highly ranked.

I'd need less convincing that firewall / gateways need updates in a serious way since they're exposed to the radiation of the public Internet. Only 6 of those 9 have a UniFi gateway (other three are on Meraki or Fortinet).

I was thinking about charging each client $149 a year to be on the controller with Hostifi. I'd still bill for time I spent doing work, that's just their membership fee. That $149 would be break even.

How do you pitch it? It's like an AV subscription like Norton but for your network hardware?

Also, I question the need to have a live controller. It's somewhat rare that I need it up 24/7. I don't (presently) use any of the stats or live data that you get from the controller. Lack of demand is one reason. Also, sometimes I've found what's there unclear and sometimes unreliable.
 
So way back when the Unifi controller got the "multi-tenant capable" feature....I wrote a guide here at TN on how to do it..using Rackspace as an example....and I later stood up another one at Linode...and then moved the Rackspace one over there too.

Anyways, I got tired of maintaining the controllers....I had them on Ubuntu LTS, but....dealing with Unifi upgrades, and staying on top of backups, and dealing with OS upgrades....it's time consuming. Not to mention, staying on top of security. I'm not a *nix guru....and your Unifi controller holds the keys to your clients networks. Someone hacks into there, they can get all sorts of access to your clients networks..even from afar. Open/forward ports, get the password to the wifi, create a VPN right into the network, etc. So keeping the host OS locked down and secure is also important.

I remember when Reilly started Hostifi...I watched for a year or so...and then it was a no brainer for us...we combined our Unifi controllers and moved them over to an instance he hosts.

What I like about Hostifi....
*They "vet" the Unifi version releases....and wait until a new release is known good/stable before they update their servers
*They provide the SSL cert for you
*They handle the backups
*They handle the security of the host OS
*Monitoring of your server instance...and auto remediation
*Very quick answers from Safwan if you need support. And Reilly if you have questions.
*It simply FREES UP SO MUCH OF MY TIME!!!

They also will do "consulting" for you, for an affordable fee. We had a complex setup for a client and I wanted to ensure we properly DMZ'd a published apps server...segmented from the production network yet allowing only necessary ports open 'tween it and the database server. I knew how I'd do that in the Untangle world, but wasn't sure in the Unifi world. Their tech "Evan" was an excellent resource for us.

As for "How important is firmware updates on network equipment"....
***VERY!!!
You can find lots of examples of "worms" and such that utilize exploits on old firmware to "take over" routers and other network equipment. Many of them share a similar version of *nix under the hood. We still have many HP Procurve switches out in production, and we're frequently updating their firmware to fix vulnerabilities. Not long ago we had the Log4j exploit...which Ubiquiti quickly patched. There are exploits against network printers, print servers, switches, access points....plenty of them, it's important to keep them updated and not just the "wild side facing routers".

As for covering the costs....$$$
*For our MSP clients...meaning, clients on "monthlies" with us, one of our 3x Level plans....the first line item on the invoice is a "Core" fee. It's like a "Gym Membership"...gets you in the door, and covers the base products we use to support you. Gets you your SLA, gets you access to our helpdesk ticketing system, covers our RMM costs, covers our documentation tool costs (HUDU), covers our network management costs (Hostifi), etc. The Core fee ranges from $110 bucks to $250 bucks..depending on which level plan. On top of that of course we have our fees for the servers, and another fee for 365 tenant management (since it's really like a remote server), and another fee "per workstation", fee for backup, fee for 365 licensing, fee for SaaS backup, fee for DNS Filter, fee for Untangle sub, and whatever else is in the "stack". So anyways...yeah the "Core" line item we have for each MSP client of ours....that all adds up to cover costs of our "tools".

For clients NOT on one of our 3 MSP Level plans, well, for those "one-off" clients, we'll sell them a Dream Machine...or they're still on an old Cloud Key. We have around 60-something clients still on the old white Cloud Keys showing in our network.ui.com legacy portal, and on the front page of unifi.ui.com portal...we have around 30 DMs/UDMs/CKGen2/CKGen2Plus showing up there. Of course there's no cost involved there. But for the clients we have on Hostifi....if they're not an MSP client, (such as a marina or a campground) we'll charge an annual fee like $99 bucks for management of their networks if it's larger. For tiny clients with say just a switch and a few APs...eh, we just let it slide.

For "pitching" the network maintenance/management...it's pretty easy. We get good insight into your network for easier troubleshooting, we can manage it remotely and quickly, we manage firmware updates, we can change the passwords quickly and easily. If you call up with some issue we can log into our Unifi controller and "see" what's going on in your network...such as find a bandwidth hog, or users that shouldn't be there. Quick password changes is a good reason....yesterday the manager of a yacht club that I have on Unifi called and wanted to change the password for the guest SSID. I changed it in about 13 seconds and she had her "Done! :)" email in her inbox 30 seconds after she emailed the request to me...she was like "Wow, that was fast!"

So many businesses going to hosted VoIP phones now. It's so easy for us to create a voice VLAN, create port profiles, and set all that up quickly and easily from our desks...and get it done quickly/easily.
 
We have around 60-something clients still on the old white Cloud Keys showing in our network.ui.com legacy portal, and on the front page of unifi.ui.com portal...we have around 30 DMs/UDMs/CKGen2/CKGen2Plus showing up there. Of course there's no cost involved there.
What do you do about updates for those Cloud Keys and other controllers?
 
The software must be updated, because, like Windows Update, it happens for a reason...

I go through all of my controllers at least quarterly. But I also keep tabs on announcements of critical vulns. I do not use a shared controller, just as I do not recommend Hostifi. If I wanted that centralized dependence, I'd use Meraki!

Yes... it takes time. Bill your clients for it. But my clients appreciate the fact their networks function as islands when necessary. Internet connectivity is intermittent.
 
I go through all of my controllers at least quarterly. But I also keep tabs on announcements of critical vulns. I do not use a shared controller, just as I do not recommend Hostifi.
Would you mind providing more detail on how you handle it? Do you have a Cloud Key for each site? Run a controller on a PC or VM for each site? Are they local to each site?

I've thought about keeping a controller on a PC or other device at each site and only fire it up as needed.
 
What do you do about updates for those Cloud Keys and other controllers?

Well, for cloud keys...those generally mean "Not a managed client". So...it can just sit there as is. They're not paying us to do preventive maintenance on their stuff.
But in reality, two of us here (there are 6 of us) usually go through roughly every 6 months or so and punch updates on the CKs. Because we don't want them to fall too far behind in case we need to get into them. If one gets too old it may fall off the cliff, not be something you can remote into.

For Dream Machines and the Gen2 CKs...the Unifi updates seem to be pretty solid now, so in the past year or so we've had most of those on "auto update"...and they take care of themselves.
 
Would you mind providing more detail on how you handle it? Do you have a Cloud Key for each site? Run a controller on a PC or VM for each site? Are they local to each site?

I've thought about keeping a controller on a PC or other device at each site and only fire it up as needed.

If the client has a local server, it's a hypervisor, if that hypervisor has room for a dedicated Linux VM... I'll set one up. BUT most of the time the client has a domain controller running as a guest, I'll snag a ninite for Java AdoptOpenJDK 8 64bit and use that to install and maintain the version of java on the platform. Then deploy the Windows controller as a service.

If the client has no local server, it's Cloud Key Gen 2 Plus time.

Both controller types are invited to my ui.unifi.com account, so I can manage them all from a single pane of glass.

I do keep an eye on Hostifi though, because they publish the controller versions they use, and I do my own testing. Quarterly I go through all of the impacted systems and I move the entire fleet to the same controller and firmware versions. Clients either pay for that time, or they have it baked into their support. Either way, I get paid. And yes I charge more than Hostifi does... BUT... that's the cost of having local management. My clients like that fact, I sell it based on that fact.
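The two recurring worries in this thread are the controller/firmware mismatch that stopped the original poster from updating a switch, and the quarterly "move the entire fleet to the same controller and firmware versions" routine described in the post above. The script below is an added example, not code from the thread, from Ubiquiti or from HostiFi. It takes a device inventory in the shape the UniFi controller returns from /api/s/<site>/stat/device (the field names name, model, type, version and upgradable, and the type values uap/usw/ugw, are an assumption of this example), plus the controller's own version, and reports every device that is behind or ahead of an operator-chosen pin. The inventory and the pinned versions are constructed for the example and are not vendor recommendations.

```python
"""Fleet version audit for UniFi-managed sites (added example, not the thread's code)."""
import re

# Constructed sample inventory in the shape of the controller's
# /api/s/<site>/stat/device response. Field names are an assumption of this
# example; only these five are used.
SAMPLE_INVENTORY = [
    {"name": "Front-AP",  "model": "U6LR",  "type": "uap", "version": "6.2.14.13855",  "upgradable": False},
    {"name": "Office-AP", "model": "UAPAC", "type": "uap", "version": "5.43.56.12876", "upgradable": True},
    {"name": "Core-SW",   "model": "US24P", "type": "usw", "version": "6.2.14.13855",  "upgradable": False},
    {"name": "Lab-SW",    "model": "USL8",  "type": "usw", "version": "6.4.18.14063",  "upgradable": False},
    {"name": "Gateway",   "model": "USG",   "type": "ugw", "version": "4.4.56.5449062", "upgradable": False},
]

# Operator-chosen pins: the firmware the whole fleet should sit on per device
# class, and the lowest controller version you are willing to run. Placeholder
# values for the example, not vendor recommendations.
BASELINES = {"uap": "6.2.14.13855", "usw": "6.2.14.13855", "ugw": "4.4.56.5449062"}
MIN_CONTROLLER = "6.5.55"


def parse_version(text):
    """'6.2.14.13855' -> (6, 2, 14, 13855). Build metadata after '+' is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("+", 1)[0]))


def compare_versions(a, b):
    """Return -1, 0 or 1. Shorter tuples are zero-padded so '6.5' equals '6.5.0'."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def audit_fleet(inventory, controller_version, baselines=BASELINES, min_controller=MIN_CONTROLLER):
    """Report devices behind or ahead of their pinned firmware, devices the
    controller itself flags as upgradable, device types with no pin, and
    whether the controller meets the minimum version."""
    report = {
        "controller_ok": compare_versions(controller_version, min_controller) >= 0,
        "behind": [],      # (name, running, pinned): needs the quarterly update
        "ahead": [],       # (name, running, pinned): newer than the fleet pin, check mismatch
        "upgradable": [],  # controller says a newer bundled firmware exists
        "unpinned": [],    # device types the baseline table does not cover
    }
    for dev in inventory:
        if dev.get("upgradable"):
            report["upgradable"].append(dev["name"])
        pin = baselines.get(dev["type"])
        if pin is None:
            report["unpinned"].append(dev["name"])
            continue
        order = compare_versions(dev["version"], pin)
        if order < 0:
            report["behind"].append((dev["name"], dev["version"], pin))
        elif order > 0:
            report["ahead"].append((dev["name"], dev["version"], pin))
    return report


if __name__ == "__main__":
    result = audit_fleet(SAMPLE_INVENTORY, "6.5.55")
    print("controller meets minimum:", result["controller_ok"])
    for name, running, pinned in result["behind"]:
        print(f"BEHIND  {name}: {running} < {pinned}")
    for name, running, pinned in result["ahead"]:
        print(f"AHEAD   {name}: {running} > {pinned}")
    print("controller flags upgradable:", result["upgradable"])
```

Run it against a real export by replacing SAMPLE_INVENTORY with the parsed JSON from your controller; the "ahead" list is the one to read before touching anything, since a device running newer firmware than the pin is exactly the controller/firmware mismatch the original poster was worried about.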
 