The Real Cost of Microsoft 365 Revealed

Estimating the real cost of a technology solution for a business can be challenging. There are obvious costs as well as many intangible costs that should be taken into account.

For on-premises solutions, people tend to include licensing and support maintenance contract costs, plus server hardware and virtualization licensing costs. For Software as a Service (SaaS) cloud solutions, it seems like it should be easier since there’s no hardware component, just the monthly cost per licensed user, but this simplification can be misleading.

In this article we’re going to look at the complete picture of the cost of Microsoft 365 (formerly Office 365), how choices you as an administrator make can directly influence costs, and how you can help your business maximize the investment in OneDrive, SharePoint, Exchange Online and other services.

The Differences Between Office 365 & Microsoft 365

As covered in our article about the death of Office 2019, there are naming changes afoot in the Office ecosystem. The personal Office 365 subscriptions have changed and are now called Microsoft 365 Family (up to six people) and Personal, and the Office 365 Business SKUs, which top out at 300 users, have also been renamed. The new SKUs are Microsoft 365 Business Basic, Apps, Standard, and Premium.

There’s no reason to believe that this name change won’t eventually extend to the Enterprise SKUs, but until it does, from a licensing cost perspective it’s important to separate the two. Office 365 E1, E3 and E5 give you the well-known “Office” applications, either web-based or on your device, along with SharePoint Online, Exchange Online and OneDrive for Business in the cloud backend.

Microsoft 365 F3, E3 and E5, on the other hand, include everything from Microsoft 365 plus Azure Active Directory Premium features (identity security), Enterprise Mobility & Security (EMS) / Intune for Mobile Device Management (MDM) and Mobile Application Management (MAM) along with Windows 10 Enterprise.

Comparing M365 plans


So, a decision that needs to be looked at early when you’re looking to optimize your cloud spend is whether your business is under 300 users and likely to stay that way for the next few years. If that’s the case you should definitely look at the M365 Business SKUs as they may fulfil your business needs, especially as Microsoft recently added several security features from AAD Premium P1 to M365 Business.

If you’re close to 300, expecting to grow or already larger, you’re going to have to pick from the Enterprise offerings. The next question is then, what’s the business need – do you just need to replace your on-premises Exchange and SharePoint servers with the equivalent cloud-based offerings? Or is your business looking to manage corporate-issued mobile devices (smartphones and tablets) with MDM or protect data on employee-owned devices? The latter is known as Bring Your Own Device (BYOD), sometimes called Bring Your Own Disaster. If you have those needs (and no other MDM in place today), the inclusion of Intune in M365 might be the clincher. If on the other hand, you need to protect your on-premises Active Directory (AD) against attacks using Azure Advanced Threat Protection (AATP) or inspect, understand and manage your users’ cloud usage through Microsoft Cloud App Security (MCAS) you’ll also need M365 E5, rather than just O365.

Microsoft 365 Cloud app security dashboard


The difference is substantial: outfitting 1000 users with O365 E3 will cost you $240,000 per year, whereas moving up to M365 E3 will cost you $384,000. And springing for the whole enchilada with every security feature available in M365 E5 will cost you $684,000, nearly 3X the cost of O365 E3. Thus, you need to know what your business needs and tailor the subscriptions accordingly (see below for picking individual services to match business requirements).

Note that if you’re in the education sector you have different options (O365 A1, A3, and A5 along with M365 A1, A3, and A5) that are roughly equivalent to the corresponding Enterprise offerings but less costly. And charities/not-for-profits have options as well for both O365 and M365. M365 Business Premium is free for up to 10 users for charities and $5 per month for additional users.

A la carte Instead of Bundles

There are two ways to optimize your subscription spend in O365 / M365. Firstly, you can mix licenses to suit the different roles of workers in your business. For instance, the sales staff in your retail chain stores are assigned O365 E1 licenses ($8 / month) because they only need web access to email and documents, the administrative staff in head office use O365 E3 ($20 / month) and the executive suite and other high-value personnel use the full security features in E5 ($35 / month). Substitute M365 F3, E3, and E5 in that example if you need the additional features in M365.

Secondly, you don’t have to use the bundles that are encapsulated in the E3, E5, etc. SKUs, and you can instead pick exactly the standalone services you need to meet your business needs. Maybe some users only need Exchange Online whereas other users only need Project Online. The breakdown of exactly what features are available across all the different plans and standalone services is beyond the scope of this article but the O365 and M365 service descriptions are the best places to start investigating.

Excerpt from the O365 Service Description


And if you’re a larger business (500 users+) you’re not going to pay list prices and instead these licenses will probably be part of a larger, multi-year, enterprise agreement with substantial discounts.

If You Hate Change

If you want to stay on-premises, Exchange Server 2019 is available (it only runs on Windows Server 2019), as is SharePoint Server 2019, and you can even buy the “boxed” version of Office 2019 with Word, Excel, etc. with no links to the cloud whatsoever. This is an option that moves away from the monthly subscription cost of M365 (there’s no way to “buy” M365 outright) and back to the traditional way of buying software packages every 2-5 years. Be aware that these on-premises products do NOT offer the same rich features that O365 / M365 provides, whether it’s the super-tight integration between Exchange Online and SharePoint Online, cloud-only services like Microsoft Teams that build on top of the overall O365 fabric or AI-powered design suggestions in the O365 versions of Word or PowerPoint. There’s no doubt that Microsoft’s focus is on cloud services; these are updated with new features on a daily basis, instead of every few years. If your business is looking to digitally transform, towards tech intensity (two recent buzzwords in IT with a kernel of truth in them), using on-premises servers and boxed software licensing is NOT going to get you there. But if you want to keep going like you always have, it’s an option.

And if you’re looking at this from a personal point of view, a free Microsoft account through Outlook.com does give you access to Office Online: Word, Excel, and PowerPoint in a browser. There’s even a free version of Microsoft Teams available.

Transforming your Business

There’s a joke going around at the moment about the Covid-19 pandemic bringing digital transformation to many businesses in weeks that would have taken years to achieve without it. There’s no doubt that adopting the power of cloud services has the power to truly change how you run your business for the better. A good example is moving internal communication from email to Teams, including voice and video calls and perhaps even replacing a phone system with cloud-based phone plans.

But these business improvements depend on the actual adoption of these new tools. And that requires a mindset shift for everyone. Start with your IT department: if they still see M365 as just cloud-hosted versions of their old on-premises servers, they’re missing the much bigger picture of the integrated platform that O365 has become. Examples include services such as Data Loss Prevention (DLP), unified labeling and automatic encryption/protection of documents and data, and unified audit logging that spans ALL the workloads. So, make sure you get them on board with seeing O365 as a technology tool to transform the business, not just a place to store emails and documents in OneDrive. And adding M365 unlocks massive security benefits, enabling zero-trust (incredibly important as everyone is working from home), identity-based perimeters, and cloud usage controls. But if your IT or security folks aren’t on board with truly adopting these tools, they’re not going to make you any more secure. Here’s free IT administrator training for them.

Finally, you’re going to have to bring all the end-users on board with a good Adoption and Change Management (ACM) program, helping everyone understand these new services and what they can do to make their working lives better. This includes training but make sure you look to short, interactive, video-based modules that can be applied just when the user needs coaching on a particular tool, not long classroom-based sessions.

And all of that, for all the different departments, isn’t a once-off when you migrate to O365, it’s an ongoing process because the other superpower of the cloud is that it changes and improves ALL the time. This means you’ll need to assign someone to track the changes that are coming/in preview and ensure that the ones that really matter to your business are understood and adopted. The first place to look is the Microsoft 365 Message Center in the portal where you can also sign up for regular emails with summaries of what’s coming. Another good source is the Office 365 Weekly Blog.

M365 portal Message Center


To help you track your usage and adoption of the different services in O365 there is a usage analytics integration with PowerBI. Use this information to firstly see where adoption can be improved and take steps to help users with those services and secondly to identify services and tools that your business isn’t using and perhaps don’t need, giving you options for changing license levels to optimize your subscription spend.


PowerBI O365 Usage Analytics (courtesy of Microsoft)

Closing Notes

There’s another factor to consider as you’re moving from on-premises servers to Microsoft 365 and that’s the changing tasks of your IT staff. Instead of swapping broken hard drives in servers these people now need to be able to manage cloud services and automation with PowerShell and most importantly, see how these cloud services can be adopted to improve business outcomes.

A further potential cost to take into account is backup. Microsoft keeps four copies of your data, in at least two datacentres so they’re not going to lose it but if you need the ability to “go back in time” and see what a mailbox or SharePoint library looked like nine months ago, for instance, you’ll need a third-party backup service, further adding to your monthly cost.

And that’s part of the overall cost of using O365 or M365: training staff, adopting new features, different tasks for administrators and managing change all require people and resources, in other words, money. And that’s got to be factored into the overall cost of using Microsoft 365; it’s not just the monthly license cost.

The final question is of course – is it worth it? Speaking as an IT consultant with clients (including a K-12 school with 100 students) who recently moved EVERYONE to work and study from home, supported by O365, Teams, and other cloud services, the answer is a resounding yes! There’s no way we could have managed that transition with only on-premises infrastructure to fall back on.

Source :
https://www.altaro.com/microsoft-365/real-cost-m365/

UniFi – USW: Which SFP Modules Can be Used

The Ubiquiti UFiber modules are officially supported and compatible with all EdgeSwitch, EdgeRouter, UniFi Switch, UniFi Dream Machine Pro and UniFi Security Gateway models that have SFP or SFP+ ports. Multi-mode and single-mode SFP and SFP+ models are available, including single-mode BiDi models.

SKU (Model) | 1G (SFP) | 10G (SFP+) | 25G
UF-MM-1G, UF-SM-1G-S
UF-MM-10G, UF-SM-10G, UF-SM-10G-S
UF-RJ45-1G
UF-RJ45-10G
UDC-1 (1m), UDC-2 (2m), UDC-3 (3m) *
UC-DAC-SFP+ (0.5m) *
UC-DAC-SFP28 (0.5m) **

* Ports can be set manually to 1000mbps for compatibility between SFP+ and SFP ports.
** SFP28 to SFP28 (max data rate 25Gbps)

The list below includes third-party SFP/SFP+ transceivers that have been tested by community members. Please note that these should work, but we cannot assure that they will. Some modules will have multiple hardware revisions, and while one revision may work (e.g. 1.0), it’s possible that a newer revision (e.g. 1.1, 1.2, etc.) of the same module may not work.

We do, however, offer direct support for our own modules.

  • Addon 1000BASE-LX SFP MMF
  • Addon 1000BASE-SX SFP MMF
  • Brocade  10G-SFPP-TWX-0101
  • Cisco GLC-LH-SM 30-1299-01 SFP
  • Cisco GLC-SX-MM
  • Cisco GLC-SX-MM 1000BASE-SX SFP
  • Cisco SFP-H10GB-CU1M
  • Dell FTLF1318P3BTL
  • Dell FTLF8519P2BNL
  • Dell FTLX1371D3BCL
  • Dell FTLX8571D3BCL
  • FCI 10110818-2030LF
  • Finisar FTLF8524P2BNL
  • HP J4858C
  • MaxxWave MX-SX-MM-US 10G + 1.25G
  • MGB-SX 1000Base-SX
  • Mikrotik S-3553LC0D
  • Mikrotik S+31DLC10D
  • Mikrotik S+85DLC03D
  • Solid-Optics ‘SFP-GE-L-SO’ 1000Mbps
  • SourceLight SLS-1285-S5-D

1000Base-LX

  • FiberStore SFP1G-LX-31 1310nm (Single-mode SFPs): with the 8-Port switch set the Negotiation to 1G fixed. On the 24-port autonegotiation works fine.
  • Finisar FTLX1471D3BCV (dual rate – single-mode)
  • HP J4859B – (Finisar FTRJ1319P1BTL-PT Rev A)
  • HP J4859C – (Intel TXN221200000005) – no OTDR output (show fiber-ports optical-transceiver all)

1000Base-SX

  • Cisco MGBSX1 Gigabit SX Mini-GBIC SFP Transceiver
  • Fiberstore SFP-1G85-5M (multi-mode)
  • Finisar FTLF8524P3BNL (multi-mode)
  • HP J4858A (3rd party) – (FINISAR FTRJ-8519-7D) – no OTDR output

1000Base-T

  • Cisco GLC-T – (CISCO-FINISAR FCMJ-8521-3-CSC Rev 4)
  • Delta LCP-1250RJ3SR – (DELTA LCP-1250RJ3SR Rev 0000) 
  • Fiberstore SFP-GB-GE-T Module
  • Mikrotik S-RJ01 (not compatible)

10GBase-LR

  • Finisar FTLX1471D3BCV (dual rate – single-mode)

10GBase-SR

  • Cisco SFP-10G-SR
  • Fiberstore SFP-10G85-3M (multi-mode)
  • Finisar FTLX8571D3BCL (multi-mode)

DAC/Twinax

  • Addon SFP-10G-PDAC1M-AO
  • Juniper ex-sfp-10ge-dac-1m – (Amphenol 584990001 Rev A)
    • This is a 10g DAC that appears to link up at 1g when both ends are plugged into the two SFP slots of the ES-24-250W
    • I haven’t tested sending traffic over this cable, as I only have one ES-24-250W, and Juniper equipment wants to link up at 10g when using this DAC
  • MikroTik S+DA0001
  • Molex 74742-0001
  • Fibrestore 10G DAC cables

The following SFP/SFP+ transceivers have been tested by community members, but may not work reliably. They are not recommended for use with UniFi switch.

  • TP-LINK TL-SM311LS ** may not work on newer firmware, may also depend on module version
  • TP-LINK TL-SM311LM ** may not work on newer firmware, may also depend on module version

    Source :
    https://help.ui.com/hc/en-us/articles/212561258-UniFi-USW-Which-SFP-Modules-Can-be-Used

UniFi – Supported PoE Output and Input Modes

Overview

This article provides tables with information on the supported Power over Ethernet (PoE) output and input modes for Ubiquiti UniFi Switches, Access Points, Cloud Keys and Cameras.

NOTES & REQUIREMENTS:

  • See each device’s Datasheet, available in their store product page or in the Downloads section, for more information on the supported PoE modes.
  • See our PoE Adapters page for more information on Ubiquiti PoE adapters/injectors that can be used to power on devices.
  • There is more information on PoE in the Power Over Ethernet (PoE) article.

Table of Contents

  1. Introduction
  2. UniFi Switches – Supported PoE Output Modes
  3. UniFi Access Points – Supported PoE Input Modes
  4. UniFi Cloud Key – Supported PoE Input Modes
  5. UniFi Cameras – Supported PoE Input Modes
  6. UniFi Switches – Supported PoE Input Modes
  7. Related Articles

Introduction

One of the challenges with large PoE deployments is figuring out how to provide power to your UniFi Access Points. When you have many access points it becomes less viable to power devices using AC PoE injectors. With non-PoE capable switches, you can add a Midspan device which acts as a collection of individual PoE injectors by receiving Ethernet from the switch with only data being transmitted and adding power out over Ethernet through the connection. Such a piece of equipment takes up additional space on your rack, while also costing you a lot of money.

To help with such deployments, UniFi Switches come in a few different models with varying numbers of ports from 8, 16, 24 and 48. These switches are endspan devices as they act as both the switch and provide PoE to devices. UniFi switches give you greater functionality when used with the different UniFi Access Point (UAP), UniFi Dream Machine (UDM), and UniFi Security Gateway (USG) models, and cost well under the amount of the midspan device alone.

UniFi Switches – Supported PoE Output Modes

Ubiquiti devices use Active PoE output. This means that the voltage the Powered Device (PD) needs is negotiated. There are three output modes:

  • PoE: Uses IEEE 802.3af standard to deliver up to 15.4W.
  • PoE+: Uses IEEE 802.3at standard to deliver up to 30W.
  • PoE++: Uses IEEE 802.3bt standard to deliver up to 60W.

Different switches provide different output methods, so it’s important to learn what power method the UniFi switches support and compare it with the power method needed to power the different UniFi devices, e.g. UniFi access points, cameras or Cloud Keys.

It’s important to note that each switch has a maximum power consumption which should be considered when powering multiple UniFi devices via PoE. For example, a US-16-150W has a 150W maximum power consumption, even though it has 16 ports. The UAP-HD has a maximum power consumption of 17W. Therefore, if you were to power 16 UAP-HD on a US-16-150W, there is a possibility that the wattage could exceed what the switch is capable of supplying in certain conditions. Find each device’s power consumption in their Datasheets, found in the Downloads page, within each product’s Documentation section.

Model | PoE | PoE+ | PoE++
USW-Pro-48-PoE (Ports 41-48)
USW-48-PoE (Ports 1-32) (Ports 1-32)
US-48-750W
US-48-500W
US-48
USW-Pro-24-PoE (Ports 17-24)
USW-Pro-24
USW-24-PoE (Ports 1-16) (Ports 1-16)
US-24-500W
US-24-250W
USW-24
US-24
USW-16-PoE (Ports 1-8) (Ports 1-8)
USW-Lite-16-PoE (Ports 1-8) (Ports 1-8)
US-16-150W
US-16-XG
USW-Lite-8-PoE (Ports 1-4) –
USW‑Industrial (Ports 1-8) (Ports 1-8) (Ports 1-8)
US-8 (Port 8) – –
US-8-60W (Ports 4-8) – –
US-8-150W –
US-XG-6POE
USW-Flex – –
USW-Flex-Mini

UniFi Access Points – Supported PoE Input Modes

Model | PoE | PoE+ | PoE++
UAP-AC-PRO –– 
UAP-AC-LR** (Mode A)–  –
UAP-AC-LITE*** (Mode A) –– 
UAP-AC-IW**– 
UAP-AC-IW-PRO**– 
UAP-AC-EDU –– 
UAP-AC-M (Mode A) –– 
UAP-AC-M-PRO –– 
UAP-nanoHD– – 
UAP-IW-HD**– 
UAP-AC-HD– – 
UAP-AC-SHD– 
UAP-XG–  –
UWB-XG– 
UAP-FlexHD
UAP-BeaconHD
U6-LR
U6-Lite

NOTES:
* The IW models only support PoE Pass-Through when powered by 802.3at.
** UAP-AC-LRs with a date code prior to 1634 or board revision before 17 only support 24V passive PoE.
*** UAP-AC-LITEs with a date code prior to 1634 or board revision before 33 only support 24V passive PoE.

 

Legacy Devices – Power Methods

Model | PoE | PoE+ | PoE++
UAP– – – 
UAP-LR – –– 
UAP-PRO– – 
UAP-AC– – 
UAP-AC-Outdoor– – 
UAP-Outdoor –– – 
UAP-Outdoor+–  
UAP-Outdoor5– –  –
UAP-IW** –

NOTE: * The UAP-IW only supports PoE Pass-Through when powered by 802.3at.

UniFi Cloud Key – Supported PoE Input Modes

Model | PoE | PoE+ | PoE++
UC‑CK–  –
UCK-G2-PLUS–  –
UCK-G2 –– 

UniFi Cameras – Supported PoE Input Modes

Model | PoE | PoE+ | PoE++
UVC-G3–  –
UVC-G3-AF–  –
UVC-G3-DOME–  –
UVC-G3-MICRO*
UVC‑G3‑PRO
UVC-G3-Flex
UVC-G4-PRO

NOTE: * Supported when using the included 802.3af Instant PoE Adapter. See the QSG for more information. 

UniFi Switches – Supported PoE Input Modes

Model | PoE | PoE+ | PoE++
US-8 – 
USW-Flex  
USW-Flex-Mini – 

Source :
https://help.ui.com/hc/en-us/articles/115000263008-UniFi-Supported-PoE-Output-and-Input-Modes

UniFi – UAP Antenna Radiation Patterns

Use this article to compare the different antenna radiation patterns of our UniFi Access Points. For an explanation on how to read antenna radiation patterns see UniFi – Introduction to Antenna Radiation Patterns.

About Radiation Patterns

Radiation patterns can be used to better understand how each Ubiquiti UniFi access point model broadcasts wireless signal. These patterns are what antenna engineers call reciprocal—in that the transmit-power (the capability of the AP to ‘speak’) will be highest at the peaks, and so will the receive-sensitivity (the capability of the AP to ‘hear’).

Please note that these radiation patterns are gathered in a fully anechoic environment. Their shape, peak gain/directivity and efficiency will change in installed environments. Every deployment will behave differently due to interference, materials, geometries of structures, and how these materials behave at 2.4GHz and 5GHz.

With that in mind, use these radiation plots as a “general guide” to identify where most of the energy (and receive sensitivity) of the UniFi APs is being directed, but keep in mind that the ultimate way to know how successful the coverage design is, is to measure it. Measure signal strength and coverage before (with mock positioning), during (as you install), and after to guarantee that you have the coverage you want and don’t have the coverage you don’t want (for example with self-interference: APs hearing each other or other AP stations on the same channel).

Radiation Plot Format

Radius represents ‘elevation’, with 0° representing antenna gain straight under the AP, and 90° representing antenna gain at horizon. The degrees on the circumference represent ‘Azimuth’. That is to say, left/right/front/back of the AP, when mounted overhead.

Comparison Table

Use this table to compare the radiation patterns of each UAP. The first column shows where the respective colored dots found in each radiation plot are placed on the actual devices. Note that colored dots in the plots might be in the outer perimeter or closer to center.

Note: Varying scales are represented in the graphs below. Consider each graph individually and take note of scale when comparing products.

[Comparison table of radiation plot images. Columns: Directional color dots on device, 5GHz Low Frequency, 5GHz Mid Frequency, 5GHz High Frequency, 2.4GHz Frequency. Rows: U6-Lite, U6-Pro, U6-LR, U6-Mesh, UDM, UWB-XG (High Gain), UAP-FlexHD, UAP-IW-HD, UAP-BeaconHD, UAP-nanoHD, UAP-HD, UAP-XG, UAP-SHD, UAP-AC-LR, UAP-AC-M-PRO, UAP-AC-M, UAP-AC-IW, UAP-AC-Lite, UAP-AC-PRO, UAP-AC-IW-PRO, UMA-D. The low and high 5GHz plots for U6-LR and U6-Mesh are labeled 5.20GHz and 5.80GHz.]

The UWB-XG models do not operate on the 2.4GHz band.

Model Summary Plots

This section includes a graphic summary for each UniFi Access point shown in the table above, portraying radiation plots for Azimuth, Elevation 0°, Elevation 90° and Mapped 3D.

[Summary plot images for: U6 Lite, U6 LR, U6 Pro, U6 Mesh, UWB-XG (High Gain and Low Gain), UDM, UAP-IW-HD, UAP-FlexHD, UAP-BeaconHD, UAP-nanoHD, UAP-HD, UAP-SHD, UAP-AC-Lite, UAP-AC-LR, UAP-AC-PRO, UAP-AC-IW, UAP-AC-IW-PRO, UAP-AC-M, UAP-AC-M-PRO, UMA-D, UAP-XG]

Note: The antennas for the UAP-AC-M were angled at 45° to generate the plots shown in its summary images.

Antenna Files (.ant)

Please note the data in the .ant files below was extracted from full model simulations. Clicking on the links in the following table will prompt the immediate download of the .ant file.

UniFi Access Point Model | Downloadable Antenna Files (.ant)
UAP-AC-IW-Pro | UAP-AC-IW-Pro.zip
UAP-AC-IW | UAP-AC-IW.zip
UAP-AC-Lite | UAP-AC-Lite.zip
UAP-AC-LR | UAP-AC-LR.zip
UAP-AC-Pro | UAP-AC-Pro.zip
UAP-AC-Mesh | UAP-AC-Mesh.zip
UAP-AC-Mesh-Pro | UAP-AC-Mesh-Pro.zip
UAP-HD | UAP-HD.zip
UAP-SHD | UAP-SHD.zip
UAP-nanoHD | UAP-nanoHD.zip
UAP-IW-HD | UAP-IW-HD.zip
UAP-XG | UAP-XG.zip
UWB-XG | UWB-XG.zip
UMA-D | UMA-D.zip
UDM | UDM.zip
UAP-BeaconHD | UAP-BeaconHD.zip
UAP-FlexHD | UAP-FlexHD.zip

Source :

UniFi – USW: Configuring Access Policies (802.1X) for Wired Clients

This article describes how to configure access policies (802.1X) on UniFi switches for wired clients. This article includes instructions on how to configure using the RADIUS server built-in to the UniFi Security Gateway and also UniFi Network configuration examples to point to your own authentication server. Every UniFi switch model is capable of authentication via 802.1X. The configuration does not change from model to model.

Note: Please complete the prerequisite configuration found in the UniFi – USG: Configuring RADIUS Server article before following this guide’s instructions.

How to Enable the 802.1X Service on a Switch

This option is found on the switch properties panel under Config > Services in the Security section when selecting an individual switch from the “Devices” section of the UniFi Network application.

ATTENTION: Enabling access control is done on a per-switch basis. If this is not enabled, the switch will not be able to act as an authenticator to pass RADIUS messages to the RADIUS server.

Differentiating 802.1X Port Modes

  • Auto: The port is unauthorized until a successful authentication exchange has taken place.
  • Force Unauthorized: The port ignores supplicant authentication attempts and does not provide authentication services to the client.
  • Force Authorized: The port sends and receives normal traffic without client port-based authentication.
  • MAC-Based: This mode allows multiple supplicants connected to the same port to each authenticate individually. Each host connected to the port must authenticate separately in order to gain access to the network. The hosts are distinguished by their MAC addresses.

Working with Port Profiles

Using port profiles for rapid deployment is recommended instead of applying 802.1X policies manually on each port.

  1. Navigate to Settings > Profiles > Switch Ports.
  2. Create a new profile with the desired 802.1X control.

NOTE: When using dynamic VLAN assignment on RADIUS, the port profile must include each VLAN desired for use.

Source :
https://help.ui.com/hc/en-us/articles/115004589707-UniFi-USW-Configuring-Access-Policies-802-1X-for-Wired-Clients

Which UniFi Switch is Right for Me?

Ubiquiti UniFi switches help you power, connect, and process traffic across all of your devices. Since each deployment’s size and layout are unique, we offer several distinct switch categories meticulously designed to optimize any network in any environment. We’d like to explore these categories further to help you identify the model(s) that will deliver the most value for you.

Flex and Lite switches are designed to be more stylish than traditional switches so you can easily place them anywhere without disrupting your décor. These switches offer a wide range of bandwidth, uplink speed, and Power-over-Ethernet (PoE) capability. Plus, they look great mounted to a wall or sitting on your desk! 

Our marquee UniFi Switch models bring more uplink and power versatility to high-speed, device-dense networks. The UniFi Switch Pro line is even more powerful with enhanced fiber connectivity, routing, and PoE options.

UniFi Switch Enterprise models, coming later this year, are ideal solutions for demanding deployments. These switches are designed to direct a staggering amount of data and fully harness the power of UniFi 6 products.

To help you protect your enterprise deployment, we’ve created the UniFi Switch Mission Critical, which will also be available later this year. The Mission Critical is a PoE switch with an uninterruptible power supply that will keep your pivotal devices (and UniFi Access products) running through outages and internal failures with its powerful internal battery and external backup battery connectors.

Detailed network insights anywhere, anytime

We know keeping track of ports and devices can be a headache, so we’ve engineered all of our switches to allow individual port naming, locking, and configuration—all from your UniFi Network application. Using UniFi Network, you’ll get real-time insights that will help you optimize your deployment.

Key network details are also visible on the sleek touchscreens built into our UniFi PoE Switch, Switch Pro, and Switch Enterprise models. You can even use your phone to view an augmented reality overlay that labels each port with its connected device!

See our switches in action

Your deployment is only as powerful as the switches powering it, so choosing the right UniFi Switch is critical for enhancing your network’s performance. To learn more, check out our new video above or the comparison table below for a deeper feature breakdown. Also, be sure to like and subscribe when you catch us on YouTube and check our blog regularly for brand-new UniFi content!

Choose the right switch for you


Source :
https://blog.ui.com/2021/03/30/which-unifi-switch-is-right-for-me/

Botnet of Thousands of MikroTik Routers Abused in Glupteba, TrickBot Campaigns

Vulnerable routers from MikroTik have been misused to form what cybersecurity researchers have called one of the largest botnet-as-a-service cybercrime operations seen in recent years.

According to a new piece of research published by Avast, a cryptocurrency mining campaign leveraging the now-disrupted Glupteba botnet as well as the infamous TrickBot malware were all distributed using the same command-and-control (C2) server.

“The C2 server serves as a botnet-as-a-service controlling nearly 230,000 vulnerable MikroTik routers,” Avast’s senior malware researcher, Martin Hron, said in a write-up, potentially linking it to what’s now called the Mēris botnet.

The botnet is known to exploit a known vulnerability in the Winbox component of MikroTik routers (CVE-2018-14847), enabling the attackers to gain unauthenticated, remote administrative access to any affected device. Parts of the Mēris botnet were sinkholed in late September 2021.

“The CVE-2018-14847 vulnerability, which was publicized in 2018, and for which MikroTik issued a fix for, allowed the cybercriminals behind this botnet to enslave all of these routers, and to presumably rent them out as a service,” Hron said.

In the attack chain observed by Avast in July 2021, vulnerable MikroTik routers were targeted to retrieve the first-stage payload from a domain named bestony[.]club, which was then used to fetch additional scripts from a second domain “globalmoby[.]xyz.”

Interestingly enough, both the domains were linked to the same IP address: 116.202.93[.]14, leading to the discovery of seven more domains that were actively used in attacks, one of which (tik.anyget[.]ru) was used to serve Glupteba malware samples to targeted hosts.

“When requesting the URL https://tik.anyget[.]ru I was redirected to the https://routers.rip/site/login domain (which is again hidden by the Cloudflare proxy),” Hron said. “This is a control panel for the orchestration of enslaved MikroTik routers,” with the page displaying a live counter of devices connected into the botnet.

But after details of the Mēris botnet entered the public domain in early September 2021, the C2 server is said to have abruptly stopped serving scripts before disappearing completely.

The disclosure also coincides with a new report from Microsoft, which revealed how the TrickBot malware has weaponized MikroTik routers as proxies for command-and-control communications with the remote servers, raising the possibility that the operators may have used the same botnet-as-a-service.

In light of these attacks, it’s recommended that users update their routers with the latest security patches, set up a strong router password, and disable the router’s administration interface from the public side.

“It also shows, what is quite obvious for some time already, that IoT devices are being heavily targeted not just to run malware on them, which is hard to write and spread massively considering all the different architectures and OS versions, but to simply use their legal and built-in capabilities to set them up as proxies,” Hron said. “This is done to either anonymize the attacker’s traces or to serve as a DDoS amplification tool.”

Update: Latvian company MikroTik told The Hacker News that the number “was only true before we released the patch in [the] year 2018. After patch was released, the actual affected number of devices is closer to 20,000 units that still run the older software. Also, not all of them are actually controlled by the botnet, many of them have a strict firewall in place, even though running older software.”

When reached for comment, Avast confirmed that the number of affected devices (~230,000) reflected the status of the botnet prior to its disruption. “However, there are still isolated routers with compromised credentials or staying unpatched on the internet,” the company said in a statement.

(The headline of the article has been corrected to take into account the fact that the number of affected MikroTik routers is no longer more than 200,000 as previously stated.)

Source :
https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.html

WordPress 5.9.2 Security Update Fixes XSS and Prototype Pollution Vulnerabilities

Last night, just after 6pm Pacific time, on Thursday, March 10, 2022, the WordPress core team released WordPress version 5.9.2, which contains security patches for a high-severity vulnerability as well as two medium-severity issues.

The high-severity issue affects versions 5.9.0 and 5.9.1 and allows contributor-level users and above to insert malicious JavaScript into WordPress posts. The Wordfence Threat Intelligence team was able to create a Proof of Concept for this vulnerability fairly quickly and released a firewall rule early on March 11, 2022, to protect WordPress sites that have not yet been updated.

The two medium-severity vulnerabilities impact WordPress versions earlier than 5.9.2 and potentially allow attackers to execute arbitrary JavaScript in a user’s session if they can trick that user into clicking a link, though there are no known practical exploits for these two vulnerabilities affecting WordPress. All versions of WordPress since WordPress 3.7 have also been updated with the fix for these vulnerabilities.

Vulnerability Analysis

As with all WordPress core releases containing security fixes, the Wordfence Threat Intelligence team has analyzed the update in detail to ensure our customers remain secure.

We have released two new firewall rules to protect against the vulnerabilities patched in WordPress 5.9.2. These rules have been deployed to Wordfence Premium, Wordfence Care, and Wordfence Response users. Wordfence free users will receive these rules after 30 days, on April 10, 2022.

Even if you are protected by the Wordfence firewall, we encourage you to update WordPress core on all your sites at your earliest convenience, if they have not already been automatically updated.

Contributor+ Stored Cross Site Scripting Vulnerability


Description: Contributor+ Stored XSS
Affected Versions: WordPress Core 5.9.0-5.9.1
CVE ID: Pending
CVSS Score: 8.0 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Fully Patched Version: 5.9.2
Researcher/s: Ben Bidner

WordPress uses a function called wp_kses to remove malicious scripts from posts, which is called in wp_filter_post_kses whenever post content is saved.

Recent versions of WordPress allow some degree of full site editing, including global styles, which use their own sanitization function wp_filter_global_styles_post.

Unfortunately, however, the wp_filter_global_styles_post function ran after wp_filter_post_kses. Normally this would not be an issue, but wp_filter_global_styles_post performs a second round of JSON decoding on the content it has been passed, which allows for a number of bypasses that would normally be handled by wp_kses.

The patched version runs wp_filter_global_styles_post before wp_filter_post_kses so that any potential bypasses have already been processed and wp_kses can effectively sanitize them.
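The ordering problem described above can be reproduced with a simplified model. This is an added example, not WordPress code: `sanitizeHtml` is a toy stand-in for wp_kses, `JSON.parse` stands in for the extra decoding pass, and the sample input and all function names are constructed for illustration.

```javascript
// Simplified model of the filter-ordering issue; NOT WordPress code.
// sanitizeHtml is a toy stand-in for wp_kses (assumption for illustration).
function sanitizeHtml(input) {
  return input
    // drop <script> elements
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')
    // drop inline event-handler attributes such as onclick=...
    .replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// Constructed sample: JSON content whose value hides its angle brackets
// behind \u003c / \u003e escapes. The script body is a harmless placeholder.
const SAMPLE_CONTENT =
  '{"css":"\\u003cscript\\u003e/* placeholder */\\u003c/script\\u003ebody{color:red}"}';

// Pre-patch order: sanitize the raw text first, decode afterwards.
// The sanitizer only ever sees the escaped form, so it has nothing to remove;
// the decoding step then turns the escapes back into real markup.
function sanitizeThenDecode(rawJson) {
  const sanitizedText = sanitizeHtml(rawJson);
  return JSON.parse(sanitizedText).css;
}

// Patched order: decode first, then sanitize the value that will be used.
function decodeThenSanitize(rawJson) {
  const decoded = JSON.parse(rawJson);
  return sanitizeHtml(decoded.css);
}

// Regression check a defender can keep in a test suite: the final output of
// a filter pipeline must be a fixed point of the sanitizer. If running the
// sanitizer again changes the output, some transform ran after sanitization.
function outputIsClean(output) {
  return sanitizeHtml(output) === output;
}

function demo() {
  return {
    prePatch: sanitizeThenDecode(SAMPLE_CONTENT),
    patched: decodeThenSanitize(SAMPLE_CONTENT),
  };
}
```

The same fixed-point check applies to any pipeline that mixes decoding (JSON, URL, HTML entities) with sanitization: the sanitizer has to be the last transform applied to the data.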

This vulnerability does require the attacker to have the ability to edit posts, and as such they would need access to the account of at least a Contributor-level user. An attacker able to successfully exploit this vulnerability could inject malicious JavaScript into a post, which, when previewed by an administrator, would execute. JavaScript running in an administrator’s session can be used to take over a site via several methods including the addition of new malicious administrative users and the injection of backdoors into a website.

Prototype Pollution Vulnerabilities


Description: Prototype Pollution via the Gutenberg wordpress/url package
Affected Versions: WordPress Core < 5.9.2
CVE ID: Pending
CVSS Score: 5.0 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Fully Patched Version: 5.9.2
Researcher/s: Uncredited


Description: Prototype Pollution in jQuery
Affected Versions: WordPress Core < 5.9.2
CVE ID: CVE-2021-20083
CVSS Score: 5.0 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Fully Patched Version: 5.9.2
Researcher/s: Uncredited

Prototype pollution vulnerabilities allow attackers to inject key/value “properties” into JavaScript objects and are in many ways similar to PHP Object Injection vulnerabilities. In cases where the webserver is running JavaScript such as with Node.js, this can be used to achieve critical-severity exploits such as Remote Code Execution. WordPress, however, is a PHP application and does not run on Node.js so the impact of these vulnerabilities is limited.

One of these vulnerabilities was present in the Gutenberg wordpress/url package, while a separate but very similar vulnerability was present in jQuery, which was patched separately and updated to jQuery 2.2.3.

We are not aware of any practical exploits at this time, but any such exploits targeting WordPress would require user interaction, such as an attacker tricking a victim into clicking a link, similar to reflected Cross-Site Scripting (XSS).

An attacker successfully able to execute JavaScript in a victim’s browser could potentially take over a site, but the complexity of a practical attack is high and would likely require a separate vulnerable component to be installed. Nonetheless, the Wordfence Threat Intelligence team has released a firewall rule designed to block exploit attempts against these vulnerabilities.
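To make the bug class concrete, here is a generic query-string parser in a naive and a hardened form. This is an added example, not the code of the wordpress/url package or jQuery; the function names, the `gr_probe` key, and the sample query are constructed for illustration.

```javascript
// Added example: generic prototype pollution via a nested-key parser.
// All names are hypothetical; this is not the @wordpress/url or jQuery code.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// "size[w]" -> ["size", "w"]
function keyPath(key) {
  return key.replace(/\]/g, '').split('[');
}

// Yields [path, value] for every key=value pair in the query string.
function* pairs(query) {
  for (const pair of query.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const k = eq === -1 ? pair : pair.slice(0, eq);
    const v = eq === -1 ? '' : pair.slice(eq + 1);
    yield [keyPath(decodeURIComponent(k)), decodeURIComponent(v)];
  }
}

// Walks the path, creating intermediate nodes with newNode() as needed.
function setPath(root, path, value, newNode) {
  let node = root;
  for (const key of path.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = newNode();
    node = node[key]; // on a plain object, "__proto__" resolves to Object.prototype
  }
  node[path[path.length - 1]] = value;
}

// Naive form: plain objects and unchecked keys taken from input.
function parseQueryNaive(query) {
  const result = {};
  for (const [path, value] of pairs(query)) setPath(result, path, value, () => ({}));
  return result;
}

// Hardened form: reject dangerous path segments and use prototype-less
// objects so no key can reach a shared prototype.
function parseQueryHardened(query) {
  const result = Object.create(null);
  for (const [path, value] of pairs(query)) {
    if (path.some((k) => FORBIDDEN_KEYS.has(k))) continue;
    setPath(result, path, value, () => Object.create(null));
  }
  return result;
}

// Reports whether parsing changed Object.prototype, then cleans up the probe.
function pollutesPrototype(parser, query, probe) {
  parser(query);
  const polluted = Object.prototype.hasOwnProperty.call(Object.prototype, probe);
  delete Object.prototype[probe];
  return polluted;
}

// Constructed sample query containing one hostile key among normal ones.
const SAMPLE_QUERY = 'color=red&__proto__[gr_probe]=1&size[w]=10';
```

Rejecting the three reserved keys and using `Object.create(null)` are independent defenses; either one alone stops this input, and applying both protects code paths that later copy the parsed result into ordinary objects.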

Conclusion

In today’s article, we covered the 3 vulnerabilities patched in the WordPress 5.9.2 security release. Most actively used WordPress sites should have already been patched via automatic updates. The Wordfence firewall also provides protection against these vulnerabilities.

Despite this, we strongly recommend updating your site to a patched version of WordPress if it hasn’t been updated automatically. As long as you are running a version of WordPress greater than 3.7, an update is available to patch these vulnerabilities while keeping you on the same major version, so you should not have to worry about compatibility issues.

Help secure the WordPress community by sharing this information with WordPress site owners in your circle.

Source :
https://www.wordfence.com/blog/2022/03/wordpress-5-9-2-security-update-fixes-xss-and-prototype-pollution-vulnerabilities/

Ransomware is Everywhere

Of all the products and services you use each day, how many have been impacted by ransomware? SonicWall takes an in-depth look.

There’s no question that ransomware is on the rise. In the 2022 SonicWall Cyber Threat Report, SonicWall Capture Labs threat researchers reported 623.3 million ransomware attacks globally, a 105% year-over-year increase. And many industries saw triple- and even quadruple-digit spikes, such as government (+1,885%), healthcare (+755%) and education (+152%).

If your organization hasn’t yet dealt with an attack like this, however, it’s easy to see ransomware as an unusual and far-off problem. While this may have been true 10 years ago, today ransomware touches every facet of our lives.

To illustrate both the pervasiveness of ransomware and its ability to disrupt the life of an average person, we’ve constructed an average day that any business traveler might experience:

At 7 a.m., the alarm on your Apple iPhone jolts you awake to start another day. You suds up with some Avon body wash, pull on your Guess slacks and a Boggi Milano blazer, and grab your Kenneth Cole briefcase before heading out the door.

Once inside your Honda Passport, you tune in to your favorite sports podcast, where they’re recapping last night’s San Francisco 49ers game. You become so immersed in the discussion you almost forget to stop for fuel — you grab a Coke while you’re there, just in case you’re waiting a while for your flight.

Once you get to the airport, you check in, then look for a quiet place to get some work done. Fortunately, at this point the lounge is deserted. You dig out your Bose earbuds and stream some Radiohead from your laptop while you wait for boarding.

Your flight is uneventful, and the crowds at Hartsfield-Jackson International are almost as sparse as the ones at Cleveland Hopkins International. But unfortunately, you’re completely famished by this point. There’s a McDonalds on Concourse A, and you order a cheeseburger.

The evening is young and you consider going out, but it’s been a long day. On your way to check in at the Ritz Carlton, you decide to stop at a Barnes and Noble. You grab a graphic novel and treat yourself to a box of SweeTarts to enjoy during your quiet night in.

According to the cable listings, there’s an NBA game on TV, but it doesn’t start until 9 p.m. — giving you a few minutes to log in to Kronos and get a head start on expense reports. With a full day of meetings ahead of you, you enjoy a hot shower, pull on your pajamas and slippers, and head off to bed.

While the number of organizations affected by ransomware grows every day, yours doesn’t have to be one of them. Part of avoiding ransomware is knowing how ransomware groups operate, what industries they target and where they’re likely to hit next. For a comprehensive look at SonicWall’s exclusive ransomware data for the past year, download the 2022 SonicWall Cyber Threat Report.

Source :
https://blog.sonicwall.com/en-us/2022/03/ransomware-is-everywhere/

Business Email Compromise (BEC) Attacks: Inside a $26 Billion Scam

A new Osterman Research study explores why Business Email Compromise (BEC) attacks are more financially devastating than ransomware — and how they can be stopped.

Why would cybercriminals employ obfuscation tools, launch multi-stage cyberattacks, encrypt endpoints and haggle over ransom amounts … when they could just ask for the money? This is the concept behind Business Email Compromise (BEC) attacks — a type of cyberattack that has grown dramatically over the past few years.

The U.S. federal government’s Internet Complaint Center (IC3), which has been tracking these attacks since 2013, has dubbed BEC attacks the “$26 billion scam” — though this moniker is likely out of date due to escalating attack volumes and increased reliance on email throughout the pandemic.

And though high-profile ransomware attacks continue to dominate headlines, far more money is lost to BEC attacks. For example, in 2020, BEC attacks accounted for $1.8 billion in the U.S. alone, and an estimated 40% of cybercrime losses globally.

The Anatomy of a BEC Attack

While they’re considered a type of phishing attack, BEC attacks don’t rely on malicious code or links. Instead, they let social engineering do the heavy lifting. These attacks specifically target organizations that perform legitimate transfer-of-funds requests, and almost exclusively appeal to seniority to secure compliance.

According to the Osterman white paper sponsored by SonicWall, “How to Deal with Business Email Compromise,” BEC threat actors create email addresses that mimic those used by senior executives, use free services such as Gmail to create email addresses that appear to be an executive’s personal account, or, less commonly, gain access to executives’ actual corporate email accounts using phishing attacks or other means.

Image describing phishing

Above is a BEC email I’ve received. Note the appeal to authority — the message appears to come from SonicWall’s CEO, despite originating from an outside address — as well as the sense of urgency throughout. This is a rather clunky example; many of these emails are much more sophisticated in both language and execution.

Once the attacker has a plausible email account from which to operate, they use social engineering tactics to request the target either divert payment on a valid invoice to the criminal’s bank account, solicit payment via fake invoice or divert company payroll to a fraudulent bank account.

Since these attacks appeal to a sense of urgency and appear to come from a CEO, CFO or someone else in charge, many targets are eager to comply with the requests as quickly as possible. Once they do, the company is out a large sum of money, and the cybercriminal celebrates another payday.

How Common are BEC attacks?

BEC attacks have been recorded in every state in the U.S., as well as 177 countries around the world. Based on the latest report from IC3, nearly 20,000 of these attacks were reported in 2020 alone — likely an undercount, given that Osterman’s research found that four out of five organizations were targeted by at least one BEC attack in 2021. For mid-sized businesses (those with 500-2,500 email users), that number rose to nine out of 10.

Worse, almost 60% of the organizations surveyed reported being the victims of a successful or almost successful BEC attack. For those who were successfully targeted, the costs were significant: a combination of direct costs and indirect costs brought the total financial impact of a successful BEC incident to $114,762. Unfortunately, the direct costs, while significant for an individual organization, are often too small to trigger help from law enforcement agencies and insurance companies.

BEC Attacks Can Be Stopped (But Probably Not in the Way You Think.)

Many other attacks rely on malicious links and code, which can be spotted by anti-malware solutions and secure email gateways. But the sort of social engineering tactics used in BEC attacks — particularly those from a legitimate email address — often cannot be caught by these solutions.

Even so, while three-quarters of respondents say that protecting against these attacks is important to them, many are still depending primarily on technologies that were never designed to stop BEC attacks.

There’s not a lot you can do to prevent being among the 80% (and growing) of companies targeted by BEC attacks each year, but there are plenty of other things you can do to safeguard your organization’s finances. They all fall under three primary pillars: People, Process and Technology.

Technology is your first line of defense against BEC attacks. Many solutions claim the ability to combat BEC attacks, but their effectiveness varies widely. For best protection, look for one that will both block BEC attacks and guide employees.

Notice in the example above how there’s an alert warning that the email originated from outside the organization? While simple, these sorts of alerts can make the difference between a BEC attempt that’s ultimately successful, and one that’s scrutinized and deleted upon receipt.

Particularly in companies that are still relying on traditional technology protections, employee training is an indispensable backup protection. Employees should be coached to look for spoofed email addresses, uncharacteristic grammar and syntax, and an unusual sense of urgency.

In the case of particularly sophisticated attempts, processes should be in place in case a BEC attempt makes it into the inbox and isn’t identified by the recipient as suspect. Policies such as a multi-person review of requests to change bank account details or mandated out-of-band confirmations are often successful as a last line of defense against BEC.

Source :
https://blog.sonicwall.com/en-us/2022/03/bec-attacks-inside-a-26-billion-scam/