-
Finding cool custom vanity CA license plates
10 votes -
Anthropic disrupts cybercriminal using AI for large-scale theft and extortion
17 votes -
To avoid hiring North Koreans, Coinbase now requires in-person orientations
11 votes -
Copilot broke your audit log, but Microsoft won’t tell you
38 votes -
Is someone using Filen?
11 votes -
Understanding what a VPN can do for you and how to pick the right one
16 votes -
Looking for tips/advice for a hardware firewall/VPN for a small to medium size nonprofit
Edit: Decided to go with the Ubiquiti Dream Machine Pro. Thank you for all the suggestions and advice!
Hey Tildenauts,
I'm planning to help a local nonprofit replace their aging hardware firewall pro bono. I have a fair amount of experience with networking and security, especially where web servers are concerned, but I haven't set up a hardware firewall recently enough to know off the top of my head which are the best options here.
The organization is fairly small but on its way to medium sized, around 30 employees at the moment but will likely expand to 50+ in coming years. So I'm looking for a solution that will comfortably scale up to 100 employees. There is remote work, accessing their local server via VPN, so something that comes bundled with a user friendly VPN client would be ideal. I haven't seen their physical setup yet but I know their server gets a lot of use. Not all employees use it remotely on a regular basis but many do.
From past experience I know that Cisco, Sophos and SonicWall are potential options. Cisco seems to be pushing their Meraki platform pretty hard but I don't think this organization needs a subscription based solution.
Anyone have recommendations for hardware firewalls I should consider? Any potential footguns I should know about?
Thanks in advance!
9 votes -
WinRAR zero-day under active exploitation – update to latest version immediately
40 votes -
Tilde is kill?
SEC_ERROR_EXPIRED_CERTIFICATE @Deimos did you forget that Let's Encrypt stopped emailing expiration reminders?
71 votes -
uBlock Origin Lite for Safari
32 votes -
Dropbox Passwords being discontinued
30 votes -
The viral 'Tea' app just had a second data breach, and it's even worse
50 votes -
North Korean hackers ran US-based “laptop farm” from Arizona woman’s home
25 votes -
After $380M hack, Clorox sues its “service desk” vendor for simply giving out passwords
27 votes -
Revisiting my digital security model
18 votes -
Death by a thousand slops | daniel.haxx.se
36 votes -
Working on a ~2008 dream gaming computer running Vista (in an old server)
Any clever ways to connect to the Internet safely to update drivers, security, etc? I'd only want to connect to Intel, AMD, Microsoft, etc, and then would physically disconnect the LAN card. I know, dangerous, but I'm trying a piecemeal approach with a flash drive and getting mixed results. I tried to update to Service Pack 2, and it bricked the computer on restart, back to flashing Vista.
15 votes -
Is a career change towards cybersecurity viable for someone with an accountancy background?
Sorry if this isn't the best place to ask. IT and cybersecurity-focused communities over on Reddit aren't exactly the most welcoming places for such questions, and reading the r/ITCareerQuestions wiki has made me seriously question if I'm being sold false promises of working in a sector that actually has a low demand for workers. Then again, that wiki page seems more geared towards the US job market.
Two weeks ago, I responded to an Instagram ad advertising cybersecurity courses, because the job market is horrible here in the UK right now, and after some setbacks with my ACCA studies, I am seriously considering just giving up on trying to get into chartered accountancy because that path is closing many more doors for me. A course advisor rang me asking about the reasons I showed interest in the ad, then we had a long discussion about any questions I had, what the sector is apparently like, etc.
Some of the claims seem too good to be true, i.e. that it's an industry where you can afford to be picky, jobs outnumber people by almost 3 to 1, most jobs are remote, the provider boasts a 90%+ employment rate, I don't need programming experience, the most complex thing I'd be doing is running command prompt/PowerShell commands and scripts.
The firm itself seems legitimate. They offer CompTIA, Microsoft, Cisco, AWS and EC-Council certifications, have good review scores on Trustpilot, are a registered training provider and limited company in the UK, and are supposedly an assured service provider with the National Cyber Security Centre (NCSC.) The courses they mentioned to me in their syllabus supposedly come to £4k and would take about six months.
- Am I right to be wary about what this training provider are offering?
- Do you require extensive programming knowledge or a computer science background to work in cybersecurity in any capacity? A friend with an IT background has told me that Python is useful in his field.
- Is the reality of IT and cybersecurity jobs in the UK (or in the West) far different from what has been painted to me?
24 votes -
No, of course I can! Refusal mechanisms can be exploited using harmless fine-tuning data.
9 votes -
The EU wants to decrypt your private data by 2030
50 votes -
I've always found the common approach that websites take to changing the email associated with an account iffy but I am not sure if I am wrong
I have changed my email more than once, just as part of customizing my online identity and all that.
and that obviously required me to log in to any accounts I had and update the email associated with them.
the most common workflow I have found is
login -> navigate to settings page -> edit the email field to the new email -> go to the inbox for the new email -> click confirm on confirmation email
then you can go to that website and do the forgot password, provide your email and change the password and get complete control.
I have always found that workflow weird cause it's the most prevalent one I have come across and seems so susceptible to tampering.
if someone leaves their laptop unattended for 3-4 minutes in public while visiting a bathroom (which happened often in the library of my university), there was nothing preventing me from going to their Facebook or whatever account they had open on their computer, changing the email to my own email and then clicking confirm on my inbox once I am back at my desk.
and most people don't have 2FA so that would effectively give me control of their account.
Hell, my university once had a potential data breach and they were 99.999% sure the data was not actually accessed by a malicious actor but still sent a mass email saying that they were advising everyone to change their passwords. a classmate of mine in the software systems program's attitude was basically "oh well, who cares?" and I just facepalmed internally.
there are maybe 3 websites I have come across that instead first send a confirmation email to your current inbox and after you confirm on that, then you get a confirmation email on the new email inbox. which isn't perfect but I feel like it's a bit more sensical and the best you can do without involving 2FA.
even then, that's also susceptible to the situation I described above if the user is always logged into their email.
I find it odd that websites don't prompt for a password as part of the email update process (or better yet 2FA with an app as even prompting for a password isn't a guarantee if the user has the password manager as an extension in their browser and they recently unlocked it before leaving their session unattended) to ensure that email changes are always done by the account owner.
16 votes -
Passkey vs smart use of passwords
I went down the path of thinking about switching to Passkeys but it seems like more hassle than it is worth, so I hoped this community could tell me if I am crazy.
I use Bitwarden to generate and save passwords for anything important and always use an authentication app when the option is present. I never use the same password. Sadly, most Canadian banks are awful and only allow SMS 2FA if anything at all. That said, of the two banks I primarily use, one does allow an authentication app and the other uses its own app to send authentication codes.
I always read that Passkeys are better for people who are lazy/bad with their passwords. For someone like me, is the security practically the same or is there still some benefit to switching everything I can to Passkeys?
31 votes -
Address bar shows hp.com. Browser displays scammers’ malicious text anyway.
31 votes -
Reddit in talks to embrace Sam Altman's iris-scanning Orb to verify users
40 votes -
Cybernews research team has uncovered over sixteen billion leaked records since the start of 2025
37 votes -
Before the government announced its move, Denmark's largest cities of Copenhagen and Aarhus had already announced plans to phase out Microsoft software and cloud services. Here's why.
48 votes -
Coming to Apple OSes: A seamless, secure way to import and export passkeys
14 votes