Network Security - UTM
-
@hobbit666 said:
I think the idea coming from the one supplier was to create a "MPLS" using Sophos.
So the problems there...
- You are paying for MPLS but looking to ignore it and buy something that replicates it "again." That's not good spending.
- You are just talking about running a hub and spoke VPN instead of using the MPLS.
- Someone let the enemy in the gates and you have someone attempting to screw you in a position of giving advice that has none of your company's interest in mind. You've got a fundamental security issue that no technology can fix.
-
@hobbit666 said:
The other option we have is find a MPLS provider that CAN give us bandwidth monitoring and web filtering lol
That's not the job of an MPLS provider. That's like asking your road construction crew for a good radio in your car. They make the roads, YOU need to buy the right car. You don't replace a good road crew because you don't like their lack of car reselling options.
Why do you need bandwidth monitoring and web filtering? What is the goal with them?
Why not just do those things at the gateway? Why do them between the sites?
-
@scottalanmiller said:
Why do you need bandwidth monitoring and web filtering? What is the goal with them?
Why not just do those things at the gateway? Why do them between the sites?
Stop people from using facebook/youtube all day and block sites like Adult material. Also to make sure people aren't using things lie Bit Torrent etc.
Because our gateway is the MPLS and they can't/won't. Hence the reason for looking.And yes the Sophos solution would be Hub and spoke
-
@scottalanmiller said:
- You are paying for MPLS but looking to ignore it and buy something that replicates it "again." That's not good spending.
We are but considering replacing the current provider so that would be gone
-
Because our gateway is the MPLS and they can't/won't. Hence the reason for looking.
MPLS is not a gateway, it is a link. The gateway is where the MPLS connects to your network. The issue here is asking for the wrong product from the wrong people. The gateway is yours to control. You control the access to the MPLS. Put whatever security in that you need, don't look to duplicate the MPLS connectivity in a poor manner because the MPLS provider is not your gateway.
-
@hobbit666 said:
We are but considering replacing the current provider so that would be gone
That's fine, if you have no need for MPLS, but MPLS is what enables what you want. Doing the same thing with VPNs would be very obnoxious. You'd be far better off with Facebook and YouTube on the network than doing that. It would be cutting off your nose to spite your face.
I'm all for moving away from expensive MPLS circuits, I rarely find that they make sense. But everything you are talking about designing around is based on MPLS, not VPN, utilization.
-
@hobbit666 said:
And yes the Sophos solution would be Hub and spoke
Which is slow and cumbersome. What services are delivered from the hub?
-
@scottalanmiller said:
Because our gateway is the MPLS and they can't/won't. Hence the reason for looking.
MPLS is not a gateway, it is a link. The gateway is where the MPLS connects to your network. The issue here is asking for the wrong product from the wrong people. The gateway is yours to control. You control the access to the MPLS. Put whatever security in that you need, don't look to duplicate the MPLS connectivity in a poor manner because the MPLS provider is not your gateway.
See this confuses me as they are providing internet access to all our sites including HeadOffice. it's only at 6 sites that the internet is through FTTC (BT)
-
@hobbit666 said:
Stop people from using facebook/youtube all day and block sites like Adult material. Also to make sure people aren't using things lie Bit Torrent etc.
Just put in a web filter then, don't look at UTM. UTM is the wrong technology. If you really need this stuff, you can handle it the "easy" way which is stopping people from accidentally doing things that you don't want by just redirecting DNS. If this is a security matter then really you need to ask HR why they are not making a policy against it but asking IT to do something and/or not enforcing the policy and making a mockery of their jobs.
If you must block content, then you use a web filter like Websense or Squid.
-
@hobbit666 said:
See this confuses me as they are providing internet access to all our sites including HeadOffice. it's only at 6 sites that the internet is through FTTC (BT)
Right, they are the ISP, not the gateway. Your gateway is where the ISP connects to your business.
Think of it like the road, the GATE is at the end of your driveway. You don't ask the local village to maintain your gate, you install a gate and maintain it yourself. It's the point where your personal road (driveway) meets the public one.
-
@scottalanmiller said:
@hobbit666 said:
And yes the Sophos solution would be Hub and spoke
Which is slow and cumbersome. What services are delivered from the hub?
It's where out Dynamics GP sits and all the sites access it via Citrix XenApp. That's all the MPLS is for mainly, then as I mentioned we get Internet access from it too.
-
@scottalanmiller said:
@hobbit666 said:
See this confuses me as they are providing internet access to all our sites including HeadOffice. it's only at 6 sites that the internet is through FTTC (BT)
Right, they are the ISP, not the gateway. Your gateway is where the ISP connects to your business.
Think of it like the road, the GATE is at the end of your driveway. You don't ask the local village to maintain your gate, you install a gate and maintain it yourself. It's the point where your personal road (driveway) meets the public one.
But where would our gate sit? In there datacentre (as we have asked and we can't)?
As no "internet" traffic passes through us at HO, so each store site when they go on internet it does through ISP/MPLS what ever you label it and out, we have no control.
-
@hobbit666 said:
It's where out Dynamics GP sits and all the sites access it via Citrix XenApp. That's all the MPLS is for mainly, then as I mentioned we get Internet access from it too.
I'm confused. The reason for having XenApp would be to not have MPLS (or VPN.) What function do the MPLS or VPN (Sophos) Red play, then, if you already have XenApp?
Or, to put it another way, it sounds like you've already designed a "LANless" infrastructure but are spending what is likely a fortune creating complexity of extending the LAN to many sites without benefit. The MPLS or the VPN would just be "in the way" making things work more poorly while costing more, right? What benefit to they potentially add?
-
@hobbit666 said:
But where would our gate sit? In there datacentre (as we have asked and we can't)?
Not "would it", but "does it." You must have a router connecting to your MPLS, right? You don't let the MPLS hand you Ethernet and you just plug it into your core switch and have the world open to your network, right?
What do you mean you can't have a gateway router in your datacenter? Even your home has one of these.
-
@hobbit666 said:
As no "internet" traffic passes through us at HO, so each store site when they go on internet it does through ISP/MPLS what ever you label it and out, we have no control.
Then each site has its own gateway. You always have control, that cannot be taken away. The ISP has zero say in that (they can't, it doesn't make sense from a networking perspective.)
It is physically possible for an ISP to provide gateway services for you, but never recommended. But they cannot ever take that capability away from you.
-
At the moment everything ISP/MPLS is controlled by them we pay for a managed service we don't have access to the routers at sites, they control them they do the firewall bits etc etc. Yes we could but extra Firewall/UTMs in to separate they from us but this wasn't done as they said they could provide Web Filtering with the service, when they switched it on it failed and was told it wouldn't work for us etc lol
(Please remember this was all done before I arrived so it's what I got to work with) -
@hobbit666 said:
At the moment everything ISP/MPLS is controlled by them we pay for a managed service we don't have access to the routers at sites, they control them they do the firewall bits etc etc. Yes we could but extra Firewall/UTMs in to separate they from us but this wasn't done as they said they could provide Web Filtering with the service, when they switched it on it failed and was told it wouldn't work for us etc lol
(Please remember this was all done before I arrived so it's what I got to work with)Okay, so the issue is paying for a service that hasn't been provided and not putting in the proper service when it wasn't provided.
Sounds simple, install the gateways and you are done. It's fine use a managed gateway service, when it works, although you can see why I advise against that kind of thing. You don't want your ISP to control anything more than necessary, ever. It's a fundamentally bad idea. They own you, the ability to extort, even accidentally, is incredible. You want to keep your ISP relationship as lean as possible.
-
So would you recommend (or should it be like this anyway?) having the MPLS provided as is but move the internet "Gateway/Breakout" to our control and separate connection.
i.e. something like this:--
So then the MPLS people are only providing the connection to the WAN network. Then we can drop in a UTM or what ever we need to control/monitor what happening. -
@hobbit666 said:
So would you recommend (or should it be like this anyway?) having the MPLS provided as is but move the internet "Gateway/Breakout" to our control and separate connection.
i.e. something like this:--
So then the MPLS people are only providing the connection to the WAN network. Then we can drop in a UTM or what ever we need to control/monitor what happening.For very special cases, yes. But this is a huge investment into very old style "LAN" thinking. I would generally advice very much the opposite.
-
Things that I would typically advise, given the limited scope of knowledge that I have here...
- Avoid any investment into LAN style thinking.
- Remove the MPLS
- Move to traditional direct Internet WAN links.
- Do no VPN
- Lower costs and increase system performance
- Only consider tight network control if truly necessary, normally it is a negative, not a positive. Only in less than normal circumstances does network control of end users result well. It carries high cost and often negative results.
- Any control or security should be done at the LAN edge of each site with no association between the sites.
