Network Security - UTM

scottalanmiller

@Dashrender said:

If you go to Scott's no VPN SaaS solution, you will loose those features as well, unless you upgrade everyone to Windows 10 and move to Azure AD.

That's why I asked what was running over it.

Dashrender

Scott - What is your proposal for managing widely dispersed Windows machines when not using AD? Let's assume that we don't want the end user to have local admin rights - what kind of MDM like solution would you recommend?

Of course we don't know if @hobbit666 uses AD today, but assuming he does, how does he resolve that?

Of course things like file shares can be handled by OwnCloud or SharePoint, or even something like DropBox.

scottalanmiller

@Dashrender said:

Scott - What is your proposal for managing widely dispersed Windows machines when not using AD? Let's assume that we don't want the end user to have local admin rights - what kind of MDM like solution would you recommend?

Some places even go to just using a local admin account tracked by the central IT office. Not ideal, but it works. As an MSP, we see this all the time because lots of SMBs won't pay for AD.

Dashrender

@hobbit666 said:

@Dashrender said:

@hobbit666 said:

@Dashrender said:

Why are those 6 sites different, unless they aren't part of the MPLS?

Basically they have to connections one is the "MPLS" that they use citrix through which will be on a old ADSL connection.
Then we would of upgrade a old CCTV line etc to FTTC and now route "internet" traffic through that to keep the MPLS for Citrix only (these are mainly sites that are classed as offices i.e. sales and admin people)

Was internet traffic so bad at those 6 sites that it caused an issue for the Citrix connection? If so, you could have solved it by putting in filtering on the MPLS device (but as you mentioned it was controlled by the MPLS provider and they couldn't get it working).

Two things really, as these sites were on ADSL connections doing things on the "internet" and doing work through the MPLS are making things slow. So now with the internet on a separate connection they can't moan BBC website is slow lol
When I say ADSL I mean the lowest end of the scale 1Mb if that at times. (We are based in Mid Wales so internet until recently was low priority for BT)

LOL - is it your job to worry about them moaning that BBC site is slow? is that important to the business? Sounds like an HR problem to me. But - if it is a requirement of the business for it to work, and work well, well that is your problem, and it sounds like you already solved that with the FTTC.

hobbit666

@Dashrender said:

@hobbit666 said:

@Dashrender said:

@hobbit666 said:

@Dashrender said:

Why are those 6 sites different, unless they aren't part of the MPLS?

Basically they have to connections one is the "MPLS" that they use citrix through which will be on a old ADSL connection.
Then we would of upgrade a old CCTV line etc to FTTC and now route "internet" traffic through that to keep the MPLS for Citrix only (these are mainly sites that are classed as offices i.e. sales and admin people)

Was internet traffic so bad at those 6 sites that it caused an issue for the Citrix connection? If so, you could have solved it by putting in filtering on the MPLS device (but as you mentioned it was controlled by the MPLS provider and they couldn't get it working).

Two things really, as these sites were on ADSL connections doing things on the "internet" and doing work through the MPLS are making things slow. So now with the internet on a separate connection they can't moan BBC website is slow lol
When I say ADSL I mean the lowest end of the scale 1Mb if that at times. (We are based in Mid Wales so internet until recently was low priority for BT)

LOL - is it your job to worry about them moaning that BBC site is slow? is that important to the business? Sounds like an HR problem to me. But - if it is a requirement of the business for it to work, and work well, well that is your problem, and it sounds like you already solved that with the FTTC.

Yes as it's got a plug on the end of the router it's down to us, and "internet" is an IT term so yes the connection being slow is out fault too

But kind to why I started this thread is those 6 sites as I see them are security risks as we only have a basic router on them and why I asked if UTMs are not the way to go what is.

scottalanmiller

@hobbit666 said:

But kind to why I started this thread is those 6 sites as I see them are security risks as we only have a basic router on them and why I asked if UTMs are not the way to go what is.

Why does a basic router make them a security risk? As long as it isn't a Linksys, you are roughly the same as any Fortune 500.

hobbit666

@scottalanmiller said:

@hobbit666 said:

But kind to why I started this thread is those 6 sites as I see them are security risks as we only have a basic router on them and why I asked if UTMs are not the way to go what is.

Why does a basic router make them a security risk? As long as it isn't a Linksys, you are roughly the same as any Fortune 500.

I don't know are they? From the adverts you see on Spiceworks/Facebook/Anywhere a UTM is the best things to stop hackers getting into your company and stealing your data (like some high profile cases on the news lately). So would you say people don't need UTM devices at all? So where do they fit?

coliver

@hobbit666 said:

@scottalanmiller said:

@hobbit666 said:

But kind to why I started this thread is those 6 sites as I see them are security risks as we only have a basic router on them and why I asked if UTMs are not the way to go what is.

Why does a basic router make them a security risk? As long as it isn't a Linksys, you are roughly the same as any Fortune 500.

I don't know are they? From the adverts you see on Spiceworks/Facebook/Anywhere a UTM is the best things to stop hackers getting into your company and stealing your data (like some high profile cases on the news lately). So would you say people don't need UTM devices at all? So where do they fit?

I would take Spiceworks ads with a grain of salt. They are a marketing company not an IT company.

hobbit666

@coliver said:

@hobbit666 said:

@scottalanmiller said:

@hobbit666 said:

But kind to why I started this thread is those 6 sites as I see them are security risks as we only have a basic router on them and why I asked if UTMs are not the way to go what is.

Why does a basic router make them a security risk? As long as it isn't a Linksys, you are roughly the same as any Fortune 500.

I don't know are they? From the adverts you see on Spiceworks/Facebook/Anywhere a UTM is the best things to stop hackers getting into your company and stealing your data (like some high profile cases on the news lately). So would you say people don't need UTM devices at all? So where do they fit?

I would take Spiceworks ads with a grain of salt. They are a marketing company not an IT company.

I know it was more a generalisation of UTMs being marketed as a "must have" device to secure your network from threats.

Dashrender

@hobbit666 said:

@scottalanmiller said:

@hobbit666 said:

But kind to why I started this thread is those 6 sites as I see them are security risks as we only have a basic router on them and why I asked if UTMs are not the way to go what is.

Why does a basic router make them a security risk? As long as it isn't a Linksys, you are roughly the same as any Fortune 500.

I don't know are they? From the adverts you see on Spiceworks/Facebook/Anywhere a UTM is the best things to stop hackers getting into your company and stealing your data (like some high profile cases on the news lately). So would you say people don't need UTM devices at all? So where do they fit?

It totally depends on what your goals are.

Personally, from a business perspective, filtering web access seems like a wise thing to do to shrink the exposure your network has to the internet (i.e. you don't users going anywhere and everywhere online).

I know this seems draconian, but do people really need internet access at work if there job doesn't require it's use?

Do people really need to be connected to FB, twitter, etc while doing a job that does not include those things?

Scott talks about the 98% getting in the way of the 2%, well allowing access to those types of things just seems to contribute to that.

Dashrender

@hobbit666 said:

@Dashrender said:

@hobbit666 said:

@Dashrender said:

@hobbit666 said:

@Dashrender said:

Why are those 6 sites different, unless they aren't part of the MPLS?

Basically they have to connections one is the "MPLS" that they use citrix through which will be on a old ADSL connection.
Then we would of upgrade a old CCTV line etc to FTTC and now route "internet" traffic through that to keep the MPLS for Citrix only (these are mainly sites that are classed as offices i.e. sales and admin people)

Was internet traffic so bad at those 6 sites that it caused an issue for the Citrix connection? If so, you could have solved it by putting in filtering on the MPLS device (but as you mentioned it was controlled by the MPLS provider and they couldn't get it working).

Two things really, as these sites were on ADSL connections doing things on the "internet" and doing work through the MPLS are making things slow. So now with the internet on a separate connection they can't moan BBC website is slow lol
When I say ADSL I mean the lowest end of the scale 1Mb if that at times. (We are based in Mid Wales so internet until recently was low priority for BT)

LOL - is it your job to worry about them moaning that BBC site is slow? is that important to the business? Sounds like an HR problem to me. But - if it is a requirement of the business for it to work, and work well, well that is your problem, and it sounds like you already solved that with the FTTC.

Yes as it's got a plug on the end of the router it's down to us, and "internet" is an IT term so yes the connection being slow is out fault too

Well, If management has told you to fix the problem, then I guess you fix the problem. But it's not really about "it's got a plug, so it's IT's issue" The company really should be deciding.. is this a real problem that they want solved, or do they want correct behavior that is bad for their company?

scottalanmiller

@hobbit666 said:

@scottalanmiller said:

@hobbit666 said:

But kind to why I started this thread is those 6 sites as I see them are security risks as we only have a basic router on them and why I asked if UTMs are not the way to go what is.

Why does a basic router make them a security risk? As long as it isn't a Linksys, you are roughly the same as any Fortune 500.

I don't know are they? From the adverts you see on Spiceworks/Facebook/Anywhere a UTM is the best things to stop hackers getting into your company and stealing your data (like some high profile cases on the news lately). So would you say people don't need UTM devices at all? So where do they fit?

Almost no one needs them, and they do zip for hackers. Absolutely nothing. That's not an all what a UTM is for. UTMs are mostly just hype. I have never encountered a shop that should have a UTM. Someone should have one, but it is extremely rare.

UTMs are for shops with a huge investment in LAN mentality and no way to get away from it. It's a kludge for architectural shortcomings. At best, UTMs do very little at great cost. At worst, they cause harm.

scottalanmiller

@hobbit666 said:

@coliver said:

@hobbit666 said:

@scottalanmiller said:

@hobbit666 said:

But kind to why I started this thread is those 6 sites as I see them are security risks as we only have a basic router on them and why I asked if UTMs are not the way to go what is.

Why does a basic router make them a security risk? As long as it isn't a Linksys, you are roughly the same as any Fortune 500.

I don't know are they? From the adverts you see on Spiceworks/Facebook/Anywhere a UTM is the best things to stop hackers getting into your company and stealing your data (like some high profile cases on the news lately). So would you say people don't need UTM devices at all? So where do they fit?

I would take Spiceworks ads with a grain of salt. They are a marketing company not an IT company.

I know it was more a generalisation of UTMs being marketed as a "must have" device to secure your network from threats.

If they need to be marketed, that would indicate that no one needs them. If they made sense, you woudn't need to spend money trying to sell them.

Dashrender

@scottalanmiller said:

@hobbit666 said:

@coliver said:

@hobbit666 said:

@scottalanmiller said:

@hobbit666 said:

But kind to why I started this thread is those 6 sites as I see them are security risks as we only have a basic router on them and why I asked if UTMs are not the way to go what is.

Why does a basic router make them a security risk? As long as it isn't a Linksys, you are roughly the same as any Fortune 500.

I don't know are they? From the adverts you see on Spiceworks/Facebook/Anywhere a UTM is the best things to stop hackers getting into your company and stealing your data (like some high profile cases on the news lately). So would you say people don't need UTM devices at all? So where do they fit?

I would take Spiceworks ads with a grain of salt. They are a marketing company not an IT company.

I know it was more a generalisation of UTMs being marketed as a "must have" device to secure your network from threats.

If they need to be marketed, that would indicate that no one needs them. If they made sense, you woudn't need to spend money trying to sell them.

Hence you barely if ever see advertising for Ubiquiti's EdgeRouter stuff.

scottalanmiller

@Dashrender said:

I know this seems draconian, but do people really need internet access at work if there job doesn't require it's use?

If it seems that way to you, imagine how it feels to the end users.

Once you go down this path, you no longer see your staff as your asset, you see them as the enemy.

Dashrender

@scottalanmiller said:

@Dashrender said:

I know this seems draconian, but do people really need internet access at work if there job doesn't require it's use?

If it seems that way to you, imagine how it feels to the end users.

Once you go down this path, you no longer see your staff as your asset, you see them as the enemy.

Ummm... Frankly I do. They are the enemy of security. End users are almost always the weakest link in a companies security.

scottalanmiller

@Dashrender said:

Do people really need to be connected to FB, twitter, etc while doing a job that does not include those things?

Need to, no. Should we block it? Why? It takes time, money and introduces risks to block it.

Unless you take away their cell phones, pagers, and such when they walk in the door, I'd say this makes no sense. Don't single out services we have a personal feeling about. It undermines IT and management's authority.

There are jobs that need isolation, and they REALLY take those things away and lock you in and have Faraday cages around the office. I've actually worked there. It really happens.

Unless you are doing that, you are not blocking access, you are just making things adversarial in the office.

scottalanmiller

@Dashrender said:

Ummm... Frankly I do. They are the enemy of security. End users are almost always the weakest link in a companies security.

Then every one should be fired. If you have enemies in the company, whoever hired them and retains them is a sabatour. Call the police.

If the owners of the company don't agree, that makes IT the enemy.

Dashrender

I care less about blocking access to FB, etc because of productivity, that's not an IT concern (in this case), instead I'm concerned with keeping my network safe. Blocking them from anything not specifically business related seems like a prudent thing to do.

Removing external email (or access to their personal email on company machines) seems like a great start in the battle against baddies getting into our network.

scottalanmiller

@Dashrender said:

I care less about blocking access to FB, etc because of productivity, that's not an IT concern (in this case), instead I'm concerned with keeping my network safe. Blocking them from anything not specifically business related seems like a prudent thing to do.

Only seems. Isn't really. FB is not a big infection vector. Making people upset and do weird things and disrespect IT and management, is a huge vector.