Network Security - UTM

scottalanmiller

@hobbit666 said:

But kind to why I started this thread is those 6 sites as I see them are security risks as we only have a basic router on them and why I asked if UTMs are not the way to go what is.

Why does a basic router make them a security risk? As long as it isn't a Linksys, you are roughly the same as any Fortune 500.

hobbit666

@scottalanmiller said:

@hobbit666 said:

But kind to why I started this thread is those 6 sites as I see them are security risks as we only have a basic router on them and why I asked if UTMs are not the way to go what is.

Why does a basic router make them a security risk? As long as it isn't a Linksys, you are roughly the same as any Fortune 500.

I don't know are they? From the adverts you see on Spiceworks/Facebook/Anywhere a UTM is the best things to stop hackers getting into your company and stealing your data (like some high profile cases on the news lately). So would you say people don't need UTM devices at all? So where do they fit?

coliver

@hobbit666 said:

@scottalanmiller said:

@hobbit666 said:

But kind to why I started this thread is those 6 sites as I see them are security risks as we only have a basic router on them and why I asked if UTMs are not the way to go what is.

Why does a basic router make them a security risk? As long as it isn't a Linksys, you are roughly the same as any Fortune 500.

I don't know are they? From the adverts you see on Spiceworks/Facebook/Anywhere a UTM is the best things to stop hackers getting into your company and stealing your data (like some high profile cases on the news lately). So would you say people don't need UTM devices at all? So where do they fit?

I would take Spiceworks ads with a grain of salt. They are a marketing company not an IT company.

hobbit666

@coliver said:

@hobbit666 said:

@scottalanmiller said:

@hobbit666 said:

But kind to why I started this thread is those 6 sites as I see them are security risks as we only have a basic router on them and why I asked if UTMs are not the way to go what is.

Why does a basic router make them a security risk? As long as it isn't a Linksys, you are roughly the same as any Fortune 500.

I don't know are they? From the adverts you see on Spiceworks/Facebook/Anywhere a UTM is the best things to stop hackers getting into your company and stealing your data (like some high profile cases on the news lately). So would you say people don't need UTM devices at all? So where do they fit?

I would take Spiceworks ads with a grain of salt. They are a marketing company not an IT company.

I know it was more a generalisation of UTMs being marketed as a "must have" device to secure your network from threats.

Dashrender

@hobbit666 said:

@scottalanmiller said:

@hobbit666 said:

But kind to why I started this thread is those 6 sites as I see them are security risks as we only have a basic router on them and why I asked if UTMs are not the way to go what is.

Why does a basic router make them a security risk? As long as it isn't a Linksys, you are roughly the same as any Fortune 500.

I don't know are they? From the adverts you see on Spiceworks/Facebook/Anywhere a UTM is the best things to stop hackers getting into your company and stealing your data (like some high profile cases on the news lately). So would you say people don't need UTM devices at all? So where do they fit?

It totally depends on what your goals are.

Personally, from a business perspective, filtering web access seems like a wise thing to do to shrink the exposure your network has to the internet (i.e. you don't users going anywhere and everywhere online).

I know this seems draconian, but do people really need internet access at work if there job doesn't require it's use?

Do people really need to be connected to FB, twitter, etc while doing a job that does not include those things?

Scott talks about the 98% getting in the way of the 2%, well allowing access to those types of things just seems to contribute to that.

Dashrender

@hobbit666 said:

@Dashrender said:

@hobbit666 said:

@Dashrender said:

@hobbit666 said:

@Dashrender said:

Why are those 6 sites different, unless they aren't part of the MPLS?

Basically they have to connections one is the "MPLS" that they use citrix through which will be on a old ADSL connection.
Then we would of upgrade a old CCTV line etc to FTTC and now route "internet" traffic through that to keep the MPLS for Citrix only (these are mainly sites that are classed as offices i.e. sales and admin people)

Was internet traffic so bad at those 6 sites that it caused an issue for the Citrix connection? If so, you could have solved it by putting in filtering on the MPLS device (but as you mentioned it was controlled by the MPLS provider and they couldn't get it working).

Two things really, as these sites were on ADSL connections doing things on the "internet" and doing work through the MPLS are making things slow. So now with the internet on a separate connection they can't moan BBC website is slow lol
When I say ADSL I mean the lowest end of the scale 1Mb if that at times. (We are based in Mid Wales so internet until recently was low priority for BT)

LOL - is it your job to worry about them moaning that BBC site is slow? is that important to the business? Sounds like an HR problem to me. But - if it is a requirement of the business for it to work, and work well, well that is your problem, and it sounds like you already solved that with the FTTC.

Yes as it's got a plug on the end of the router it's down to us, and "internet" is an IT term so yes the connection being slow is out fault too

Well, If management has told you to fix the problem, then I guess you fix the problem. But it's not really about "it's got a plug, so it's IT's issue" The company really should be deciding.. is this a real problem that they want solved, or do they want correct behavior that is bad for their company?

scottalanmiller

@hobbit666 said:

@scottalanmiller said:

@hobbit666 said:

But kind to why I started this thread is those 6 sites as I see them are security risks as we only have a basic router on them and why I asked if UTMs are not the way to go what is.

Why does a basic router make them a security risk? As long as it isn't a Linksys, you are roughly the same as any Fortune 500.

I don't know are they? From the adverts you see on Spiceworks/Facebook/Anywhere a UTM is the best things to stop hackers getting into your company and stealing your data (like some high profile cases on the news lately). So would you say people don't need UTM devices at all? So where do they fit?

Almost no one needs them, and they do zip for hackers. Absolutely nothing. That's not an all what a UTM is for. UTMs are mostly just hype. I have never encountered a shop that should have a UTM. Someone should have one, but it is extremely rare.

UTMs are for shops with a huge investment in LAN mentality and no way to get away from it. It's a kludge for architectural shortcomings. At best, UTMs do very little at great cost. At worst, they cause harm.

scottalanmiller

@hobbit666 said:

@coliver said:

@hobbit666 said:

@scottalanmiller said:

@hobbit666 said:

But kind to why I started this thread is those 6 sites as I see them are security risks as we only have a basic router on them and why I asked if UTMs are not the way to go what is.

Why does a basic router make them a security risk? As long as it isn't a Linksys, you are roughly the same as any Fortune 500.

I don't know are they? From the adverts you see on Spiceworks/Facebook/Anywhere a UTM is the best things to stop hackers getting into your company and stealing your data (like some high profile cases on the news lately). So would you say people don't need UTM devices at all? So where do they fit?

I would take Spiceworks ads with a grain of salt. They are a marketing company not an IT company.

I know it was more a generalisation of UTMs being marketed as a "must have" device to secure your network from threats.

If they need to be marketed, that would indicate that no one needs them. If they made sense, you woudn't need to spend money trying to sell them.

Dashrender

@scottalanmiller said:

@hobbit666 said:

@coliver said:

@hobbit666 said:

@scottalanmiller said:

@hobbit666 said:

But kind to why I started this thread is those 6 sites as I see them are security risks as we only have a basic router on them and why I asked if UTMs are not the way to go what is.

Why does a basic router make them a security risk? As long as it isn't a Linksys, you are roughly the same as any Fortune 500.

I don't know are they? From the adverts you see on Spiceworks/Facebook/Anywhere a UTM is the best things to stop hackers getting into your company and stealing your data (like some high profile cases on the news lately). So would you say people don't need UTM devices at all? So where do they fit?

I would take Spiceworks ads with a grain of salt. They are a marketing company not an IT company.

I know it was more a generalisation of UTMs being marketed as a "must have" device to secure your network from threats.

If they need to be marketed, that would indicate that no one needs them. If they made sense, you woudn't need to spend money trying to sell them.

Hence you barely if ever see advertising for Ubiquiti's EdgeRouter stuff.

scottalanmiller

@Dashrender said:

I know this seems draconian, but do people really need internet access at work if there job doesn't require it's use?

If it seems that way to you, imagine how it feels to the end users.

Once you go down this path, you no longer see your staff as your asset, you see them as the enemy.

Dashrender

@scottalanmiller said:

@Dashrender said:

I know this seems draconian, but do people really need internet access at work if there job doesn't require it's use?

If it seems that way to you, imagine how it feels to the end users.

Once you go down this path, you no longer see your staff as your asset, you see them as the enemy.

Ummm... Frankly I do. They are the enemy of security. End users are almost always the weakest link in a companies security.

scottalanmiller

@Dashrender said:

Do people really need to be connected to FB, twitter, etc while doing a job that does not include those things?

Need to, no. Should we block it? Why? It takes time, money and introduces risks to block it.

Unless you take away their cell phones, pagers, and such when they walk in the door, I'd say this makes no sense. Don't single out services we have a personal feeling about. It undermines IT and management's authority.

There are jobs that need isolation, and they REALLY take those things away and lock you in and have Faraday cages around the office. I've actually worked there. It really happens.

Unless you are doing that, you are not blocking access, you are just making things adversarial in the office.

scottalanmiller

@Dashrender said:

Ummm... Frankly I do. They are the enemy of security. End users are almost always the weakest link in a companies security.

Then every one should be fired. If you have enemies in the company, whoever hired them and retains them is a sabatour. Call the police.

If the owners of the company don't agree, that makes IT the enemy.

Dashrender

I care less about blocking access to FB, etc because of productivity, that's not an IT concern (in this case), instead I'm concerned with keeping my network safe. Blocking them from anything not specifically business related seems like a prudent thing to do.

Removing external email (or access to their personal email on company machines) seems like a great start in the battle against baddies getting into our network.

scottalanmiller

@Dashrender said:

I care less about blocking access to FB, etc because of productivity, that's not an IT concern (in this case), instead I'm concerned with keeping my network safe. Blocking them from anything not specifically business related seems like a prudent thing to do.

Only seems. Isn't really. FB is not a big infection vector. Making people upset and do weird things and disrespect IT and management, is a huge vector.

scottalanmiller

@Dashrender said:

Removing external email (or access to their personal email on company machines) seems like a great start in the battle against baddies getting into our network.

How do you do that, though? How do you do it without sending them to a different email option? Users will always work around you. Trying to block them is hubris and hubris is the enemy of security.

If you really need to secure people, give them broad access AND an isolated network. Find ways to make things easier for them, not harder.

Being secure means working as partners. The moment the company itself is seen as the enemy, security is no longer a possibility. You are into the realm of everyone acting against one another. You need to get people on the same team. Seeing them as the enemy makes that impossible.

Dashrender

@scottalanmiller said:

@Dashrender said:

Ummm... Frankly I do. They are the enemy of security. End users are almost always the weakest link in a companies security.

Then every one should be fired. If you have enemies in the company, whoever hired them and retains them is a sabatour. Call the police.

If the owners of the company don't agree, that makes IT the enemy.

I understand why you're saying this, but the fact that users get scammed by phishing attaches and bad websites - are we just suppose to say "f it - we can't stop those things, there is nothing we can do to protect ourselves from them" and just always react to the problems they cause.

scottalanmiller

@Dashrender said:

@scottalanmiller said:

@Dashrender said:

Ummm... Frankly I do. They are the enemy of security. End users are almost always the weakest link in a companies security.

Then every one should be fired. If you have enemies in the company, whoever hired them and retains them is a sabatour. Call the police.

If the owners of the company don't agree, that makes IT the enemy.

I understand why you're saying this, but the fact that users get scammed by phishing attaches and bad websites - are we just suppose to say "f it - we can't stop those things, there is nothing we can do to protect ourselves from them" and just always react to the problems they cause.

No, we actually address fixing the problem rather than implementing placebos.

Things that we can't do...

• Not have users
• Not have computers
• Not have people with risks

So given that any attempt to stop one of those three things will ultimately fail, we don't look to those things for security.

Instead we change how we think of security. For example... you are concerned with securing your network. Why the network? What is the risk to "the network?"

Let's say User A does something bad. How are they putting User B or the company in general, or the network, at risk? What are the vectors that are a concern? Start there.

Dashrender

getting away from the LAN concept is definitely a plus in this situation. Treating the network connection as untrusted seems to be the only real solution, but not a great one at that.

While Crypto viruii today can't infect Owncloud, tomorrow they will find a way through locally running scripts using the logged on user's access. Granted it will never be as good as they have it now with file shares

scottalanmiller

@Dashrender said:

getting away from the LAN concept is definitely a plus in this situation. Treating the network connection as untrusted seems to be the only real solution, but not a great one at that.

Why not great?