Thoughts on how I could improve my network security?
-
I'm not a fan of UTMs, and neither is Jared. Both of us share the idea that mashing lots of functions into your router is a bad idea. A normal firewall is insanely simple and is just access controls on routing, which is fine. But UTM functions do not belong in the router. They are intensive, need totally different types of maintenance, and use very different profiles. If you want UTM-like functionality, I would essentially always put it on a VM and send traffic to it from the router, not have the router itself do that work.
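As an added illustration of the split described above (example code written for this page, not from the thread or from any vendor), here is a small model of what a plain router/firewall actually does: a first-match, default-deny rule table, where the one "clever" action is to divert web traffic to a separate inspection VM instead of inspecting it on the router. It also includes the check most people want from such a table: which rules are shadowed by an earlier rule and can never fire. All networks, hosts and rule names are constructed for the example.

```python
# Added example, not code from the thread: a first-match, default-deny
# policy of the kind a plain router/firewall enforces ("access controls on
# routing"), where the only non-trivial action is to divert web traffic to a
# separate inspection VM. All networks, hosts and rule names are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "allow", "deny" or "divert:<vm-ip>"
    src: str = "0.0.0.0/0"                   # source CIDR
    dst: str = "0.0.0.0/0"                   # destination CIDR
    proto: Optional[str] = None              # "tcp", "udp" or None for any
    dports: Optional[FrozenSet[int]] = None  # destination ports, None for any

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == proto)
                and (self.dports is None or dport in self.dports))

    def covers(self, other: "Rule") -> bool:
        """True if every flow `other` could match is also matched by self."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and (self.proto is None or self.proto == other.proto)
                and (self.dports is None
                     or (other.dports is not None and other.dports <= self.dports)))


def evaluate(policy: List[Rule], src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in policy:
        if rule.matches(src, dst, proto, dport):
            return rule.action, rule.name
    return "deny", "default-deny"


def shadowed_rules(policy: List[Rule]) -> List[Tuple[str, str]]:
    """Rules that can never fire because an earlier rule already covers every
    flow they describe. A shadowed rule is almost always an ordering mistake."""
    found = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            if earlier.covers(later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed addressing: the site, the office LAN, the department that
# handles the sensitive contract data, the server that stores it, the
# internal resolver, and the VM that runs IDS/IPS or web filtering off-router.
SITE = "10.0.0.0/16"
OFFICE_LAN = "10.0.1.0/24"
FIELD_DEPT = "10.0.2.0/24"
RECORDS_SRV = "10.0.5.10/32"
RESOLVER = "10.0.0.53/32"
INSPECT_VM = "10.0.9.10"

POLICY = [
    Rule("dns-to-resolver", "allow", SITE, RESOLVER, "udp", frozenset({53})),
    Rule("field-to-records", "allow", FIELD_DEPT, RECORDS_SRV, "tcp", frozenset({443})),
    Rule("others-to-records", "deny", SITE, RECORDS_SRV),
    # Web traffic is not inspected on the router; it is handed to the VM.
    Rule("web-via-inspection", f"divert:{INSPECT_VM}", SITE, "0.0.0.0/0", "tcp", frozenset({80, 443})),
]

if __name__ == "__main__":
    print(evaluate(POLICY, "10.0.2.15", "10.0.5.10", "tcp", 443))   # field dept reaches records
    print(evaluate(POLICY, "10.0.1.15", "10.0.5.10", "tcp", 443))   # office LAN is denied first
    print(evaluate(POLICY, "10.0.1.15", "203.0.113.5", "tcp", 443))  # web goes to inspection VM
    print(evaluate(POLICY, "10.0.1.15", "203.0.113.5", "tcp", 22))   # nothing matches: dropped
    # A direct allow placed after the divert rule can never fire:
    extra = Rule("lan-https-direct", "allow", OFFICE_LAN, "0.0.0.0/0", "tcp", frozenset({443}))
    print(shadowed_rules(POLICY + [extra]))
```

The point of the model is that the router's job stays this small: addresses, protocol, ports, order. Everything that needs signatures, decryption or content knowledge lives behind the `divert` action on its own VM with its own patch and maintenance cycle.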
-
If you DO decide to go UTM, avoid crap like ASA, SonicWall, Sophos etc. I heavily recommend Palo Alto or nothing. If you can't do it right, don't do it halfway with gear I'd not even be willing to deploy at home.
-
Before looking at UTM, I'd be 100% sure that my AV infrastructure was 100% where I wanted it to be with zero issues, good central control and monitoring and so forth. UTM, as we had just discussed in another thread, is LAN-based security that breaks modern network models and puts you at huge risk of people thinking that it excuses them from other good security practices. It can be the thing that makes people allow insecurity to creep into the network. So be very careful how you approach it.
-
-
@scottalanmiller said in Thoughts on how I could improve my network security?:
If you DO decide to go UTM, avoid crap like ASA, SonicWall, Sophos etc. I heavily recommend Palo Alto or nothing. If you can't do it right, don't do it halfway with gear I'd not even be willing to deploy at home.
Palo Alto is what I was thinking for sure. Glad to hear that's what you recommend.
-
@beta said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
If you DO decide to go UTM, avoid crap like ASA, SonicWall, Sophos etc. I heavily recommend Palo Alto or nothing. If you can't do it right, don't do it halfway with gear I'd not even be willing to deploy at home.
Palo Alto is what I was thinking for sure. Glad to hear that's what you recommend.
They are the best in the business, if you can afford them. Not cheap stuff, though.
-
I feel good about our AV as it offers central control and monitoring (cloud based so I even have our remote users constantly monitored and receiving the same policy updates and configurations).
I think my biggest concern is visibility and IDS/IPS. You'd recommend virtualizing those functions instead of using an appliance that also acts as the firewall? Any particular products you recommend?
-
@beta said in Thoughts on how I could improve my network security?:
I feel good about our AV as it offers central control and monitoring (cloud based so I even have our remote users constantly monitored and receiving the same policy updates and configurations).
That's basically the minimum bar to even say that you have AV.
-
@beta said in Thoughts on how I could improve my network security?:
I think my biggest concern is visibility and IDS/IPS. You'd recommend virtualizing those functions instead of using an appliance that also acts as the firewall? Any particular products you recommend?
Correct. Firewall for firewall, VMs for server functions. Still Palo Alto, of course, just their software products, not their appliances.
-
-
@beta said in Thoughts on how I could improve my network security?:
I think my biggest concern is visibility and IDS/IPS.
Do you really need this? Not that it can't be a good thing, but what are you really trying to protect?
-
@dashrender said in Thoughts on how I could improve my network security?:
@beta said in Thoughts on how I could improve my network security?:
I think my biggest concern is visibility and IDS/IPS.
Do you really need this? Not that it can't be a good thing, but what are you really trying to protect?
That's always the real question. I get that there is money to spend, use it or lose it, but still evaluating the real risk and concern is important. What's the itch that is attempting to be scratched?
-
Aren't the ASAs retired also? Sounds like you should buy a bunch of new Edge gear to update your network. I'd possibly spend the rest on a new server that you can use as an awesome virtual lab.
-
@dashrender said in Thoughts on how I could improve my network security?:
Aren't the ASAs retired also? Sounds like you should buy a bunch of new Edge gear to update your network. I'd possibly spend the rest on a new server that you can use as an awesome virtual lab.
I'd agree there. Cisco ASA were pretty craptastic even when they were new and supported. Start with getting a solid foundation of good gear. That won't use up much of the budget, but it will fix key problems instead of ignoring big issues to get fun toys. Worry about the toys after the core issues are resolved.
-
I'd also suggest if you're looking at Intrusion stuff, go with an IPS that can actually block attacks.
AlienVault makes a good SIEM.
-
Use it or lose it money is always tough. I agree on new firewalls. But beyond that, it's really hard to say. What kinds of things are you allowed to spend money on?
-
I would do something along this line:
Get good basic firewalls with nice rules set up.
Set up Strongarm.io or Cisco Umbrella; I would choose the former. This would handle security via DNS, as well as content filtering by DNS if you so choose.
Get a good log monitoring system like Arctic Wolf or AlienVault to alert you to anything abnormal.
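The DNS step in the list above is worth seeing concretely. Below is an added example written for this page (not code from the thread, and not how Strongarm.io or Cisco Umbrella implement their products) of the decision a DNS-filtering resolver makes per query: zones are matched label by label so a listed zone covers its subdomains, a plain string-suffix test that would wrongly match `notmalware.example` against `malware.example` is avoided, names are normalised (case, trailing dot, IDNA), and a category set lets the same lists run as security-only filtering or as security plus content filtering. All domain names and categories are constructed.

```python
# Added example, not code from the thread and not Strongarm.io's or Cisco
# Umbrella's logic: the per-query decision a DNS-filtering resolver makes.
# Zones are matched label by label so a listed zone covers its subdomains
# without a plain string-suffix test matching "notmalware.example" against
# "malware.example". All domain names and categories are constructed.
from typing import Dict, Iterable, Optional, Set, Tuple


def normalize(qname: str) -> str:
    """Canonical form: trailing dot removed, lower-cased, IDNA (punycode) labels."""
    name = qname.strip().rstrip(".").lower()
    return name.encode("idna").decode("ascii") if name else ""


def matching_zone(qname: str, zones: Iterable[str]) -> Optional[str]:
    """Most specific zone in `zones` that encloses qname, or None."""
    zone_set = set(zones)
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])   # qname, then each parent in turn
        if candidate in zone_set:
            return candidate
    return None


class DnsPolicy:
    """blocklist maps zone -> category; allowlist holds zones that override a
    block only when they are more specific than the blocked zone (ties go to
    the block); categories says which categories are actually enforced."""

    def __init__(self, blocklist: Dict[str, str], allowlist: Iterable[str], categories: Set[str]):
        self.blocklist = {normalize(z): c for z, c in blocklist.items()}
        self.allowlist = {normalize(z) for z in allowlist}
        self.categories = set(categories)

    def decide(self, qname: str) -> Tuple[str, Optional[str], Optional[str]]:
        """Returns (action, matched_zone, category). action is "block" or
        "allow"; zone/category describe the entry that drove the decision, or
        (None, None) when nothing on either list matched."""
        block_zone = matching_zone(qname, self.blocklist)
        if block_zone is None:
            return "allow", None, None
        category = self.blocklist[block_zone]
        allow_zone = matching_zone(qname, self.allowlist)
        if allow_zone is not None and allow_zone.count(".") > block_zone.count("."):
            return "allow", allow_zone, None        # more specific allow wins
        if category not in self.categories:
            return "allow", block_zone, category    # categorised, not enforced
        return "block", block_zone, category


# Constructed lists: two security categories and one content category.
BLOCKLIST = {
    "malware.example": "malware",
    "phish.example": "phishing",
    "socialsite.example": "social",
}
ALLOWLIST = ["careers.socialsite.example"]   # the HR team needs this one

# Security-only: blocks malware and phishing, lets content categories through.
SECURITY_POLICY = DnsPolicy(BLOCKLIST, ALLOWLIST, {"malware", "phishing"})
# Security plus content filtering: same lists, one more enforced category.
CONTENT_POLICY = DnsPolicy(BLOCKLIST, ALLOWLIST, {"malware", "phishing", "social"})

if __name__ == "__main__":
    for q in ["WWW.Malware.Example.", "notmalware.example", "www.socialsite.example",
              "jobs.careers.socialsite.example", "bücher.phish.example"]:
        print(q, "->", SECURITY_POLICY.decide(q), CONTENT_POLICY.decide(q))
```

One caveat that comes with any DNS-based control: it only decides anything for queries that reach your resolver. Clients that can talk to an arbitrary resolver on port 53 or 853 simply walk around it, so the basic firewall rules from the first step need to restrict outbound DNS to the resolver you filter on.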
-
I agree, good stuff.
-
@dashrender said in Thoughts on how I could improve my network security?:
Aren't the ASAs retired also? Sounds like you should buy a bunch of new Edge gear to update your network. I'd possibly spend the rest on a new server that you can use as an awesome virtual lab.
I believe that they are.
-
@scottalanmiller said in Thoughts on how I could improve my network security?:
@dashrender said in Thoughts on how I could improve my network security?:
@beta said in Thoughts on how I could improve my network security?:
I think my biggest concern is visibility and IDS/IPS.
Do you really need this? Not that it can't be a good thing, but what are you really trying to protect?
That's always the real question. I get that there is money to spend, use it or lose it, but still evaluating the real risk and concern is important. What's the itch that is attempting to be scratched?
So a little more info on our operation here. One of the things I'm concerned about is HIPAA adherence. We have a small department that has a contract with the state to collect some sensitive information from people. It's not even medical information, but they want us to follow HIPAA practices. I thought an IDS/IPS would be especially helpful here to safeguard this information and would help satisfy the state if they ask us what steps we take to secure the information. Of course we do the usual steps to safeguard the information such as it being restricted to only those users who need it via Active Directory permissions. Our users who collect the info are out in the field and their laptops are also using full disk encryption. We have multiple copies of backups onsite and offsite, etc., etc.
It would also be helpful to have more visibility into our traffic so I can see exactly who's using bandwidth if the internet is slow, if management asks me how many people are wasting time on non-work related websites, etc., etc.