    Thoughts on how I could improve my network security?

IT Discussion
187 Posts, 13 Posters, 31.4k Views
beta @JaredBusch
last edited by

@jaredbusch said in Thoughts on how I could improve my network security?:

I would do something along this line:

Get good basic firewalls with nice rules setup.

Set up Strongarm.io or Cisco Umbrella; I would choose the former. This would handle security via DNS as well as content filtering by DNS if you so choose.

Get a good log monitoring system like Arctic Wolf or AlienVault to alert you to anything abnormal.

Have you used Arctic Wolf or AlienVault? How'd you like them?
Reid Cooper
last edited by

AlienVault has a lot of fans. Seems to be the popular choice.
dave247 @scottalanmiller
last edited by

@scottalanmiller said in Thoughts on how I could improve my network security?:

If you DO decide to go UTM, avoid crap like ASA, SonicWall, Sophos etc. I heavily recommend Palo Alto or nothing. If you can't do it right, don't do it halfway with gear I'd not even be willing to deploy at home.

What's wrong with SonicWall? We have that where I work.
scottalanmiller @dave247
last edited by

@dave247 said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

If you DO decide to go UTM, avoid crap like ASA, SonicWall, Sophos etc. I heavily recommend Palo Alto or nothing. If you can't do it right, don't do it halfway with gear I'd not even be willing to deploy at home.

What's wrong with SonicWall? We have that where I work.

High cost, low quality, bad vendor. Reverse the question... what's good about them?

1. They are a UTM maker, something I think is generally fundamentally wrong as an approach.
2. They claim to be for security but have hidden configuration that isn't documented, a big no-no in security and IT.
3. They intentionally set defaults to break things for no reason like SIP-ALG (SW is the #1 cause for VoIP issues.)
4. They are expensive, many times the cost of equipment I consider to be much better.
5. They essentially exist only, much like Meraki, to make sales people money. They are like Mary Kay or Amway - no one buys them intentionally, they buy them from sales people to make them go away. They aren't good enough for people to go looking for them. But when the Girl Scouts come to your door, you feel bad and buy something small to make them leave. SonicWall is the cheapest thing you can buy from the vendors that sell them; it's a lot like unwanted Girl Scout cookies - you know they are expensive and unhealthy, but you feel you have to buy something.
dave247 @scottalanmiller
last edited by dave247

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dave247 said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

If you DO decide to go UTM, avoid crap like ASA, SonicWall, Sophos etc. I heavily recommend Palo Alto or nothing. If you can't do it right, don't do it halfway with gear I'd not even be willing to deploy at home.

What's wrong with SonicWall? We have that where I work.

High cost, low quality, bad vendor. Reverse the question... what's good about them?

1. They are a UTM maker, something I think is generally fundamentally wrong as an approach.
2. They claim to be for security but have hidden configuration that isn't documented, a big no-no in security and IT.
3. They intentionally set defaults to break things for no reason like SIP-ALG (SW is the #1 cause for VoIP issues.)
4. They are expensive, many times the cost of equipment I consider to be much better.
5. They essentially exist only, much like Meraki, to make sales people money. They are like Mary Kay or Amway - no one buys them intentionally, they buy them from sales people to make them go away. They aren't good enough for people to go looking for them. But when the Girl Scouts come to your door, you feel bad and buy something small to make them leave. SonicWall is the cheapest thing you can buy from the vendors that sell them; it's a lot like unwanted Girl Scout cookies - you know they are expensive and unhealthy, but you feel you have to buy something.

1. So that's really just your opinion then.
2. Can you elaborate on the "hidden configuration"?
3. I have our VoIP running through a zone on our NSA 3600 with no issues.
4. Seems like everything is "expensive" and what you consider better is a matter of opinion.
5. I understand getting ripped off by salespeople who push products that the buyer may not truly need, but we've made use of our SonicWall NSA 3600 quite a bit. It's been rock solid. And it's not like it's just a dinky system that's been cobbled together by the manufacturer just to sell as an extra piece of expensive crap. There's a lot of depth to it and it has a lot of good tools and features.

I have our three ISP connections coming into the SonicWall with load-balancing. I also have wifi zones for corp and guest on their own VLAN. I have LAN and VPN zones (and others) which are carefully set up and segregated through firewall rules. There's a page to manage NAT policies. We make use of SSLVPN, Gateway A/V and anti-spyware, content filtering, IDS & IPS, and the GMS Analyzer, etc.

I didn't choose this product as it was on site when I got my job here, but as I said, it's been completely solid.
Obsolesce @scottalanmiller
last edited by

@scottalanmiller said in Thoughts on how I could improve my network security?:

They are like Mary Kay

LOL I liked that one
Obsolesce @dave247
last edited by Obsolesce

@dave247 said in Thoughts on how I could improve my network security?:

I have our three ISP connections coming into the SonicWall with load-balancing. I also have wifi zones for corp and guest on their own VLAN. I have LAN and VPN zones (and others) which are carefully set up and segregated through firewall rules. There's a page to manage NAT policies. We make use of SSLVPN, Gateway A/V and anti-spyware, content filtering, IDS & IPS, and the GMS Analyzer, etc.
I didn't choose this product as it was on site when I got my job here, but as I said, it's been completely solid.

This is exactly how it is for me too.

I personally haven't seen any of the negatives Scott is pointing out against SonicWall or IPS working on the edge firewall.

If it degrades performance, I haven't experienced it. I do agree with him on all the aspects though and would not choose to implement a SonicWall or similar device if one wasn't already set up.
Obsolesce
last edited by

In my case it's cheaper to keep it around than to buy and implement a whole new preferred solution.
dave247 @Obsolesce
last edited by dave247

@tim_g said in Thoughts on how I could improve my network security?:

@dave247 said in Thoughts on how I could improve my network security?:

I have our three ISP connections coming into the SonicWall with load-balancing. I also have wifi zones for corp and guest on their own VLAN. I have LAN and VPN zones (and others) which are carefully set up and segregated through firewall rules. There's a page to manage NAT policies. We make use of SSLVPN, Gateway A/V and anti-spyware, content filtering, IDS & IPS, and the GMS Analyzer, etc.
I didn't choose this product as it was on site when I got my job here, but as I said, it's been completely solid.

This is exactly how it is for me too.

I personally haven't seen any of the negatives Scott is pointing out against SonicWall or IPS working on the edge firewall.

If it degrades performance, I haven't experienced it. I do agree with him on all the aspects though and would not choose to implement a SonicWall or similar device if one wasn't already set up.

What are some recommended alternatives? Is Scott (and supposed best practice) suggesting to spread all of these roles out to individual devices vs having everything in a single unit or something?
scottalanmiller @dave247
last edited by

@dave247 said in Thoughts on how I could improve my network security?:

@tim_g said in Thoughts on how I could improve my network security?:

@dave247 said in Thoughts on how I could improve my network security?:

I have our three ISP connections coming into the SonicWall with load-balancing. I also have wifi zones for corp and guest on their own VLAN. I have LAN and VPN zones (and others) which are carefully set up and segregated through firewall rules. There's a page to manage NAT policies. We make use of SSLVPN, Gateway A/V and anti-spyware, content filtering, IDS & IPS, and the GMS Analyzer, etc.
I didn't choose this product as it was on site when I got my job here, but as I said, it's been completely solid.

This is exactly how it is for me too.

I personally haven't seen any of the negatives Scott is pointing out against SonicWall or IPS working on the edge firewall.

If it degrades performance, I haven't experienced it. I do agree with him on all the aspects though and would not choose to implement a SonicWall or similar device if one wasn't already set up.

What are some recommended alternatives? Is Scott (and supposed best practice) suggesting to spread all of these roles out to individual devices vs having everything in a single unit or something?

Why would they be "devices"? What's the benefit to having hardware appliances for every application in a business? They should be treated like any other enterprise application - individual VMs. There are standard patterns here that are widely known and accepted. The issue, I think, is that people start hearing the marketing spiel on this stuff and start forgetting that network AV scanning, IDS, web proxies, etc. are "just another application" and that best practices have always existed for them.

Best practices for applications include virtualization and separation. What I'm suggesting isn't weird here; it's having them on appliances or mashed together on the same OS that breaks the standard approach.

You wouldn't treat your database or even your website this way, why your security system?
dave247 @scottalanmiller
last edited by

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dave247 said in Thoughts on how I could improve my network security?:

@tim_g said in Thoughts on how I could improve my network security?:

@dave247 said in Thoughts on how I could improve my network security?:

I have our three ISP connections coming into the SonicWall with load-balancing. I also have wifi zones for corp and guest on their own VLAN. I have LAN and VPN zones (and others) which are carefully set up and segregated through firewall rules. There's a page to manage NAT policies. We make use of SSLVPN, Gateway A/V and anti-spyware, content filtering, IDS & IPS, and the GMS Analyzer, etc.
I didn't choose this product as it was on site when I got my job here, but as I said, it's been completely solid.

This is exactly how it is for me too.

I personally haven't seen any of the negatives Scott is pointing out against SonicWall or IPS working on the edge firewall.

If it degrades performance, I haven't experienced it. I do agree with him on all the aspects though and would not choose to implement a SonicWall or similar device if one wasn't already set up.

What are some recommended alternatives? Is Scott (and supposed best practice) suggesting to spread all of these roles out to individual devices vs having everything in a single unit or something?

Why would they be "devices"? What's the benefit to having hardware appliances for every application in a business? They should be treated like any other enterprise application - individual VMs. There are standard patterns here that are widely known and accepted. The issue, I think, is that people start hearing the marketing spiel on this stuff and start forgetting that network AV scanning, IDS, web proxies, etc. are "just another application" and that best practices have always existed for them.

Best practices for applications include virtualization and separation. What I'm suggesting isn't weird here; it's having them on appliances or mashed together on the same OS that breaks the standard approach.

You wouldn't treat your database or even your website this way, why your security system?

By devices, I meant having the router and firewall on separate devices. Are you seriously suggesting I have a router and a firewall as a VM?

I understand having a web proxy, IDS and AV scanning on virtual machines, but if everything can be integrated into one system and it has enough computing resources to work well, then what's the problem with that? Also, for what it's worth, the SonicWall's GMS Analyzer is on a separate virtual machine.
scottalanmiller @dave247
last edited by

@dave247 said in Thoughts on how I could improve my network security?:

By devices, I meant having the router and firewall on separate devices. Are you seriously suggesting I have a router and a firewall as a VM?

I feel like you've missed everything I've ever said.

First of all, UTM never means Firewall. Those are two different things.

Second, a router is always a firewall; the two are always the same thing, and have been for decades. The idea that you even CAN separate the router and firewall is silly; while it's possible, no separate devices have been on the market since the late 1990s.

Third, never once ever have I suggested anything but a physical appliance for the firewall. Ever.

Where did you get the impression that I ever said anything of the sort?
scottalanmiller @dave247
last edited by

@dave247 said in Thoughts on how I could improve my network security?:

I understand having a web proxy, IDS and AV scanning on virtual machines, but if everything can be integrated into one system and it has enough computing resources to work well, then what's the problem with that?

Everything is the problem with it. It goes against everything we learn in IT about good practices. Why do we put databases, applications, monitoring, logging, and Active Directory on different VMs when we could mash them all into one VM?

Why are you treating your network security like it's a desktop or hobby class device and are willing to smash all kinds of applications together onto the network appliance, when you'd never consider anything of the sort with even relatively trivial production applications? Why is security and networking so often considered to be of trivial importance compared to everything else on the network?

The real question is... given best practices and broad application of rules that apply on every production workload, why do you consider the applications on your router to be the exception to the rule rather than one of the most important examples of it?
dave247 @scottalanmiller
last edited by

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dave247 said in Thoughts on how I could improve my network security?:

By devices, I meant having the router and firewall on separate devices. Are you seriously suggesting I have a router and a firewall as a VM?

I feel like you've missed everything I've ever said.

First of all, UTM never means Firewall. Those are two different things.

Second, a router is always a firewall; the two are always the same thing, and have been for decades. The idea that you even CAN separate the router and firewall is silly; while it's possible, no separate devices have been on the market since the late 1990s.

Third, never once ever have I suggested anything but a physical appliance for the firewall. Ever.

Where did you get the impression that I ever said anything of the sort?

I didn't miss what you said, but you frame things in such a way that comes off more arrogant than helpful.

I may not know a lot, but I know enough to know that a firewall and a router are not the same thing. Sure, they are pretty much always packaged together in the same product, but they are two different individual functions. And I get that there is some overlap as routers can have ACLs and firewalls can set static routes, but that doesn't mean they are the same thing.
dave247 @scottalanmiller
last edited by

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dave247 said in Thoughts on how I could improve my network security?:

I understand having a web proxy, IDS and AV scanning on virtual machines, but if everything can be integrated into one system and it has enough computing resources to work well, then what's the problem with that?

Everything is the problem with it. It goes against everything we learn in IT about good practices. Why do we put databases, applications, monitoring, logging, and Active Directory on different VMs when we could mash them all into one VM?

Why are you treating your network security like it's a desktop or hobby class device and are willing to smash all kinds of applications together onto the network appliance, when you'd never consider anything of the sort with even relatively trivial production applications? Why is security and networking so often considered to be of trivial importance compared to everything else on the network?

The real question is... given best practices and broad application of rules that apply on every production workload, why do you consider the applications on your router to be the exception to the rule rather than one of the most important examples of it?

This just seems like another vague attempt to prop up your opinion again. Again, our 3600 does a really good job even though all those features are "mashed" in the same system.
scottalanmiller @dave247
last edited by

@dave247 said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dave247 said in Thoughts on how I could improve my network security?:

By devices, I meant having the router and firewall on separate devices. Are you seriously suggesting I have a router and a firewall as a VM?

I feel like you've missed everything I've ever said.

First of all, UTM never means Firewall. Those are two different things.

Second, a router is always a firewall; the two are always the same thing, and have been for decades. The idea that you even CAN separate the router and firewall is silly; while it's possible, no separate devices have been on the market since the late 1990s.

Third, never once ever have I suggested anything but a physical appliance for the firewall. Ever.

Where did you get the impression that I ever said anything of the sort?

I didn't miss what you said, but you frame things in such a way that comes off more arrogant than helpful.

I may not know a lot, but I know enough to know that a firewall and a router are not the same thing. Sure, they are pretty much always packaged together in the same product, but they are two different individual functions. And I get that there is some overlap as routers can have ACLs and firewalls can set static routes, but that doesn't mean they are the same thing.

Not quite. A router with ACLs is a firewall. A firewall with routing is a router. In theory, but only in theory, you can make a router without ACLs, but no one has done so in decades. In theory you can make a non-routing firewall (it's called a bridging firewall) but in reality, again, none has been made that doesn't have the router function.

Bottom line is that router and firewall are literally the same thing for all possible use cases. The two things are just functions of routers. All routers are firewalls, all firewalls are routers. The two cannot, for all intents and purposes, be separated.

This is very important, because firewall means router, but UTM doesn't mean firewall. So understanding this is key to understanding what I said. If you associate the wrong terms together, it will sound like I said what it seems like you reacted to.
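The "router with ACLs is a firewall" point above, and dave247's earlier description of LAN, corp wifi, guest wifi and VPN zones segregated by firewall rules, both come down to one forwarding path: a route lookup picks the egress interface, and a zone-pair policy decides whether the packet may cross. The following is an added example written for this thread, not code from the thread, from SonicWall, or from any vendor product. Every subnet, interface name, zone name and policy entry in it is a constructed assumption chosen to mirror the layout dave247 described, and the ingress zone is inferred from the source address rather than from the arrival interface, which is a simplification a real router does not make.

```python
"""Zone-based forwarding on a single router: the routing lookup chooses the
egress interface, then a zone-pair ACL (default deny) decides whether the
packet is forwarded. Added example; all subnets, names and policies below are
constructed assumptions, not a real network."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    network: ipaddress.IPv4Network
    zone: str


# Constructed interface table (assumption: one subnet per interface; the
# 0.0.0.0/0 entry on eth0 is the default route towards the ISP).
INTERFACES = [
    Interface("eth1", ipaddress.ip_network("10.0.1.0/24"), "LAN"),
    Interface("wlan0.10", ipaddress.ip_network("10.0.10.0/24"), "CORP_WIFI"),
    Interface("wlan0.20", ipaddress.ip_network("10.0.20.0/24"), "GUEST_WIFI"),
    Interface("tun0", ipaddress.ip_network("10.8.0.0/24"), "VPN"),
    Interface("eth0", ipaddress.ip_network("0.0.0.0/0"), "WAN"),
]

# Zone-pair policy (constructed): (src_zone, dst_zone) -> "any" or a set of
# permitted destination ports. Any pair not listed is dropped, so WAN -> LAN,
# GUEST_WIFI -> LAN and similar cross-zone paths are denied by default.
POLICY = {
    ("LAN", "WAN"): "any",
    ("CORP_WIFI", "WAN"): "any",
    ("CORP_WIFI", "LAN"): "any",
    ("VPN", "LAN"): "any",
    ("GUEST_WIFI", "WAN"): {53, 80, 443},
}


def route(addr: str) -> Interface:
    """Routing decision: longest-prefix match over the interface table."""
    ip = ipaddress.ip_address(addr)
    candidates = [i for i in INTERFACES if ip in i.network]
    return max(candidates, key=lambda i: i.network.prefixlen)


def forward(src: str, dst: str, dport: int):
    """Return ("forward", egress_interface) or ("drop", reason).

    The routing step and the ACL step run in the same function because on a
    real router they are one forwarding path; this is the sense in which a
    router with ACLs is a firewall.
    """
    in_if = route(src)   # simplification: ingress zone inferred from source IP
    out_if = route(dst)
    if in_if.zone == out_if.zone:
        return ("drop", "same-zone traffic is switched, not routed")
    allowed = POLICY.get((in_if.zone, out_if.zone))
    if allowed is None:
        return ("drop", f"no policy for {in_if.zone} -> {out_if.zone}")
    if allowed != "any" and dport not in allowed:
        return ("drop", f"port {dport} not permitted {in_if.zone} -> {out_if.zone}")
    return ("forward", out_if.name)


def demo():
    """Constructed sample flows covering each zone pair of interest."""
    flows = [
        ("10.0.20.5", "8.8.8.8", 443),       # guest wifi -> internet, HTTPS
        ("10.0.20.5", "8.8.8.8", 22),        # guest wifi -> internet, SSH
        ("10.0.20.5", "10.0.1.10", 445),     # guest wifi -> LAN file server
        ("10.8.0.7", "10.0.1.10", 3389),     # VPN client -> LAN host
        ("203.0.113.9", "10.0.1.10", 445),   # internet -> LAN (unsolicited)
        ("10.0.1.10", "10.0.1.20", 80),      # LAN -> LAN (same zone)
    ]
    return [(f, forward(*f)) for f in flows]


if __name__ == "__main__":
    for flow, verdict in demo():
        print(flow, "->", verdict)
```

The guest wifi rows are the ones worth reading closely: the same source reaches the internet on 443, is dropped on 22 because the port is outside the permitted set, and is dropped towards the LAN because no zone pair exists for it. Nothing about that decision required a second box; the ACL lives on the same device that chose the egress interface.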
scottalanmiller @dave247
last edited by

@dave247 said in Thoughts on how I could improve my network security?:

This just seems like another vague attempt to prop up your opinion again. Again, our 3600 does a really good job even though all those features are "mashed" in the same system.

Loads and loads of people swear by Microsoft's SBS server, too. It "does a good job" until you realize that it generally costs too much and introduces risk. Remember that your current UTM "does a good job for you" cannot be used as an indicator of whether it is a good idea. That's not how risk assessment ever can work. That's the "look mom, no seatbelt" problem.

The problem with security and risk is that things always seem great until something goes wrong. And often when things go wrong, you don't actually know (the nature of security - a good breach you will never know about.) It's just like Russian roulette: five out of six players think it is a perfectly safe game.

Can MS SBS server or a UTM do the job? Yes. Are they a good design or able to do the job as well as a better system design, or do they follow industry best practices? No, of course not.

None of this is vague or me propping up my "opinion"; this has been an industry standard practice for decades taught by everyone in the administration space. The idea of separating services for reliability and control has been a core tenet of basic administration education since long before I was in IT, which is a very long time.
scottalanmiller @dave247
last edited by

@dave247 said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dave247 said in Thoughts on how I could improve my network security?:

By devices, I meant having the router and firewall on separate devices. Are you seriously suggesting I have a router and a firewall as a VM?

I feel like you've missed everything I've ever said.

First of all, UTM never means Firewall. Those are two different things.

Second, a router is always a firewall; the two are always the same thing, and have been for decades. The idea that you even CAN separate the router and firewall is silly; while it's possible, no separate devices have been on the market since the late 1990s.

Third, never once ever have I suggested anything but a physical appliance for the firewall. Ever.

Where did you get the impression that I ever said anything of the sort?

I didn't miss what you said, but you frame things in such a way that comes off more arrogant than helpful.

If you didn't, then why did you respond to something so totally backwards from what I had said? What is the above responding to?
scottalanmiller
last edited by

But, like all things of this nature, I've presented my side as to "why" keeping firewalls and the things considered "UTM functions" in separate places.

Now, some feel the opposite. For those that want to say that UTMs (putting lots of applications together onto the router/firewall box) are better than the normal industry standard practice of keeping applications isolated, please present your reasons for wanting that. I've presented solid reasons, that you might not agree with, for why I'd follow industry best practice here. I don't remember anyone saying why they'd do the opposite, only questioning why I'd not do it, which isn't the same as presenting a reason.

So I'm asking... what are the reasons for going against the grain in this one case? There are exceptions to most every rule, but I've not seen anyone anywhere ever present an argument for UTMs, only that they'd use them despite the reasons against them.
scottalanmiller
last edited by

Also, it's important to remember that just because something isn't the "best way to do it" doesn't imply that the other option doesn't work, just that it isn't as good. Just like how RAID 6 almost always works, even in cases where RAID 10 would have been better. A better design doesn't imply, at all, that non-best designs won't work, only that they don't work as well.