    Ubiquity Security appliance

    IT Discussion
    Tags: ubiquity, security, anti-virus, intrusion prevention, intrusion detection
    55 Posts 8 Posters 5.8k Views
    • NashBrydgesN
      NashBrydges @CCWTech
      last edited by

      @ccwtech said in Ubiquity Security appliance:

      @nashbrydges said in Ubiquity Security appliance:

      As for cost, a client with 23 staff was running an EdgeRouter and at the time, I didn't know about Strongarm and Quad9 didn't exist. One of their staff opened a Word document without thinking and enabled macros. The resulting crypto malware spread to their file server. The cost of my time to fix this was twice what would have been a properly sized UTM with 3 yrs licensing. Again, not saying a UTM would have blocked the domain or file, but 100% will not know because there wasn't one in place.

      This is my fear as well. If something that (for a few hundred dollars extra) would prevent this event, it would be well worth it.

      I always present new clients with options. I'll make a recommendation about which might be best for their business and processes. I'll lay out the pros and cons of each and together we come to a decision.

      Let me tell you that the client that had to recover from their crypto infection asked me to set them up with a UTM. Even after walking them through the fact that this won't guarantee that they won't have this happen again, they still opted for the UTM. Combined with changes to how they manage inbound documents and Sophos' Sandstorm feature, the business owner tells me she sleeps better at night.

      1 Reply Last reply Reply Quote 1
      • JaredBuschJ
        JaredBusch @NashBrydges
        last edited by

        @nashbrydges said in Ubiquity Security appliance:

        @dashrender said in Ubiquity Security appliance:

        @nashbrydges said in Ubiquity Security appliance:

        @coliver said in Ubiquity Security appliance:

        @nashbrydges said in Ubiquity Security appliance:

        @scottalanmiller has made it clear throughout Mangolassi that he's not generally a fan of UTMs but I have seen first-hand the benefits UTMs can bring to a small business (emphasis on "small"). I agree with all of his points but since I've been able to setup and manage UTMs that have actually prevented malware infections, even while using some of those DNS services, that tends to win me over pretty quickly.

        I'll also agree with @scottalanmiller that it's a cost vs benefit analysis that you'll need to do.

        For what it's worth, I tend to look at the type of activities and services running at a client's business and decide whether a UTM makes sense for them or not and go from there. And for performance vs cost, I've favored Sophos UTMs. For straight-up firewall, it's UBNT all the way, every time.

        How do you know the local AV/Anti-malware wouldn't have resolved that issue? That's where I sit, UTMs are interesting and can be handy but are they that much better than just having a properly secured endpoint?

        Local AV is great for scanning files and processes but does nothing to block access to a website. That is the effect I'm referring to. Blocking access to malicious sites. Preventing the downloading of an infected document/file is also a win. There's definite value in stopping the file from reaching the user if it is identified as malicious. Sure it might have been identified by the desktop AV, but if it hadn't, that additional buffer is beneficial.

        You mention that the webfiltering alone didn't stop the infection you saw stopped by the UTM in your example - so what portion of the UTM stopped the infection? AV scanning?

        We all know that AV scanning isn't perfect - no one company is 100% effective there, so this time your UTM stopped it, and maybe next time it won't - we don't know if the local AV would have stopped it or not. For 100's of times the cost of a non UTM firewall, I really wonder if it's worth it?

        There are 3 specific cases, 2 of which were domains blocked as known or suspected malicious, and 1, in my personal home, where I have a click-happy wife and son and the AV blocked a file download.

        No one company is 100%, completely agree, but that argument does go both ways in support for and against the use of UTMs.

        As for cost, a client with 23 staff was running an EdgeRouter and at the time, I didn't know about Strongarm and Quad9 didn't exist. One of their staff opened a Word document without thinking and enabled macros. The resulting crypto malware spread to their file server. The cost of my time to fix this was twice what would have been a properly sized UTM with 3 yrs licensing. Again, not saying a UTM would have blocked the domain or file, but 100% will not know because there wasn't one in place.

        But that word document came through their email which nothing would stop because that should be coming down an encrypted pipe between the email server and the desktop client.

        NashBrydgesN 1 Reply Last reply Reply Quote 3
        • JaredBuschJ
          JaredBusch @NashBrydges
          last edited by

          @nashbrydges said in Ubiquity Security appliance:

          Other services like OpenDNS Umbrella

          This also no longer exists. It is Cisco Umbrella, just like Strongarm.io is now WatchGuard DNSWatch.

          1 Reply Last reply Reply Quote 1
          • NashBrydgesN
            NashBrydges @JaredBusch
            last edited by

            @jaredbusch said in Ubiquity Security appliance:

            But that word document came through their email which nothing would stop because that should be coming down an encrypted pipe between the email server and the desktop client.

            No, it didn't come from their email, it was a link to a cloud file share on some random domain.

            JaredBuschJ 1 Reply Last reply Reply Quote 0
            • JaredBuschJ
              JaredBusch @NashBrydges
              last edited by

              @nashbrydges said in Ubiquity Security appliance:

              No, it didn't come from their email, it was a link to a cloud file share on some random domain.

              Then also would not be blocked as it would have been inside an SSL tunnel. Unless it was a really incompetent crypto team.

              JaredBuschJ NashBrydgesN 2 Replies Last reply Reply Quote 2
              • JaredBuschJ
                JaredBusch @NashBrydges
                last edited by

                @nashbrydges said in Ubiquity Security appliance:

                when the UTM manufacturer gathers malicious domain lists from a variety of sources

                Again this is different than the sources that Strongarm.io uses how?

                NashBrydgesN 1 Reply Last reply Reply Quote 1
                • JaredBuschJ
                  JaredBusch
                  last edited by JaredBusch

                  I totally get recommending the right product for the right reasons, but nothing you are arguing seems to be a valid reason.

                  1 Reply Last reply Reply Quote 1
                  • JaredBuschJ
                    JaredBusch @JaredBusch
                    last edited by

                    @jaredbusch said in Ubiquity Security appliance:

                    @nashbrydges said in Ubiquity Security appliance:

                    No, it didn't come from their email, it was a link to a cloud file share on some random domain.

                    Then also would not be blocked as it would have been inside an SSL tunnel. Unless it was a really incompetent crypto team.

                    @NashBrydges unless you are breaking your SSL yourself by letting your UTM perform a MitM attack on all your traffic.

                    NashBrydgesN 1 Reply Last reply Reply Quote 2
                    • NashBrydgesN
                      NashBrydges @JaredBusch
                      last edited by

                      @jaredbusch said in Ubiquity Security appliance:

                      Then also would not be blocked as it would have been inside an SSL tunnel. Unless it was a really incompetent crypto team.

                      It was a malware laden file, and the user neglected to ensure the link was a good valid link. You're assuming it would have been served over SSL. I made no such assumption. Not sure that malware distributors always ensure their files are hosted from SSL protected shares.

                      Sophos also has a feature called Sandstorm which explodes documents before sending them to the user. A UTM AV may have scanned and blocked the file, it may not. Like I said, we'll never know for sure since the client didn't have the UTM in place.

                      JaredBuschJ 1 Reply Last reply Reply Quote 1
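The post above mentions Sophos Sandstorm (detonating the document before delivery) and, earlier, changes to how the client handles inbound documents. As an added example, not from the thread and not Sophos code: a Python check that classifies an inbound Office file by its contents rather than its extension, looking for the VBA project part that a macro-enabled OOXML document carries. The documents it tests are built in memory and are constructed, not real Word output; the policy labels and the mention of oletools are my own. A static gate like this is the cheap check in front of a sandbox, not a replacement for it.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"        # legacy .doc/.xls/.ppt container
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "pptm", "potm"}


def make_docx(with_macros: bool) -> bytes:
    """Constructed minimal OOXML package (not a real Word file) for the checks below."""
    overrides = ('<Override PartName="/word/document.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    if with_macros:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    ctypes = ('<?xml version="1.0" encoding="UTF-8"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              f'{overrides}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", ctypes)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", OLE_MAGIC + bytes(24))   # stub VBA project stream
    return buf.getvalue()


def classify_document(data: bytes) -> str:
    """Classify by content, not extension: macro-enabled / no-macros / legacy-binary / not-office."""
    if data.startswith(OLE_MAGIC):
        # Macros in the legacy binary formats live inside OLE streams; reading those
        # needs a CFB parser (oletools does this), so report "cannot inspect" not "clean".
        return "legacy-binary"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if "[Content_Types].xml" not in names:
                return "not-office"
            ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return "not-office"
    has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
    if has_vba_part or VBA_CONTENT_TYPE in ctypes:
        return "macro-enabled"
    return "no-macros"


def quarantine_reason(filename: str, data: bytes):
    """Policy (assumption): hold anything carrying a VBA project, anything we cannot
    inspect, and flag separately when the extension claims 'no macros' but the
    package contains them. Returns a reason string, or None to deliver."""
    kind = classify_document(data)
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if kind == "macro-enabled":
        if ext in MACRO_EXTENSIONS:
            return "vba-project-present"
        return "macro-content-with-non-macro-extension"
    if kind == "legacy-binary":
        return "legacy-binary-not-inspectable"
    return None


if __name__ == "__main__":
    for name, blob in [("invoice.docm", make_docx(True)),
                       ("invoice.docx", make_docx(True)),
                       ("invoice.docx", make_docx(False))]:
        print(name, classify_document(blob), quarantine_reason(name, blob))
```

A VBA part being present means macros exist, not that they are malicious; a "no-macros" result means there is no VBA project in the package and says nothing about other abusable content (embedded OLE objects, DDE fields, external template references). That gap is what sandbox detonation is for, which is why a static gate and a sandbox are complementary rather than alternatives.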
                      • NashBrydgesN
                        NashBrydges @JaredBusch
                        last edited by

                        @jaredbusch said in Ubiquity Security appliance:

                        @NashBrydges unless you are breaking your SSL yourself by letting your UTM perform a MitM attack on all your traffic.

                        That never happens and is a totally bad setup.

                        JaredBuschJ 1 Reply Last reply Reply Quote 0
                        • JaredBuschJ
                          JaredBusch @NashBrydges
                          last edited by

                          @nashbrydges said in Ubiquity Security appliance:

                          @jaredbusch said in Ubiquity Security appliance:

                          @jaredbusch said in Ubiquity Security appliance:

                          @nashbrydges said in Ubiquity Security appliance:

                          @jaredbusch said in Ubiquity Security appliance:

                          @nashbrydges said in Ubiquity Security appliance:

                          @dashrender said in Ubiquity Security appliance:

                          @nashbrydges said in Ubiquity Security appliance:

                          @coliver said in Ubiquity Security appliance:

                          @nashbrydges said in Ubiquity Security appliance:

                          @scottalanmiller has made it clear throughout Mangolassi that he's not generally a fan of UTMs but I have seen first-hand the benefits UTMs can bring to a small business (emphasis on "small"). I agree with all of his points but since I've been able to setup and manage UTMs that have actually prevented malware infections, even while using some of those DNS services, that tends to win me over pretty quickly.

                          I'll also agree with @scottalanmiller that it's a cost vs benefit analysis that you'll need to do.

                          For what it's worth, I tend to look at the type of activities and services running at a client's business and decide whether a UTM makes sense for them or not and go from there. And for performance vs cost, I've favored Sophos UTMs. For straight-up firewall, it's UBNT all the way, every time.

                          How do you know the local AV/Anti-malware wouldn't have resolved that issue? That's where I sit, UTMs are interesting and can be handy but are they that much better then just having a properly secured endpoint?

                          Local AV is great for scanning files and processes but does nothing to block access to a website. That is the effect I'm referring to. Blocking access to malicious sites. Preventing the downloading of an infected document/file is also a win. There's definite value in stopping the file from reaching the user if it is identified as malicious. Sure it might have been identified by the desktop AV, but if it hadn't, that additional buffer is beneficial.

                          You mention that the webfiltering alone didn't stop the infection you saw stopped by the UTM in your example - so what portion of the UTM stopped the infection? AV scanning?

                          We all know that AV scanning isn't perfect - no one company is 100% effective there, so this time your UTM stopped it, and maybe next time it won't - we don't know if the local AV would have stopped it or not. For 100's of times the cost of a non UTM firewall, I really wonder if it's worth it?

                          There are 3 specific cases, 2 of which were domains blocked as known or suspected malicious, and 1, in my personal home, where I have a click-happy wife and son and the AV blocked a file download.

                          No one company is 100%, completely agree, but that argument does go both ways in support for and against the use of UTMs.

                          As for cost, a client with 23 staff was running an EdgeRouter and at the time, I didn't know about Strongarm and Quad9 didn't exist. One of their staff opened a Word document without thinking and enabled macros. The resulting crypto malware spread to their file server. The cost of my time to fix this was twice what would have been a properly sized UTM with 3 yrs licensing. Again, not saying a UTM would have blocked the domain or file, but 100% will not know because there wasn't one in place.

                          But that word document came through their email which nothing would stop because that should be coming down an encrypted pipe between the email server and the desktop client.

                          No, it didn't come from their email, it was a link to a cloud file share on some random domain.

                          Then it also would not be blocked as it would have been inside an SSL tunnel. Unless it was a really incompetent crypto team.

                          @NashBrydges unless you are breaking your SSL yourself by letting your UTM perform a MitM attack on all your traffic.

                          That never happens and is a totally bad setup.

                          Good.

                          • JaredBuschJ
                            JaredBusch @NashBrydges
                            last edited by JaredBusch

                            @nashbrydges said in Ubiquity Security appliance:

                            @jaredbusch said in Ubiquity Security appliance:

                            @nashbrydges said in Ubiquity Security appliance:

                            @jaredbusch said in Ubiquity Security appliance:

                            @nashbrydges said in Ubiquity Security appliance:

                            @dashrender said in Ubiquity Security appliance:

                            @nashbrydges said in Ubiquity Security appliance:

                            @coliver said in Ubiquity Security appliance:

                            @nashbrydges said in Ubiquity Security appliance:

                            @scottalanmiller has made it clear throughout Mangolassi that he's not generally a fan of UTMs but I have seen first-hand the benefits UTMs can bring to a small business (emphasis on "small"). I agree with all of his points but since I've been able to set up and manage UTMs that have actually prevented malware infections, even while using some of those DNS services, that tends to win me over pretty quickly.

                            I'll also agree with @scottalanmiller that it's a cost vs benefit analysis that you'll need to do.

                            For what it's worth, I tend to look at the type of activities and services running at a client's business and decide whether a UTM makes sense for them or not and go from there. And for performance vs cost, I've favored Sophos UTMs. For straight-up firewall, it's UBNT all the way, every time.

                            How do you know the local AV/Anti-malware wouldn't have resolved that issue? That's where I sit, UTMs are interesting and can be handy but are they that much better than just having a properly secured endpoint?

                            Local AV is great for scanning files and processes but does nothing to block access to a website. That is the effect I'm referring to. Blocking access to malicious sites. Preventing the downloading of an infected document/file is also a win. There's definite value in stopping the file from reaching the user if it is identified as malicious. Sure it might have been identified by the desktop AV, but if it hadn't, that additional buffer is beneficial.

                            You mention that the web filtering alone didn't stop the infection you saw stopped by the UTM in your example - so what portion of the UTM stopped the infection? AV scanning?

                            We all know that AV scanning isn't perfect - no one company is 100% effective there, so this time your UTM stopped it, and maybe next time it won't - we don't know if the local AV would have stopped it or not. For hundreds of times the cost of a non-UTM firewall, I really wonder if it's worth it?

                            There are 3 specific cases, 2 of which were domains blocked as known or suspected malicious, and 1, in my personal home, where I have a click-happy wife and son and the AV blocked a file download.

                            No one company is 100%, completely agree, but that argument does go both ways in support for and against the use of UTMs.

                            As for cost, a client with 23 staff was running an EdgeRouter and at the time, I didn't know about Strongarm and Quad9 didn't exist. One of their staff opened a Word document without thinking and enabled macros. The resulting crypto malware spread to their file server. The cost of my time to fix this was twice what would have been a properly sized UTM with 3 yrs licensing. Again, not saying a UTM would have blocked the domain or file, but 100% will not know because there wasn't one in place.

                            But that Word document came through their email which nothing would stop because that should be coming down an encrypted pipe between the email server and the desktop client.

                            No, it didn't come from their email, it was a link to a cloud file share on some random domain.

                            Then it also would not be blocked as it would have been inside an SSL tunnel. Unless it was a really incompetent crypto team.

                            It was a malware-laden file, and the user neglected to ensure the link was a good valid link. You're assuming it would have been served over SSL. I made no such assumption. Not sure that malware distributors always ensure their files are hosted from SSL protected shares.

                            They do use SSL almost exclusively because it protects their payload unless the endpoint has MitM breaking the SSL to inspect the traffic.

                            @nashbrydges said in Ubiquity Security appliance:

                            Sophos also has a feature called Sandstorm which explodes documents before sending them to the user. A UTM AV may have scanned and blocked the file, it may not. Like I said, we'll never know for sure since the client didn't have the UTM in place.

                            Is Sandstorm an AV client on the endpoint? Then it is no different than any other endpoint AV. If it is on the router, then, it is useless unless you are doing MitM.

                            • NashBrydgesN
                              NashBrydges @JaredBusch
                              last edited by

                              @jaredbusch said in Ubiquity Security appliance:

                              @nashbrydges said in Ubiquity Security appliance:

                              when the UTM manufacturer gathers malicious domain lists from a variety of sources

                              Again this is different than the sources that Strongarm.io uses how?

                              Just like different AV vendors perform differently in what they identify and block, the same is true for UTMs.

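The exchange above (and the earlier Strongarm/Quad9 discussion) turns on how a DNS-layer filter applies a malicious-domain list. The following is an added illustration, not code from this thread or from any of the vendors named in it: a minimal model of a resolver-side filter replayed over constructed query-log lines. The domain names, the log lines, the log format and the blocklist are all invented for the example; the one design point taken from real filters is that a listed domain blocks all of its subdomains, so the match walks parent suffixes instead of comparing exact strings.

```python
"""
Added illustration of DNS-layer domain filtering (Quad9 / Strongarm style).
Everything here (names, log lines, log format, blocklist) is constructed.
"""
import re
from typing import Optional

# Constructed blocklist, standing in for what a filter vendor compiles from its feeds.
BLOCKLIST = {
    "evil-share.example",   # hypothetical "cloud file share on some random domain"
    "bad-cdn.example",
}

# Constructed log format: "<timestamp> <client-ip> <qtype> <qname>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def normalize(qname: str) -> str:
    """Canonical form: lower-case, no trailing dot, IDNA (punycode) labels."""
    qname = qname.strip().rstrip(".").lower()
    # Non-ASCII labels become their xn-- form; plain ASCII labels pass through unchanged.
    return qname.encode("idna").decode("ascii")


def blocking_entry(qname: str, blocklist: set) -> Optional[str]:
    """Return the blocklist entry covering qname (the name itself or a parent), else None."""
    labels = normalize(qname).split(".")
    # Stop before the bare TLD so a list entry can never accidentally match "example".
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def filter_log(lines, blocklist):
    """Replay query-log lines through the filter.

    Returns (client, qname, action, reason) tuples. Malformed lines are skipped
    rather than crashing the replay.
    """
    decisions = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        _ts, client, _qtype, qname = m.groups()
        entry = blocking_entry(qname, blocklist)
        if entry:
            # Quad9 answers NXDOMAIN for listed names; other filters sinkhole to a block page.
            decisions.append((client, qname, "NXDOMAIN", f"matched {entry}"))
        else:
            decisions.append((client, qname, "RESOLVE", "not listed"))
    return decisions


# Constructed sample log: one user following a link to a hosted document.
SAMPLE_LOG = [
    "2019-03-01T10:22:05Z 10.0.0.23 A files.evil-share.example.",
    "2019-03-01T10:22:05Z 10.0.0.23 A FILES.EVIL-SHARE.EXAMPLE",
    "2019-03-01T10:22:06Z 10.0.0.23 A www.vendor.example",
    "2019-03-01T10:22:07Z 10.0.0.24 A bücher.bad-cdn.example",
    "garbage line that is not a query",
]

if __name__ == "__main__":
    for client, qname, action, reason in filter_log(SAMPLE_LOG, BLOCKLIST):
        print(f"{client:<10} {qname:<32} {action:<8} {reason}")
```

Two things this makes concrete about the argument in the thread: the decision happens on the name lookup, before any TLS handshake, so whether the file is later fetched over HTTP or HTTPS makes no difference to a DNS filter; and the filter never sees the file itself, so a listed-domain miss is a complete miss, which is why the quality of the list matters more than the appliance it runs on.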
                              • DashrenderD
                                Dashrender @CCWTech
                                last edited by

                                @ccwtech said in Ubiquity Security appliance:

                                @nashbrydges said in Ubiquity Security appliance:

                                As for cost, a client with 23 staff was running an EdgeRouter and at the time, I didn't know about Strongarm and Quad9 didn't exist. One of their staff opened a Word document without thinking and enabled macros. The resulting crypto malware spread to their file server. The cost of my time to fix this was twice what would have been a properly sized UTM with 3 yrs licensing. Again, not saying a UTM would have blocked the domain or file, but 100% will not know because there wasn't one in place.

                                This is my fear as well. If something that (for a few hundred dollars extra) would prevent this event, it would be well worth it.

                                But you can't know this. And a few hundred dollars? I don't consider $1100 vs $97 a few hundred.

                                • NashBrydgesN
                                  NashBrydges @JaredBusch
                                  last edited by

                                  @jaredbusch said in Ubiquity Security appliance:

                                  They do use SSL almost exclusively because it protects their payload unless the endpoint has MitM breaking the SSL to inspect the traffic.

                                  Source please.

                                  @jaredbusch said in Ubiquity Security appliance:

                                  Is Sandstorm an AV client on the endpoint? Then it is no different than any other endpoint AV. If it is on the router, then, it is useless unless you are doing MitM.

                                  Sandstorm is not on the endpoint. Files are analyzed through a Sophos cloud service via the UTM before being allowed through to the user.

                                  • JaredBuschJ
                                    JaredBusch @JaredBusch
                                    last edited by

                                    @jaredbusch said in Ubiquity Security appliance:

                                    They do use SSL almost exclusively because it protects their payload unless the endpoint has MitM breaking the SSL to inspect the traffic.

                                    Even before Let's Encrypt let them fully automate random domain names onto SSL easily, it was cheap to simply buy a cert to handle it.

                                    • JaredBuschJ
                                      JaredBusch @NashBrydges
                                      last edited by

                                      @nashbrydges said in Ubiquity Security appliance:

                                      Sandstorm is not on the endpoint. Files are analyzed through a Sophos cloud service via the UTM before being allowed through to the user.

                                      So you are using MitM.

                                      • scottalanmillerS
                                        scottalanmiller @NashBrydges
                                        last edited by

                                        @nashbrydges said in Ubiquity Security appliance:

                                        @jaredbusch said in Ubiquity Security appliance:

                                        @nashbrydges said in Ubiquity Security appliance:

                                        when the UTM manufacturer gathers malicious domain lists from a variety of sources

                                        Again this is different than the sources that Strongarm.io uses how?

                                        Just like different AV vendors perform differently in what they identify and block, the same is true for UTMs.

                                        Of course. But overlap has to be something like 99.99% or else you have very bad AV in one spot or the other.

                                        • DashrenderD
                                          Dashrender @NashBrydges
                                          last edited by

                                          @nashbrydges said in Ubiquity Security appliance:

                                          @jaredbusch said in Ubiquity Security appliance:

                                          They do use SSL almost exclusively because it protects their payload unless the endpoint has MitM breaking the SSL to inspect the traffic.

                                          Source please.

                                          @jaredbusch said in Ubiquity Security appliance:

                                          Is Sandstorm an AV client on the endpoint? Then it is no different than any other endpoint AV. If it is on the router, then, it is useless unless you are doing MitM.

                                          Sandstorm is not on the endpoint. Files are analyzed through a Sophos cloud service via the UTM before being allowed through to the user.

                                          Sure, files not downloaded via TLS.

                                          • JaredBuschJ
                                            JaredBusch @NashBrydges
                                            last edited by

                                            @nashbrydges said in Ubiquity Security appliance:

                                            Source please.

                                            News articles I have read over the last few years.

                                            Random Google result:
                                            http://www.eweek.com/security/more-hackers-building-ssl-encryption-into-malware-zscaler-finds
