New customer - greenfield setup
-
@dashrender said in New customer - greenfield setup:
@notverypunny said in New customer - greenfield setup:
For the filtering piece, I don't know that anything relying on DNS filtering alone would be adequate in a business environment. I'd come back to your firewall option from Sophos or an equivalent FortiNet product (just because that's what I'm used to) with a web-filtering subscription. That way even if you've got devices that are getting around your DNS (especially mobile devices) to look up the undesirable sites and services, the FW would still block traffic to and from the destination based on it's web-filtering. This should be possible without any MiTM type inspection as well.
Yeah - this is where I'm leaning. I care less about the virus filtering on the guest network - where all the phones and guest devices should be.
Depending on how petty and litigious the guest network users might be, that could be a dangerous stance with regards to the guest network.
-
@notverypunny said in New customer - greenfield setup:
@dashrender said in New customer - greenfield setup:
@notverypunny said in New customer - greenfield setup:
For the filtering piece, I don't know that anything relying on DNS filtering alone would be adequate in a business environment. I'd come back to your firewall option from Sophos or an equivalent FortiNet product (just because that's what I'm used to) with a web-filtering subscription. That way even if you've got devices that are getting around your DNS (especially mobile devices) to look up the undesirable sites and services, the FW would still block traffic to and from the destination based on it's web-filtering. This should be possible without any MiTM type inspection as well.
Yeah - this is where I'm leaning. I care less about the virus filtering on the guest network - where all the phones and guest devices should be.
Depending on how petty and litigious the guest network users might be, that could be a dangerous stance with regards to the guest network.
I personally do refuse to use any guest WiFi that requires the installation of a third party cert to use. That said - I can only recall this happening one time.
I'm not against DNS filtering - all the things Pete.S mentioned, but SSL inspection on guest - nope, not interested... Hell I'd be more worried about being sue for breach of privacy.
-
@gjacobse said in New customer - greenfield setup:
Not knowing all of the aspects you will run into, something we have here - and is a pain point sometimes is the WI-Fi and vLans.
We have iPads for certain tasks,.. we have a few RING cameras as well, In some cases - they only need to go to the internet - so they are routed as such.
The iPads are used as interruptor stations - so only need to hit that web site (iPads are MDM'ed), and the Ring camea only needs access to RING.
These are my thoughts as well, it's one of the draw backs to Ubiquiti gear - limited to 4 VLANs on WiFi (at least used to be). For now, I think four will do me.
Production
IOT - internet only
Guest
medical equipment - future potential -
@dashrender said in New customer - greenfield setup:
@gjacobse said in New customer - greenfield setup:
Not knowing all of the aspects you will run into, something we have here - and is a pain point sometimes is the WI-Fi and vLans.
We have iPads for certain tasks,.. we have a few RING cameras as well, In some cases - they only need to go to the internet - so they are routed as such.
The iPads are used as interruptor stations - so only need to hit that web site (iPads are MDM'ed), and the Ring camea only needs access to RING.
These are my thoughts as well, it's one of the draw backs to Ubiquiti gear - limited to 4 VLANs on WiFi (at least used to be). For now, I think four will do me.
Production
IOT - internet only
Guest
medical equipment - future potentiallol - well as much as I don't like them - we use Cisco and Meraki... I think we have almost 30 vlans and a dozen SSIDs.. but some are getting added to retire others.
-
@gjacobse said in New customer - greenfield setup:
@dashrender said in New customer - greenfield setup:
@gjacobse said in New customer - greenfield setup:
Not knowing all of the aspects you will run into, something we have here - and is a pain point sometimes is the WI-Fi and vLans.
We have iPads for certain tasks,.. we have a few RING cameras as well, In some cases - they only need to go to the internet - so they are routed as such.
The iPads are used as interruptor stations - so only need to hit that web site (iPads are MDM'ed), and the Ring camea only needs access to RING.
These are my thoughts as well, it's one of the draw backs to Ubiquiti gear - limited to 4 VLANs on WiFi (at least used to be). For now, I think four will do me.
Production
IOT - internet only
Guest
medical equipment - future potentiallol - well as much as I don't like them - we use Cisco and Meraki... I think we have almost 30 vlans and a dozen SSIDs.. but some are getting added to retire others.
I would never recommend those to a client. If they demand it, or it's already setup - that's different...
I'd rather look at aurba - though I've heard some positive things about TPLink.
The think for me now is the controller -
-
@dashrender said in New customer - greenfield setup:
@notverypunny said in New customer - greenfield setup:
@dashrender said in New customer - greenfield setup:
@notverypunny said in New customer - greenfield setup:
For the filtering piece, I don't know that anything relying on DNS filtering alone would be adequate in a business environment. I'd come back to your firewall option from Sophos or an equivalent FortiNet product (just because that's what I'm used to) with a web-filtering subscription. That way even if you've got devices that are getting around your DNS (especially mobile devices) to look up the undesirable sites and services, the FW would still block traffic to and from the destination based on it's web-filtering. This should be possible without any MiTM type inspection as well.
Yeah - this is where I'm leaning. I care less about the virus filtering on the guest network - where all the phones and guest devices should be.
Depending on how petty and litigious the guest network users might be, that could be a dangerous stance with regards to the guest network.
I personally do refuse to use any guest WiFi that requires the installation of a third party cert to use. That said - I can only recall this happening one time.
I'm not against DNS filtering - all the things Pete.S mentioned, but SSL inspection on guest - nope, not interested... Hell I'd be more worried about being sue for breach of privacy.
Absolutely this too. A FW shouldn't have to do anything like MiTM for basic webfiltering, just block traffic out to undesirable sites. Your subscription service is keeping that list of sites up to date and accessible to you..... The SO's place of work wants to to dpi / MiTM on their guest wifi, so guess who's data plan got upgraded recently.
-
@notverypunny said in New customer - greenfield setup:
The SO's place of work wants to to dpi / MiTM on their guest wifi, so guess who's data plan got upgraded recently.
Damn.. that sucks!
-
@gjacobse said in New customer - greenfield setup:
@dashrender said in New customer - greenfield setup:
@gjacobse said in New customer - greenfield setup:
Not knowing all of the aspects you will run into, something we have here - and is a pain point sometimes is the WI-Fi and vLans.
We have iPads for certain tasks,.. we have a few RING cameras as well, In some cases - they only need to go to the internet - so they are routed as such.
The iPads are used as interruptor stations - so only need to hit that web site (iPads are MDM'ed), and the Ring camea only needs access to RING.
These are my thoughts as well, it's one of the draw backs to Ubiquiti gear - limited to 4 VLANs on WiFi (at least used to be). For now, I think four will do me.
Production
IOT - internet only
Guest
medical equipment - future potentiallol - well as much as I don't like them - we use Cisco and Meraki... I think we have almost 30 vlans and a dozen SSIDs.. but some are getting added to retire others.
knock wood beyond the price I can't say anything too bad about Meraki for wireless.... firewalls is another topic, but we've got their wireless deployed at 10 or so sites and it just works. The only thing I've had to do that's a bit outside the norm is script a nightly reboot of the antennas and it was setup strictly as a peace of mind thing as the gear is getting on in age.
-
@notverypunny said in New customer - greenfield setup:
@gjacobse said in New customer - greenfield setup:
@dashrender said in New customer - greenfield setup:
@gjacobse said in New customer - greenfield setup:
Not knowing all of the aspects you will run into, something we have here - and is a pain point sometimes is the WI-Fi and vLans.
We have iPads for certain tasks,.. we have a few RING cameras as well, In some cases - they only need to go to the internet - so they are routed as such.
The iPads are used as interruptor stations - so only need to hit that web site (iPads are MDM'ed), and the Ring camea only needs access to RING.
These are my thoughts as well, it's one of the draw backs to Ubiquiti gear - limited to 4 VLANs on WiFi (at least used to be). For now, I think four will do me.
Production
IOT - internet only
Guest
medical equipment - future potentiallol - well as much as I don't like them - we use Cisco and Meraki... I think we have almost 30 vlans and a dozen SSIDs.. but some are getting added to retire others.
knock wood beyond the price I can't say anything too bad about Meraki for wireless.... firewalls is another topic, but we've got their wireless deployed at 10 or so sites and it just works. The only thing I've had to do that's a bit outside the norm is script a nightly reboot of the antennas and it was setup strictly as a peace of mind thing as the gear is getting on in age.
Price is what completely kills it Meraki's viability. It's one of if not the most expensive stuff out there - and for what? - seriously - what?
Also, if you don't pay their monthly/yearly fees - they just stop functioning.
We had Cisco installed here in 2008, and replaced in 2017 with Unifi - there have been zero issues with the Unifi equipment since install.
Sure APs die - and you just replace them - I've had one out of 18 die since 2018. -
@dashrender said in New customer - greenfield setup:
I'm kinda stuck between - should they go with a NGFW or a EdgeRouter?
Should they go DNS filtering or NGFW with filtering subscription?First, NGFW isn't really a thing. It's a marketing term for old products. EdgeRouter is an NGFW under some descriptions. Unifi USG always is. They just don't use that scam marketing term.
You want to discuss features here, not marketing terms.
-
@dashrender said in New customer - greenfield setup:
They want web filtering to keep porn/guns/violence, etc at bay.
I'd start by moving this from a hobby/emotional discussion to a business one. What "business value" are they looking for. The point here isn't to make them act like a business if they aren't one, but to use this process to define their real goal because the answer to your question is determined by that.
Right now, maybe they did a bunch of research and business thoughts and know that they need some filtering. unlikely, but plausible. But they aren't relaying enough of that information to you (suggesting that there is none) so you don't know how to solve the problem because you are lacking the information necessary to do so that had to be used to make a business decision to do so in the first place.
Also, if this WAS a business decision, how did they reach it without talking to their IT and getting the IT costs and options as part of the process? They can't, ergo we know it's an emotional response. But that's separate.
-
@dashrender said in New customer - greenfield setup:
Of course it's really only worthwhile where we can do SSL inspection (can this be down without installing certs on the clients to allow MiTM inspection?)
Nope, that's physically impossible. These types of devices I see as reckless because they are often poorly maintained, often made by questionable vendors (Sophos is fine, but many others are less respectable) and provide a single point of total egress of your data with nearly all assumed protections removed.
-
@dashrender said in New customer - greenfield setup:
With the appliance - we could also have multilayers of email scanning - i.e. MX points to Sophos - Sophos then sends to M365.
That means all email has to enter your network, be scanned, then exit your network. There's a reason no one ever suggests this. It's crazy messy and absolutely terrible design. You aren't a datacenter, using a device that has no business being an email scanner ever EVER and doing so as a hairpin to the Internet is just nuts.
-
@jaredbusch said in New customer - greenfield setup:
Can they not just discipline employees? Because this is jsut stupid talking.
No way around this. They see themselves as having a management problem and they are trying to find a scapegoat in IT.
-
@dashrender said in New customer - greenfield setup:
It's less about employees and what is accessed on their guest WiFi. They will have clients spending hours in the office, likely on the internet much of that time.
So they are acting like an ISP. They should act like an ISP and not care. I get WHY they want to care, but it's not their place to do so. Either provide them Internet access or don't. That's makes this an asinine discussion. We are talking about a huge investment in tech, that won't even work, to try to control the private behaviour of customers just to satisfy an emotional need for control? That takes this from "hard and dumb" to "impossible and absolutely stupid beyond belief."
-
@dashrender said in New customer - greenfield setup:
@jaredbusch said in New customer - greenfield setup:
@dashrender said in New customer - greenfield setup:
Should they go DNS filtering or NGFW with filtering subscription?
2 years ago, I would have said DNS filtering. But now browsers are starting to go around DNS with built in DNS over TLS and such.
I know several DNS providers were starting to provide DNS over TLS, and that several of the browser vendors were saying - as long as the provided DNS provider used DNS over TLS or HTTPS then the browser would respect the system's IP settings.
Have you found that to be not true? - then again, how would you know other than the traffic going to known browser based DNS over TLS IPs.
No matter what, someone that wants to work around this will. My phone, for example, would never even know that you blocked me because it always establishes a VPN first. So you'd know that I had a VPN, but that would be the end of it. All that SOPHOS magic, those certs, those IP blocks... none of it would ever show up. All that cost and me, not even trying to work around anything, would totally not be affected.
-
@dashrender said in New customer - greenfield setup:
Sadly there's more requirements for companies to keep their workspaces harassment free, etc.
No there isn't. There's no requirement or suggestion that any company can or should police visitors use of the internet. Someone lied to you. If that's a requirement, it would exist at the ISP level.
-
@dave247 said in New customer - greenfield setup:
For basic site filter, would you consider OpenDNS? Then, like Jared said, discipline the employees.
Not employees. So you can't use DNS filtering nor can you discipline. It's about controlling customers. So.... nothing will work.
-
@dashrender said in New customer - greenfield setup:
These are my thoughts as well, it's one of the draw backs to Ubiquiti gear - limited to 4 VLANs on WiFi (at least used to be).
The limit is 4 SSID. Of course that also means 4 VLAN max, since the VLAN is tied to the SSID. But the limit is not VLAN.
-
@notverypunny said in New customer - greenfield setup:
For the filtering piece, I don't know that anything relying on DNS filtering alone would be adequate in a business environment. I'd come back to your firewall option from Sophos or an equivalent FortiNet product (just because that's what I'm used to) with a web-filtering subscription. That way even if you've got devices that are getting around your DNS (especially mobile devices) to look up the undesirable sites and services, the FW would still block traffic to and from the destination based on it's web-filtering. This should be possible without any MiTM type inspection as well.
Actually I'd say the opposite. DNS is adequate in essentially all business environments because doing nothing is also adequate. DNS filtering helps to prevents accidents and that can be a good thing. But this isn't about business or employees, it's an emotionally driven attempt to control the public that are customers, but without refusing to do business with said customers.
If this was a business need, then DNS filtering is the only thing that makes sense. It assists employees trying to be good to stay good. It doesn't actually break anything that shouldn't be broken.
But in this scenario, it's useless.