Arg! The money spent the month before I stated here.
-
@jaredbusch I know firewalls use rules. In Sophos and Sonicwall and others, I'm sure, you can define a host, network and service and call it something like ServerA and drag and drop the hosts/ip address, services and networks to create the rules.
-
@storageninja said in Arg! The money spent the month before I stated here.:
@wrx7m said in Arg! The money spent the month before I stated here.:
@jaredbusch Right but my question was related to ACLs, not IDS/IPS.
Did they have compliance requirements that would drive IDS/IPS? Honestly, I wouldn't deploy an office network without some sort of layer 7 edge inspection. Users are just too dumb...
The modern argument against proxy and IDS/IPS is that you have to set it up so that your proxy device is the man in the middle and decrypts and encrypts everything again.
-
@wrx7m said in Arg! The money spent the month before I stated here.:
@storageninja said in Arg! The money spent the month before I stated here.:
@wrx7m said in Arg! The money spent the month before I stated here.:
@jaredbusch Right but my question was related to ACLs, not IDS/IPS.
Did they have compliance requirements that would drive IDS/IPS? Honestly, I wouldn't deploy an office network without some sort of layer 7 edge inspection. Users are just too dumb...
The modern argument against proxy and IDS/IPS is that you have to set it up so that your proxy device is the man in the middle and decrypts and encrypts everything again.
That was an old argument, too
-
@scottalanmiller Right, but now almost everything is HTTPS.
-
@storageninja said in Arg! The money spent the month before I stated here.:
@wrx7m said in Arg! The money spent the month before I stated here.:
@jaredbusch Right but my question was related to ACLs, not IDS/IPS.
Did they have compliance requirements that would drive IDS/IPS? Honestly, I wouldn't deploy an office network without some sort of layer 7 edge inspection. Users are just too dumb...
No compliance related things, yet at least.
-
@wrx7m said in Arg! The money spent the month before I stated here.:
@scottalanmiller Right, but now almost everything is HTTPS.
Oh, I see what you mean.
-
@wrx7m said in Arg! The money spent the month before I stated here.:
@jaredbusch I know firewalls use rules. In Sophos and Sonicwall and others, I'm sure, you can define a host, network and service and call it something like ServerA and drag and drop the hosts/ip address, services and networks to create the rules.
An ACL provides rules applied to IP address and ports.
What you are describing is not an ACL. It is a group or list of information applied to an ACL.
In the VyOS/EdgeMax world, you can see an example in my router snippet above. I have a firewall group named Strongarm.io that is an address group of two addresses.
That group is applied to rule 1 of ACL named WAN_OUT
-
@wrx7m said in Arg! The money spent the month before I stated here.:
@jaredbusch I know firewalls use rules. In Sophos and Sonicwall and others, I'm sure, you can define a host, network and service and call it something like ServerA and drag and drop the hosts/ip address, services and networks to create the rules.
An object based rule engine. This is what most modern firewalls have moved to.
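To make the distinction in the two posts above concrete (an ACL is rules over addresses and ports; a named group is an object the ACL refers to), here is an added example of a tiny object-based rule engine in Python. It is not code from the thread or from VyOS/EdgeMax; the group name Strongarm.io and the ACL name WAN_OUT come from the post, while the addresses (documentation ranges), port groups and the rule actions are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample objects. Strongarm.io is the two-address group from the post;
# the addresses themselves are RFC 5737 documentation addresses, not real hosts.
ADDRESS_GROUPS = {
    "Strongarm.io": ["192.0.2.10", "192.0.2.11"],
    "LAN": ["10.0.0.0/24"],
}
PORT_GROUPS = {            # hypothetical named service objects
    "dns": [53],
    "web": [80, 443],
}

@dataclass
class Rule:
    number: int
    action: str                            # "accept" or "drop"
    dst_group: Optional[str] = None        # named address object, resolved at match time
    dst_port_group: Optional[str] = None   # named service object
    protocol: Optional[str] = None         # "tcp", "udp" or None for any

@dataclass
class Acl:
    name: str
    default_action: str = "drop"
    rules: List[Rule] = field(default_factory=list)

def resolve_addresses(group_name: str):
    """Expand a named address group into concrete networks (the object layer)."""
    return [ipaddress.ip_network(a, strict=False) for a in ADDRESS_GROUPS[group_name]]

def rule_matches(rule: Rule, dst_ip: str, dst_port: int, proto: str) -> bool:
    if rule.protocol and rule.protocol != proto:
        return False
    if rule.dst_group and not any(ipaddress.ip_address(dst_ip) in n
                                  for n in resolve_addresses(rule.dst_group)):
        return False
    if rule.dst_port_group and dst_port not in PORT_GROUPS[rule.dst_port_group]:
        return False
    return True

def evaluate(acl: Acl, dst_ip: str, dst_port: int, proto: str = "tcp") -> Tuple[Optional[int], str]:
    """First matching rule (lowest number) wins; otherwise the ACL default action applies."""
    for rule in sorted(acl.rules, key=lambda r: r.number):
        if rule_matches(rule, dst_ip, dst_port, proto):
            return rule.number, rule.action
    return None, acl.default_action

# WAN_OUT with the Strongarm.io group applied to rule 1, as described in the post.
# The accept actions, UDP/53 and the web rule are assumed for illustration.
WAN_OUT = Acl("WAN_OUT", rules=[
    Rule(1, "accept", dst_group="Strongarm.io", dst_port_group="dns", protocol="udp"),
    Rule(10, "accept", dst_port_group="web", protocol="tcp"),
])
```

Changing the members of ADDRESS_GROUPS["Strongarm.io"] changes what rule 1 matches without touching the ACL itself, which is the whole point of the group-versus-rule split.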
-
@wrx7m For inbound attacks on systems you are hosting, it's still an issue (and yes, your IDS/F5/LBs need to terminate SSL for this to work). On the outbound traffic, there's a lot that can be inferred from what/where you are talking to. If someone is phoning home to a known bot C&C system then you likely want to know that...
-
A lot of malware such as ransomware is delivered from legitimate SSL sites that have been hacked.
So if you don't have some kind of SSL Inspection (like SonicWALL's SSL-DPI), then you are solely relying on your users' AV and ability to spot fake "java update" ads for example.
-
@tim_g said in Arg! The money spent the month before I stated here.:
A lot of malware such as ransomware is delivered from legitimate SSL sites that have been hacked.
So if you don't have some kind of SSL Inspection (like SonicWALL's SSL-DPI), then you are solely relying on your users' AV and ability to spot fake "java update" ads for example.
You are relying on the same thing in both cases, just one runs on a central processor and one runs closer to the end user. Same scanning functionality, though.
-
@tim_g said in Arg! The money spent the month before I stated here.:
...and ability to spot fake "java update" ads for example.
No, that's not how that works. Anything that runs on the router can be run on the client machine. The idea that UTM can do something that traditional AV cannot is incorrect. It's the same thing, just one runs on a low powered shared machine and one runs on the high powered desktop.
-
@scottalanmiller said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
A lot of malware such as ransomware is delivered from legitimate SSL sites that have been hacked.
So if you don't have some kind of SSL Inspection (like SonicWALL's SSL-DPI), then you are solely relying on your users' AV and ability to spot fake "java update" ads for example.
You are relying on the same thing in both cases, just one runs on a central processor and one runs closer to the end user. Same scanning functionality, though.
Security in layers... why not one at the gateway?
-
@scottalanmiller said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
...and ability to spot fake "java update" ads for example.
No, that's not how that works. Anything that runs on the router can be run on the client machine. The idea that UTM can do something that traditional AV cannot is incorrect. It's the same thing, just one runs on a low powered shared machine and one runs on the high powered desktop.
It works because one protects against stuff that bypasses the firewall... like if you plug in an infected USB stick, or some other means of bypassing the firewall.
And the other helps against things that do pass through the firewall (like a PC connecting to the internet). Both together are better.
The SonicWALL may catch something the other does not.
The SonicWALL may deny something that an unprotected device can't see... like an iPad with no antivirus or a cell phone on the wireless network.
-
@tim_g said in Arg! The money spent the month before I stated here.:
@scottalanmiller said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
...and ability to spot fake "java update" ads for example.
No, that's not how that works. Anything that runs on the router can be run on the client machine. The idea that UTM can do something that traditional AV cannot is incorrect. It's the same thing, just one runs on a low powered shared machine and one runs on the high powered desktop.
It works because one protects against stuff that bypasses the firewall... like if you plug in an infected USB stick, or some other means of bypassing the firewall.
And the other helps against things that pass through the firewall. Both together are better.
Why do you need to pay so much money when you can get the same functionality free? That's my beef, not that security in-depth isn't a good thing.
-
@travisdh1 said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
@scottalanmiller said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
...and ability to spot fake "java update" ads for example.
No, that's not how that works. Anything that runs on the router can be run on the client machine. The idea that UTM can do something that traditional AV cannot is incorrect. It's the same thing, just one runs on a low powered shared machine and one runs on the high powered desktop.
It works because one protects against stuff that bypasses the firewall... like if you plug in an infected USB stick, or some other means of bypassing the firewall.
And the other helps against things that pass through the firewall. Both together are better.
Why do you need to pay so much money when you can get the same functionality free? That's my beef, not that security in-depth isn't a good thing.
Where do you get good SSL-DPI for free, with reliable gateway AV?
-
@scottalanmiller said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
...and ability to spot fake "java update" ads for example.
No, that's not how that works. Anything that runs on the router can be run on the client machine. The idea that UTM can do something that traditional AV cannot is incorrect. It's the same thing, just one runs on a low powered shared machine and one runs on the high powered desktop.
I meant the user spot fake ads there.
-
@tim_g said in Arg! The money spent the month before I stated here.:
@travisdh1 said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
@scottalanmiller said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
...and ability to spot fake "java update" ads for example.
No, that's not how that works. Anything that runs on the router can be run on the client machine. The idea that UTM can do something that traditional AV cannot is incorrect. It's the same thing, just one runs on a low powered shared machine and one runs on the high powered desktop.
It works because one protects against stuff that bypasses the firewall... like if you plug in an infected USB stick, or some other means of bypassing the firewall.
And the other helps against things that pass through the firewall. Both together are better.
Why do you need to pay so much money when you can get the same functionality free? That's my beef, not that security in-depth isn't a good thing.
Where do you get good SSL-DPI for free, with reliable gateway AV?
Every proxy server around offers that.
-
@travisdh1 said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
@travisdh1 said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
@scottalanmiller said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
...and ability to spot fake "java update" ads for example.
No, that's not how that works. Anything that runs on the router can be run on the client machine. The idea that UTM can do something that traditional AV cannot is incorrect. It's the same thing, just one runs on a low powered shared machine and one runs on the high powered desktop.
It works because one protects against stuff that bypasses the firewall... like if you plug in an infected USB stick, or some other means of bypassing the firewall.
And the other helps against things that pass through the firewall. Both together are better.
Why do you need to pay so much money when you can get the same functionality free? That's my beef, not that security in-depth isn't a good thing.
Where do you get good SSL-DPI for free, with reliable gateway AV?
Every proxy server around offers that.
Have fun with that.
-
@tim_g said in Arg! The money spent the month before I stated here.:
@travisdh1 said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
@travisdh1 said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
@scottalanmiller said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
...and ability to spot fake "java update" ads for example.
No, that's not how that works. Anything that runs on the router can be run on the client machine. The idea that UTM can do something that traditional AV cannot is incorrect. It's the same thing, just one runs on a low powered shared machine and one runs on the high powered desktop.
It works because one protects against stuff that bypasses the firewall... like if you plug in an infected USB stick, or some other means of bypassing the firewall.
And the other helps against things that pass through the firewall. Both together are better.
Why do you need to pay so much money when you can get the same functionality free? That's my beef, not that security in-depth isn't a good thing.
Where do you get good SSL-DPI for free, with reliable gateway AV?
Every proxy server around offers that.
Have fun with that.
What makes you think your favored solution isn't using ClamAV and Snort under the hood?