Thoughts on how I could improve my network security?
-
@dashrender said in Thoughts on how I could improve my network security?:
@jmoore said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
But, like all things of this nature, I've presented my side as to "why" keeping firewalls and the things considered "UTM functions" in separate places.
Now, some feel the opposite. For those that want to say that UTMs (putting lots of applications together onto the router/firewall box) is better than the normal industry standard practice of keeping applications isolated, please present your reasons for wanting that. I've presented solid reasons, that you might not agree with, for why I'd follow industry best practice here. I don't remember anyone saying why they'd do the opposite, only questioning why I'd not do it, which isn't the same as presenting a reason.
So I'm asking... what's the reasons for going against the grain in this one case? There are exceptions to most every rule, but I've not seen anyone anywhere ever present an argument for UTMs, only that they'd use them despite the reasons against them.
It is not only the IT industry that does this. The audio/video industry does this also, maybe others do too. In a business or enterprise setup we never use equipment that contains all the functions in a single box, which is analogous to UTM's in the IT space. We separate out all the functions because it is more versatile, more reliable, usually more cost effective, and easier to troubleshoot issues. Do companies make boxes that include a pre-amp, amp, tuner, networking, storage, disc players, switchting, video processors and sound processors? Yes they do. Should you ever use one if your a business? Absolutely not if you can avoid it. If you have no other choice, like if someone else bought it and its your job to support then you just have to make do. If you have the budget then use separates, whether vm's or physical devices if you can't use a vm.
I take it you don't like audio receivers then?
I do not. They will work but the sound is always better if you use separates. If something breaks in the receiver then you fix or replace the whole unit so its usually more expensive. If you want to mix and match components you can't do that either with a receiver or with any other multifunction boxes. Just my opinion.
-
@dashrender said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
@dashrender said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
@dashrender said in Thoughts on how I could improve my network security?:
See that's where I don't agree - I don't think they don't care, I consider it that they are ignorant - they simply don't know.
I realize that I've been incorrect about ignorant in the past. In this case, I can't believe anyone can be that ignorant as a functional adult, hence my point. It would requiring ignoring basic common sense and adult skills to not understand this, hence why ignorant is wrong because ignorant means uninformed, rather than a state of having ignored. The real issue has to be a state of having ignored obvious knowledge.
This boils down to common knowledge comments - but really, what is common knowledge anymore?
Well this certainly is. If anything is, this is. And it isn't common knowledge, it's common sense. It doesn't require having been told or trained. It's just basic human interactions.
This is where the typical trusting nature of humans dissuades your argument.
Where do you see this in other aspects of life? This seems like a weird statement. I'd have guessed that most people are overly distrusting, not that their incredible sense of trust makes even people who warn them not to trust them, to trust them anyway.
Also, what does trusting someone that tells them not to trust them even mean? You have to either distrust that they warned you, or distrust what they warned you about. Distrust is guaranteed in that situation.
-
@jmoore said in Thoughts on how I could improve my network security?:
@dashrender said in Thoughts on how I could improve my network security?:
@jmoore said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
But, like all things of this nature, I've presented my side as to "why" keeping firewalls and the things considered "UTM functions" in separate places.
Now, some feel the opposite. For those that want to say that UTMs (putting lots of applications together onto the router/firewall box) is better than the normal industry standard practice of keeping applications isolated, please present your reasons for wanting that. I've presented solid reasons, that you might not agree with, for why I'd follow industry best practice here. I don't remember anyone saying why they'd do the opposite, only questioning why I'd not do it, which isn't the same as presenting a reason.
So I'm asking... what's the reasons for going against the grain in this one case? There are exceptions to most every rule, but I've not seen anyone anywhere ever present an argument for UTMs, only that they'd use them despite the reasons against them.
It is not only the IT industry that does this. The audio/video industry does this also, maybe others do too. In a business or enterprise setup we never use equipment that contains all the functions in a single box, which is analogous to UTM's in the IT space. We separate out all the functions because it is more versatile, more reliable, usually more cost effective, and easier to troubleshoot issues. Do companies make boxes that include a pre-amp, amp, tuner, networking, storage, disc players, switchting, video processors and sound processors? Yes they do. Should you ever use one if your a business? Absolutely not if you can avoid it. If you have no other choice, like if someone else bought it and its your job to support then you just have to make do. If you have the budget then use separates, whether vm's or physical devices if you can't use a vm.
I take it you don't like audio receivers then?
I do not. They will work but the sound is always better if you use separates. If something breaks in the receiver then you fix or replace the whole unit so its usually more expensive. If you want to mix and match components you can't do that either with a receiver or with any other multifunction boxes. Just my opinion.
Especially real receivers that have radio and crap in them. That's just silly. Why listens to the radio from a receiver?
But all that electronics in the box, it just makes the audio worst. I even moved away from pre-amps for that reason.
-
@jmoore said in Thoughts on how I could improve my network security?:
@dashrender said in Thoughts on how I could improve my network security?:
@jmoore said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
But, like all things of this nature, I've presented my side as to "why" keeping firewalls and the things considered "UTM functions" in separate places.
Now, some feel the opposite. For those that want to say that UTMs (putting lots of applications together onto the router/firewall box) is better than the normal industry standard practice of keeping applications isolated, please present your reasons for wanting that. I've presented solid reasons, that you might not agree with, for why I'd follow industry best practice here. I don't remember anyone saying why they'd do the opposite, only questioning why I'd not do it, which isn't the same as presenting a reason.
So I'm asking... what's the reasons for going against the grain in this one case? There are exceptions to most every rule, but I've not seen anyone anywhere ever present an argument for UTMs, only that they'd use them despite the reasons against them.
It is not only the IT industry that does this. The audio/video industry does this also, maybe others do too. In a business or enterprise setup we never use equipment that contains all the functions in a single box, which is analogous to UTM's in the IT space. We separate out all the functions because it is more versatile, more reliable, usually more cost effective, and easier to troubleshoot issues. Do companies make boxes that include a pre-amp, amp, tuner, networking, storage, disc players, switchting, video processors and sound processors? Yes they do. Should you ever use one if your a business? Absolutely not if you can avoid it. If you have no other choice, like if someone else bought it and its your job to support then you just have to make do. If you have the budget then use separates, whether vm's or physical devices if you can't use a vm.
I take it you don't like audio receivers then?
I do not. They will work but the sound is always better if you use separates. If something breaks in the receiver then you fix or replace the whole unit so its usually more expensive. If you want to mix and match components you can't do that either with a receiver or with any other multifunction boxes. Just my opinion.
LOL - of course - but the expense of splitting out all of the components isn't worth it for me personally, not to mention that I'm not an audiophile in any type of way, so unbelievably great audio quality isn't something I need or care about.
-
@scottalanmiller said in Thoughts on how I could improve my network security?:
@jmoore said in Thoughts on how I could improve my network security?:
@dashrender said in Thoughts on how I could improve my network security?:
@jmoore said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
But, like all things of this nature, I've presented my side as to "why" keeping firewalls and the things considered "UTM functions" in separate places.
Now, some feel the opposite. For those that want to say that UTMs (putting lots of applications together onto the router/firewall box) is better than the normal industry standard practice of keeping applications isolated, please present your reasons for wanting that. I've presented solid reasons, that you might not agree with, for why I'd follow industry best practice here. I don't remember anyone saying why they'd do the opposite, only questioning why I'd not do it, which isn't the same as presenting a reason.
So I'm asking... what's the reasons for going against the grain in this one case? There are exceptions to most every rule, but I've not seen anyone anywhere ever present an argument for UTMs, only that they'd use them despite the reasons against them.
It is not only the IT industry that does this. The audio/video industry does this also, maybe others do too. In a business or enterprise setup we never use equipment that contains all the functions in a single box, which is analogous to UTM's in the IT space. We separate out all the functions because it is more versatile, more reliable, usually more cost effective, and easier to troubleshoot issues. Do companies make boxes that include a pre-amp, amp, tuner, networking, storage, disc players, switchting, video processors and sound processors? Yes they do. Should you ever use one if your a business? Absolutely not if you can avoid it. If you have no other choice, like if someone else bought it and its your job to support then you just have to make do. If you have the budget then use separates, whether vm's or physical devices if you can't use a vm.
I take it you don't like audio receivers then?
I do not. They will work but the sound is always better if you use separates. If something breaks in the receiver then you fix or replace the whole unit so its usually more expensive. If you want to mix and match components you can't do that either with a receiver or with any other multifunction boxes. Just my opinion.
Especially real receivers that have radio and crap in them. That's just silly. Why listens to the radio from a receiver?
But all that electronics in the box, it just makes the audio worst. I even moved away from pre-amps for that reason.
I'll start a new thread.
-
@dashrender said in Thoughts on how I could improve my network security?:
@jmoore said in Thoughts on how I could improve my network security?:
@dashrender said in Thoughts on how I could improve my network security?:
@jmoore said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
But, like all things of this nature, I've presented my side as to "why" keeping firewalls and the things considered "UTM functions" in separate places.
Now, some feel the opposite. For those that want to say that UTMs (putting lots of applications together onto the router/firewall box) is better than the normal industry standard practice of keeping applications isolated, please present your reasons for wanting that. I've presented solid reasons, that you might not agree with, for why I'd follow industry best practice here. I don't remember anyone saying why they'd do the opposite, only questioning why I'd not do it, which isn't the same as presenting a reason.
So I'm asking... what's the reasons for going against the grain in this one case? There are exceptions to most every rule, but I've not seen anyone anywhere ever present an argument for UTMs, only that they'd use them despite the reasons against them.
It is not only the IT industry that does this. The audio/video industry does this also, maybe others do too. In a business or enterprise setup we never use equipment that contains all the functions in a single box, which is analogous to UTM's in the IT space. We separate out all the functions because it is more versatile, more reliable, usually more cost effective, and easier to troubleshoot issues. Do companies make boxes that include a pre-amp, amp, tuner, networking, storage, disc players, switchting, video processors and sound processors? Yes they do. Should you ever use one if your a business? Absolutely not if you can avoid it. If you have no other choice, like if someone else bought it and its your job to support then you just have to make do. If you have the budget then use separates, whether vm's or physical devices if you can't use a vm.
I take it you don't like audio receivers then?
I do not. They will work but the sound is always better if you use separates. If something breaks in the receiver then you fix or replace the whole unit so its usually more expensive. If you want to mix and match components you can't do that either with a receiver or with any other multifunction boxes. Just my opinion.
LOL - of course - but the expense of splitting out all of the components isn't worth it for me personally, not to mention that I'm not an audiophile in any type of way, so unbelievably great audio quality isn't something I need or care about.
Doesn't cost more, can even cost less. It's actually audiophilia where I learned this best. I had forgotten this. But it was because I came from that world that I was so well versed that enterprise class stuff was normally cheaper than mid-range. It's the mid-range / prosumer world where they normally get you. This is where UTM is. It's where someone knows they want to be "cooler than consumer" but aren't yet prepared to do proper research or treat themselves like enterprise (or Hi Fi). The result is someone that is easy to take advantage of - the UTM or receiver markets are where the big sales and big profits are.
-
@scottalanmiller said in Thoughts on how I could improve my network security?:
@tim_g said in Thoughts on how I could improve my network security?:
A lot of places will have SonicWALLs who haven't gotten it through an ITSP. Upper management made the decision to get a SonicWALL through their own research. And that's the way it is, in the real world. Not in Scott's world, but the real world.
Where Scott's world = "good business".
Scott never, ever suggested businesses made good decisions. Scott teaches how to make good decisions. Don't equate Scott's ideas of "what good looks like" with a misconception that I think the normal world looks good. The average business is idiotic and fails in under five years. "Normal" means abject failure in business.
I was pointing out how you are defining the real world as being best practice followers ... as in Scott's world all SMBs are doing everything correctly. I was pointing out that it's the opposite. Most SMBs are not following best practices for whatever reason.
They should be, but aren't for a ton of different reasons. That's all.
-
@tim_g said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
@tim_g said in Thoughts on how I could improve my network security?:
A lot of places will have SonicWALLs who haven't gotten it through an ITSP. Upper management made the decision to get a SonicWALL through their own research. And that's the way it is, in the real world. Not in Scott's world, but the real world.
Where Scott's world = "good business".
Scott never, ever suggested businesses made good decisions. Scott teaches how to make good decisions. Don't equate Scott's ideas of "what good looks like" with a misconception that I think the normal world looks good. The average business is idiotic and fails in under five years. "Normal" means abject failure in business.
I was pointing out how you are defining the real world as being best practice followers ...
When did I ever say that? I keep saying that it is the opposite of that.
-
@tim_g said in Thoughts on how I could improve my network security?:
... as in Scott's world all SMBs are doing everything correctly. I was pointing out that it's the opposite. Most SMBs are not following best practices for whatever reason.
Right, which is exactly what I say ALL the time. In every thread. We have this same discussion constantly and I'm always pointing out, more than anyone, how SMBs do nothing right, that they should still follow best practices, and regardless of the fact that they don't listen or care does not mean that we should alter what is "good advice" to intentionally give bad advice just because most people don't care.
-
@scottalanmiller said in Thoughts on how I could improve my network security?:
@tim_g said in Thoughts on how I could improve my network security?:
... as in Scott's world all SMBs are doing everything correctly. I was pointing out that it's the opposite. Most SMBs are not following best practices for whatever reason.
Right, which is exactly what I say ALL the time. In every thread. We have this same discussion constantly and I'm always pointing out, more than anyone, how SMBs do nothing right, that they should still follow best practices, and regardless of the fact that they don't listen or care does not mean that we should alter what is "good advice" to intentionally give bad advice just because most people don't care.
Okay I see what you mean now.
-
@dashrender said in Thoughts on how I could improve my network security?:
@jmoore said in Thoughts on how I could improve my network security?:
@dashrender said in Thoughts on how I could improve my network security?:
@jmoore said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
But, like all things of this nature, I've presented my side as to "why" keeping firewalls and the things considered "UTM functions" in separate places.
Now, some feel the opposite. For those that want to say that UTMs (putting lots of applications together onto the router/firewall box) is better than the normal industry standard practice of keeping applications isolated, please present your reasons for wanting that. I've presented solid reasons, that you might not agree with, for why I'd follow industry best practice here. I don't remember anyone saying why they'd do the opposite, only questioning why I'd not do it, which isn't the same as presenting a reason.
So I'm asking... what's the reasons for going against the grain in this one case? There are exceptions to most every rule, but I've not seen anyone anywhere ever present an argument for UTMs, only that they'd use them despite the reasons against them.
It is not only the IT industry that does this. The audio/video industry does this also, maybe others do too. In a business or enterprise setup we never use equipment that contains all the functions in a single box, which is analogous to UTM's in the IT space. We separate out all the functions because it is more versatile, more reliable, usually more cost effective, and easier to troubleshoot issues. Do companies make boxes that include a pre-amp, amp, tuner, networking, storage, disc players, switchting, video processors and sound processors? Yes they do. Should you ever use one if your a business? Absolutely not if you can avoid it. If you have no other choice, like if someone else bought it and its your job to support then you just have to make do. If you have the budget then use separates, whether vm's or physical devices if you can't use a vm.
I take it you don't like audio receivers then?
I do not. They will work but the sound is always better if you use separates. If something breaks in the receiver then you fix or replace the whole unit so its usually more expensive. If you want to mix and match components you can't do that either with a receiver or with any other multifunction boxes. Just my opinion.
LOL - of course - but the expense of splitting out all of the components isn't worth it for me personally, not to mention that I'm not an audiophile in any type of way, so unbelievably great audio quality isn't something I need or care about.
Well I certainly understand that. What is good enough for someone is a totally different discussion. I was only talking about the best thing to do if your putting this in a business or a homeowner that care a lot. As in most things, you just have to determine what your needs are and then go from there. Nothing wrong with that.
-
@scottalanmiller said in Thoughts on how I could improve my network security?:
@jmoore said in Thoughts on how I could improve my network security?:
@dashrender said in Thoughts on how I could improve my network security?:
@jmoore said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
But, like all things of this nature, I've presented my side as to "why" keeping firewalls and the things considered "UTM functions" in separate places.
Now, some feel the opposite. For those that want to say that UTMs (putting lots of applications together onto the router/firewall box) is better than the normal industry standard practice of keeping applications isolated, please present your reasons for wanting that. I've presented solid reasons, that you might not agree with, for why I'd follow industry best practice here. I don't remember anyone saying why they'd do the opposite, only questioning why I'd not do it, which isn't the same as presenting a reason.
So I'm asking... what's the reasons for going against the grain in this one case? There are exceptions to most every rule, but I've not seen anyone anywhere ever present an argument for UTMs, only that they'd use them despite the reasons against them.
It is not only the IT industry that does this. The audio/video industry does this also, maybe others do too. In a business or enterprise setup we never use equipment that contains all the functions in a single box, which is analogous to UTM's in the IT space. We separate out all the functions because it is more versatile, more reliable, usually more cost effective, and easier to troubleshoot issues. Do companies make boxes that include a pre-amp, amp, tuner, networking, storage, disc players, switchting, video processors and sound processors? Yes they do. Should you ever use one if your a business? Absolutely not if you can avoid it. If you have no other choice, like if someone else bought it and its your job to support then you just have to make do. If you have the budget then use separates, whether vm's or physical devices if you can't use a vm.
I take it you don't like audio receivers then?
I do not. They will work but the sound is always better if you use separates. If something breaks in the receiver then you fix or replace the whole unit so its usually more expensive. If you want to mix and match components you can't do that either with a receiver or with any other multifunction boxes. Just my opinion.
Especially real receivers that have radio and crap in them. That's just silly. Why listens to the radio from a receiver?
But all that electronics in the box, it just makes the audio worst. I even moved away from pre-amps for that reason.
Yeah all of those components will interfere with each other to varying degrees. That makes transmission of data less reliable. It is like putting an access point behind a concrete wall and expect it to transmit outward to your users reliably.
-
@tim_g said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
@tim_g said in Thoughts on how I could improve my network security?:
... as in Scott's world all SMBs are doing everything correctly. I was pointing out that it's the opposite. Most SMBs are not following best practices for whatever reason.
Right, which is exactly what I say ALL the time. In every thread. We have this same discussion constantly and I'm always pointing out, more than anyone, how SMBs do nothing right, that they should still follow best practices, and regardless of the fact that they don't listen or care does not mean that we should alter what is "good advice" to intentionally give bad advice just because most people don't care.
Okay I see what you mean now.
Basically, I see "IT Advice" as defining "what good looks like" so that we have a bar against which to measure, because we can't look at real world businesses, as they rare do things well.
I like the term "what good looks like" a lot, it's a good way to discuss things.
-
@scottalanmiller said in Thoughts on how I could improve my network security?:
@tim_g said in Thoughts on how I could improve my network security?:
... as in Scott's world all SMBs are doing everything correctly. I was pointing out that it's the opposite. Most SMBs are not following best practices for whatever reason.
Right, which is exactly what I say ALL the time. In every thread. We have this same discussion constantly and I'm always pointing out, more than anyone, how SMBs do nothing right, that they should still follow best practices, and regardless of the fact that they don't listen or care does not mean that we should alter what is "good advice" to intentionally give bad advice just because most people don't care.
hmm... I guess what I'd like to get out of all of these conversations is a way to convince them to do it right.
We all already know that many, dare I say most, do it wrong. The best that we can hope to come away from these types of conversations are ways to convince them to change.
-
@dashrender said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
@tim_g said in Thoughts on how I could improve my network security?:
... as in Scott's world all SMBs are doing everything correctly. I was pointing out that it's the opposite. Most SMBs are not following best practices for whatever reason.
Right, which is exactly what I say ALL the time. In every thread. We have this same discussion constantly and I'm always pointing out, more than anyone, how SMBs do nothing right, that they should still follow best practices, and regardless of the fact that they don't listen or care does not mean that we should alter what is "good advice" to intentionally give bad advice just because most people don't care.
hmm... I guess what I'd like to get out of all of these conversations is a way to convince them to do it right.
Three stages, each is relatively discrete.
- Determine what is "right". Meaning, what is good for the business. E.g. what should IT do.
- Convince them to want good business to matter.
- Convey good IT to them in a way that makes sense.
Each step is a different thing entirely. Part one is what we are tackling here. What does "good look like"? Part two, you can't talk people into, if you are at a company where they don't care and that's not okay for you, you need to leave. If they don't care and you don't care, fine. Then, once one and two are done, it's about talking in business terms, which is important, but a separate task to tackle.
-
@dashrender said in Thoughts on how I could improve my network security?:
The best that we can hope to come away from these types of conversations are ways to convince them to change.
Not really, not these conversations. These conversations are about determining what is the thing that we should try to convince them of, rather than how to try to convince them.
In a healthy company, we'd never need that part, but we always need this part. This is all step one.
-
@scottalanmiller said in Thoughts on how I could improve my network security?:
If you DO decide to go UTM, avoid crap like ASA, SonicWall, Sophos etc. I heavily recommend Palo Alto or nothing. If you can't do it right, don't do it halfway with gear I'd not even be willing to deploy at home.
Do you put a lot of stock into NSS Labs reports? In doing research, I'm kinda surprised to see Palo Alto isn't rated really high on the NGFW SVM. They do better on the NGIPS SVM, but Fortinet, Forecepoint, and TrendMicro are rated higher.
-
And totally off topic, but is there an easy way I can see my posting history to find threads I started?
-
-
@beta said in Thoughts on how I could improve my network security?:
NSS Labs
I lack any real opinion either way, I'm afraid. But rating Fortinet highly in anything is.... concerning.