Thoughts on how I could improve my network security?
-
AlienVault's UTM works decently if you are on a budget, but requires ALOT of configuration. I spent months working on AlienVault's UTM with my last employer to get it to be reliable.
-
@beta said in Thoughts on how I could improve my network security?:
@dashrender said in Thoughts on how I could improve my network security?:
@beta said in Thoughts on how I could improve my network security?:
It would also be helpful to have more visibility into our traffic so I can see exactly who's using bandwidth if the internet is slow, if management asks me how many people are wasting time on non-work related websites, etc., etc.
An ER-L can give you basics in this area. I don't think IDS/IPS gives you this.
Sorry, I didn't mean to imply that's what the IDS/IPS would be for, I was referring to a UTM like appliance like the Palo Alto.
But you don't need UTM for that. A normal router does that. It's not even a firewall function. At least for who is using bandwidth.
Now as for websites, you need a proxy for that. But no need for a UTM.
-
I can understand where you're coming from @beta. I work for a government contractor, and one of our compliance points requires that we use an IDS/IDP on our edge. It isn't ideal, but it is a reality when you're working for people that operate on checklists rather than what is actually secure.
-
@kelly said in Thoughts on how I could improve my network security?:
I can understand where you're coming from @beta. I work for a government contractor, and one of our compliance points requires that we use an IDS/IDP on our edge. It isn't ideal, but it is a reality when you're working for people that operate on checklists rather than what is actually secure.
This is definitely true.
-
@kelly said in Thoughts on how I could improve my network security?:
I can understand where you're coming from @beta. I work for a government contractor, and one of our compliance points requires that we use an IDS/IDP on our edge. It isn't ideal, but it is a reality when you're working for people that operate on checklists rather than what is actually secure.
On the edge is fine, that doesn't imply on a UTM.
-
I didn't want to start a whole new thread, so thought I would ask here: what are your password policies looking like nowadays in regards to length, complexity, change frequency, etc.?
-
@beta said in Thoughts on how I could improve my network security?:
I didn't want to start a whole new thread, so thought I would ask here: what are your password policies looking like nowadays in regards to length, complexity, change frequency, etc.?
The best thing to do is to pick a standard to follow such as NIST. Then use those guidelines to create your policies throughout your network.
-
@beta said in Thoughts on how I could improve my network security?:
I didn't want to start a whole new thread, so thought I would ask here: what are your password policies looking like nowadays in regards to length, complexity, change frequency, etc.?
If it were up to my docs - it would be zero length, zero complexity, and zero change frequency. lol - OK I'm kidding I think they would seriously want 8 or less with no other requirements.
Personally I think we should be at 12+ characters with no other restrictions.
-
@irj said in Thoughts on how I could improve my network security?:
@beta said in Thoughts on how I could improve my network security?:
I didn't want to start a whole new thread, so thought I would ask here: what are your password policies looking like nowadays in regards to length, complexity, change frequency, etc.?
The best thing to do is to pick a standard to follow such as NIST. Then use those guidelines to create your policies throughout your network.
What is fun is that the government doesn't follow the NIST guidelines. Drives me nuts.
-
@kelly said in Thoughts on how I could improve my network security?:
@irj said in Thoughts on how I could improve my network security?:
@beta said in Thoughts on how I could improve my network security?:
I didn't want to start a whole new thread, so thought I would ask here: what are your password policies looking like nowadays in regards to length, complexity, change frequency, etc.?
The best thing to do is to pick a standard to follow such as NIST. Then use those guidelines to create your policies throughout your network.
What is fun is that the government doesn't follow the NIST guidelines. Drives me nuts.
What Framework do you follow?
-
@irj said in Thoughts on how I could improve my network security?:
@kelly said in Thoughts on how I could improve my network security?:
@irj said in Thoughts on how I could improve my network security?:
@beta said in Thoughts on how I could improve my network security?:
I didn't want to start a whole new thread, so thought I would ask here: what are your password policies looking like nowadays in regards to length, complexity, change frequency, etc.?
The best thing to do is to pick a standard to follow such as NIST. Then use those guidelines to create your policies throughout your network.
What is fun is that the government doesn't follow the NIST guidelines. Drives me nuts.
What Framework do you follow?
For passwords we have to follow various sets of guidance that are built on the password concepts of last decade, i.e. complexity is the greatest guarantor of security.
-
I just changed the policy at one client to be a minimum of 14 characters with no complexity and a 1 year change cycle.
I chose 14 as a minimum because that is the largest GPO would let me set it on a Server 2008 R2 based domain.
-
@jaredbusch said in Thoughts on how I could improve my network security?:
I just changed the policy at one client to be a minimum of 14 characters with no complexity and a 1 year change cycle.
I chose 14 as a minimum because that is the largest GPO would let me set it on a Server 2008 R2 based domain.
What would you have set it to if you weren't limited by 2008?
-
@beta said in Thoughts on how I could improve my network security?:
@jaredbusch said in Thoughts on how I could improve my network security?:
I just changed the policy at one client to be a minimum of 14 characters with no complexity and a 1 year change cycle.
I chose 14 as a minimum because that is the largest GPO would let me set it on a Server 2008 R2 based domain.
What would you have set it to if you weren't limited by 2008?
I like 20.
-
@scottalanmiller said in Thoughts on how I could improve my network security?:
@beta said in Thoughts on how I could improve my network security?:
@jaredbusch said in Thoughts on how I could improve my network security?:
I just changed the policy at one client to be a minimum of 14 characters with no complexity and a 1 year change cycle.
I chose 14 as a minimum because that is the largest GPO would let me set it on a Server 2008 R2 based domain.
What would you have set it to if you weren't limited by 2008?
I like 20.
I was going to set it to 16.
-
@kelly said in Thoughts on how I could improve my network security?:
@irj said in Thoughts on how I could improve my network security?:
@kelly said in Thoughts on how I could improve my network security?:
@irj said in Thoughts on how I could improve my network security?:
@beta said in Thoughts on how I could improve my network security?:
I didn't want to start a whole new thread, so thought I would ask here: what are your password policies looking like nowadays in regards to length, complexity, change frequency, etc.?
The best thing to do is to pick a standard to follow such as NIST. Then use those guidelines to create your policies throughout your network.
What is fun is that the government doesn't follow the NIST guidelines. Drives me nuts.
What Framework do you follow?
For passwords we have to follow various sets of guidance that are built on the password concepts of last decade, i.e. complexity is the greatest guarantor of security.
Those were known to be wrong in the last decade. That's not old knowledge, it's just universally insecure.
-
@beta said in Thoughts on how I could improve my network security?:
@jaredbusch said in Thoughts on how I could improve my network security?:
I just changed the policy at one client to be a minimum of 14 characters with no complexity and a 1 year change cycle.
I chose 14 as a minimum because that is the largest GPO would let me set it on a Server 2008 R2 based domain.
What would you have set it to if you weren't limited by 2008?
2008 R2 not 2008. There is a difference.
Related note: I will migrate their domain level to 2012 R2 in late 2018 or 2019 when they move Exchange off premise and can get rid of the rest of their 2008 R2 instances and thus their oldest servers will be 2012 R2 at that time.
-
@jaredbusch said in Thoughts on how I could improve my network security?:
I would do something along this line:
Get good basic firewalls with nice rules setup.
Setup Strongarm.io or Cisco Umbrella, I would choose the former. This would handle security via DNS as well as content filtering by DNS is you so choose.
Get a good log monitoring system like Arctic Wolf or AlienVault to alert you to anything abnormal.
Have you used Artic Wolf or AlienVault? How'd you like them?
-
AlienVault has a lot of fans. Seems to be the popular choice.
-
@scottalanmiller said in Thoughts on how I could improve my network security?:
If you DO decide to go UTM, avoid crap like ASA, SonicWall, Sophos etc. I heavily recommend Palo Alto or nothing. If you can't do it right, don't do it halfway with gear I'd not even be willing to deploy at home.
What's wrong with Sonicwall? We have that where I work..