Thoughts on how I could improve my network security?
-
Hey folks, I posted over at SW, thought I might as well post here too.
I've got an unforeseen $15k or so (maybe a little more) from an unexpected grant that we need to spend on IT before the end of the year. I think it would be wise to invest towards our network and security. One of my biggest annoyances with our current environment is I really don't have a lot of visibility into our network traffic. I was thinking of investing in a new firewall appliance that can do layer 7 inspection and would also be a UTM with IDS/IPS built-in.
My current environment has an ASA 5512-x at the perimeter with a separate interface for a DMZ segment that hosts a web server used by our business partners. Behind another interface of the ASA is our Cisco 2901 router which routes our internal VLANs (data, voice, telemetry, etc.). Our switches our Cisco 2960 switches. The ASA is configured to block most incoming traffic except a few select ports and I have outbound ports restricted as well to common services like HTTP/S, NTP, DNS, etc. Of course we employ antivirus and antimalware to each endpoint on the corporate LAN. We also use SRP whitelisting and follow best practices of not allowing users administrator rights.
I believe I can buy Firepower services to add to our ASA, but I wasn't sure how well this work as I know Cisco bought Sourcefire and kinda cobbled them together on their ASA platform. Also the 5512-x is already end of sale so I thought maybe it would be a good time to just upgrade the whole box.
We have about 90 users/computers at HQ and 3 users/computers at 2 branch sites we have connected via VPN. Internet pipe at HQ is 50/50.
I think my second priority would be some kind of SIEM to centralize logging and easily correlate events, but I think I should probably start with looking at some UTM or IDS/IPS first? Any thoughts on what you would look at in a similar situation or what you would recommend?
-
I'm not a fan of UTMs, and neither is Jared. Both of us share the idea that mashing lots of functions into your router is a bad idea. A normal firewall is insanely simple and just access controls on routing, which is fine. But UTM functions do not below in the router. They are intensive, need totally different types of maintenance, and use very different profiles. If you want UTM-like functionality, I would essentially always put it on a VM and send traffic to it from the router, not have the router itself do that work.
-
If you DO decide to go UTM, avoid crap like ASA, SonicWall, Sophos etc. I heavily recommend Palo Alto or nothing. If you can't do it right, don't do it halfway with gear I'd not even be willing to deploy at home.
-
Before looking at UTM, I'd be 100% sure that my AV infrastructure was 100% where I wanted it to be with zero issues, good central control and monitoring and so forth. UTM, as we had just discussed in another thread, is LAN based security breaking modern netowrk models and puts you at huge risk of people thinking that it excuses them from other good security practices. It can be the thing that makes people allow insecurity to creep into the network. So be very careful how you approach it.
-
-
@scottalanmiller said in Thoughts on how I could improve my network security?:
If you DO decide to go UTM, avoid crap like ASA, SonicWall, Sophos etc. I heavily recommend Palo Alto or nothing. If you can't do it right, don't do it halfway with gear I'd not even be willing to deploy at home.
Palo Alto is what I was thinking for sure. Glad to hear that's what you recommend
-
@beta said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
If you DO decide to go UTM, avoid crap like ASA, SonicWall, Sophos etc. I heavily recommend Palo Alto or nothing. If you can't do it right, don't do it halfway with gear I'd not even be willing to deploy at home.
Palo Alto is what I was thinking for sure. Glad to hear that's what you recommend
They are the best in the business. If you can afford them, though. Not cheap stuff.
-
I feel good about our AV as it offers central control and monitoring (cloud based so I even have our remote users constantly monitored and receiving the same policy updates and configurations).
I think my biggest concern is visibility and IDS/IPS. You'd recommend virtualizing those functions instead of using an appliance that also acts as the firewall? Any particular products you recommend?
-
@beta said in Thoughts on how I could improve my network security?:
I feel good about our AV as it offers central control and monitoring (cloud based so I even have our remote users constantly monitored and receiving the same policy updates and configurations).
That's basically the minimum bar to even say that you have AV
-
@beta said in Thoughts on how I could improve my network security?:
I think my biggest concern is visibility and IDS/IPS. You'd recommend virtualizing those functions instead of using an appliance that also acts as the firewall? Any particular products you recommend?
Correct. Firewall for firewall, VMs for server functions. Still Palo Alto, of course, just their software products, not their appliances.
-
-
@beta said in Thoughts on how I could improve my network security?:
I think my biggest concern is visibility and IDS/IPS.
Do you really need this? Not that it can't be a good thing, but what are you really trying to protect?
-
@dashrender said in Thoughts on how I could improve my network security?:
@beta said in Thoughts on how I could improve my network security?:
I think my biggest concern is visibility and IDS/IPS.
Do you really need this? Not that it can't be a good thing, but what are you really trying to protect?
That's always the real question. I get that there is money to spend, use it or lose it, but still evaluating the real risk and concern is important. What's the itch that is attempting to be scratched?
-
Aren't the ASA's retired also? Sounds like you should buy a bunch of new Edge gear to update your network. I'd possibly spend the rest on a new server that you can use as an awesome virtual lab.
-
@dashrender said in Thoughts on how I could improve my network security?:
Aren't the ASA's retired also? Sounds like you should buy a bunch of new Edge gear to update your network. I'd possibly spend the rest on a new server that you can use as an awesome virtual lab.
I'd agree there. Cisco ASA were pretty craptastic even when they were new and supported. Start with getting a solid foundation of good gear. That won't use up much of the budget, but it will fix key problems instead of ignoring big issues to get fun toys. Worry about the toys after the core issues are resolved.
-
I'd also suggest if you're looking at Intrusion stuff, go with an IPS that can actually block attacks.
Alienvault makes a good SIEM.
-
Use it or lose it money is always tough. I agree on new firewalls. But beyond that, it's really hard to say. What kinds of things are you allowed to spend money on?
-
I would do something along this line:
Get good basic firewalls with nice rules setup.
Setup Strongarm.io or Cisco Umbrella, I would choose the former. This would handle security via DNS as well as content filtering by DNS is you so choose.
Get a good log monitoring system like Arctic Wolf or AlienVault to alert you to anything abnormal.
-
I agree, good stuff.
-
@dashrender said in Thoughts on how I could improve my network security?:
Aren't the ASA's retired also? Sounds like you should buy a bunch of new Edge gear to update your network. I'd possibly spend the rest on a new server that you can use as an awesome virtual lab.
I believe that they are.
