Thoughts on how I could improve my network security?
- 
 @beta said in Thoughts on how I could improve my network security?: @jaredbusch said in Thoughts on how I could improve my network security?: I just changed the policy at one client to be a minimum of 14 characters with no complexity and a 1 year change cycle. I chose 14 as a minimum because that is the largest GPO would let me set it on a Server 2008 R2 based domain. What would you have set it to if you weren't limited by 2008? 2008 R2 not 2008. There is a difference. Related note: I will migrate their domain level to 2012 R2 in late 2018 or 2019 when they move Exchange off premise and can get rid of the rest of their 2008 R2 instances and thus their oldest servers will be 2012 R2 at that time. 
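 One way to check a domain against the policy Jared describes (14-character minimum, no complexity, one-year change cycle), as an added example that is not from the thread; it assumes the ActiveDirectory RSAT module on a domain-joined admin host and that the default domain policy is the one in effect (no fine-grained policies):

```powershell
# Added example: audit the default domain password policy against the
# values described in the thread. Not code from the thread's authors.
Import-Module ActiveDirectory

# Target values as stated in the post (constructed for this check).
$desired = @{
    MinPasswordLength = 14
    ComplexityEnabled = $false
    MaxPasswordAge    = New-TimeSpan -Days 365
}

# Read the policy currently applied to the domain of the logged-on user.
$current = Get-ADDefaultDomainPasswordPolicy

# Report only the settings that deviate from the desired values.
$findings = foreach ($name in $desired.Keys) {
    if ($current.$name -ne $desired[$name]) {
        [pscustomobject]@{
            Setting = $name
            Current = $current.$name
            Desired = $desired[$name]
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'Default domain password policy matches the desired values.'
}

# To apply the same values, drop -WhatIf once the dry run looks right.
# (The GPO editor cap Jared mentions does not stop this cmdlet from
#  reporting what it would set; the domain still enforces its own limits.)
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
    -MinPasswordLength 14 -ComplexityEnabled $false `
    -MaxPasswordAge (New-TimeSpan -Days 365) -WhatIf
```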
- 
 @jaredbusch said in Thoughts on how I could improve my network security?: I would do something along this line: Get good basic firewalls with nice rules set up. Set up Strongarm.io or Cisco Umbrella; I would choose the former. This would handle security via DNS as well as content filtering by DNS if you so choose. Get a good log monitoring system like Arctic Wolf or AlienVault to alert you to anything abnormal. Have you used Arctic Wolf or AlienVault? How'd you like them? 
- 
 AlienVault has a lot of fans. Seems to be the popular choice. 
- 
 @scottalanmiller said in Thoughts on how I could improve my network security?: If you DO decide to go UTM, avoid crap like ASA, SonicWall, Sophos etc. I heavily recommend Palo Alto or nothing. If you can't do it right, don't do it halfway with gear I'd not even be willing to deploy at home. What's wrong with SonicWall? We have that where I work. 
- 
 @dave247 said in Thoughts on how I could improve my network security?: @scottalanmiller said in Thoughts on how I could improve my network security?: If you DO decide to go UTM, avoid crap like ASA, SonicWall, Sophos etc. I heavily recommend Palo Alto or nothing. If you can't do it right, don't do it halfway with gear I'd not even be willing to deploy at home. What's wrong with SonicWall? We have that where I work. High cost, low quality, bad vendor. Reverse the question... what's good about them?
 - They are a UTM maker, something I think is generally fundamentally wrong as an approach.
 - They claim to be for security but have hidden configuration that isn't documented, a big no-no in security and IT.
 - They intentionally set defaults to break things for no reason, like SIP-ALG (SW is the #1 cause for VoIP issues.)
 - They are expensive, many times the cost of equipment I consider to be much better.
 - They essentially exist only, much like Meraki, to make sales people money. They are like Mary Kay or AmWay - no one buys them intentionally, they buy them from sales people to make them go away. They aren't good enough for people to go looking for them. But when the Girl Scouts come to your door, you feel bad and buy something small to make them leave. SonicWall is the cheapest thing you can buy from the vendors that sell them; it's a lot like unwanted Girl Scout cookies - you know they are expensive and unhealthy, but you feel you have to buy something.
- 
 @scottalanmiller said in Thoughts on how I could improve my network security?: @dave247 said in Thoughts on how I could improve my network security?: @scottalanmiller said in Thoughts on how I could improve my network security?: If you DO decide to go UTM, avoid crap like ASA, SonicWall, Sophos etc. I heavily recommend Palo Alto or nothing. If you can't do it right, don't do it halfway with gear I'd not even be willing to deploy at home. What's wrong with SonicWall? We have that where I work. High cost, low quality, bad vendor. Reverse the question... what's good about them?
 - They are a UTM maker, something I think is generally fundamentally wrong as an approach.
 - They claim to be for security but have hidden configuration that isn't documented, a big no-no in security and IT.
 - They intentionally set defaults to break things for no reason, like SIP-ALG (SW is the #1 cause for VoIP issues.)
 - They are expensive, many times the cost of equipment I consider to be much better.
 - They essentially exist only, much like Meraki, to make sales people money. They are like Mary Kay or AmWay - no one buys them intentionally, they buy them from sales people to make them go away. They aren't good enough for people to go looking for them. But when the Girl Scouts come to your door, you feel bad and buy something small to make them leave. SonicWall is the cheapest thing you can buy from the vendors that sell them; it's a lot like unwanted Girl Scout cookies - you know they are expensive and unhealthy, but you feel you have to buy something.
 
 - So that's really just your opinion then.
 - Can you elaborate on the "hidden configuration"?
 - I have our VoIP running through a zone on our NSA 3600 with no issues.
 - Seems like everything is "expensive", and what you consider better is a matter of opinion.
 - I understand getting ripped off by salespeople who push products that the buyer may not truly need, but we've made use of our SonicWall NSA 3600 quite a bit. It's been rock solid. And it's not like it's just a dinky system that's been cobbled together by the manufacturer just to sell as an extra piece of expensive crap. There's a lot of depth to it and it has a lot of good tools and features.
 
 I have our three ISP connections coming into the SonicWall with load-balancing. I also have wifi zones for corp and guest on their own VLAN. I have LAN and VPN zones (and others) which are carefully set up and segregated through firewall rules. There's a page to manage NAT policies. We make use of SSLVPN, Gateway A/V and anti-spyware, content filtering, IDS & IPS, and the GMS Analyzer, etc. I didn't choose this product as it was on site when I got my job here, but as I said, it's been completely solid. 
- 
 @scottalanmiller said in Thoughts on how I could improve my network security?: They are like Mary Kay LOL I liked that one 
- 
 @dave247 said in Thoughts on how I could improve my network security?: I have our three ISP connections coming into the SonicWall with load-balancing. I also have wifi zones for corp and guest on their own VLAN. I have LAN and VPN zones (and others) which are carefully set up and segregated through firewall rules. There's a page to manage NAT policies. We make use of SSLVPN, Gateway A/V and anti-spyware, content filtering, IDS & IPS, and the GMS Analyzer, etc. 
 I didn't choose this product as it was on site when I got my job here, but as I said, it's been completely solid. This is exactly how it is for me too. I personally haven't seen any of the negatives Scott is pointing out against SonicWall or IPS working on the edge firewall. If it degrades performance, I haven't experienced it. I do agree with him on all the aspects though and would not choose to implement a SonicWall or similar device if one wasn't already set up. 
- 
 In my case it's cheaper to keep it around than to buy and implement a whole new preferred solution. 
- 
 @tim_g said in Thoughts on how I could improve my network security?: @dave247 said in Thoughts on how I could improve my network security?: I have our three ISP connections coming into the SonicWall with load-balancing. I also have wifi zones for corp and guest on their own VLAN. I have LAN and VPN zones (and others) which are carefully set up and segregated through firewall rules. There's a page to manage NAT policies. We make use of SSLVPN, Gateway A/V and anti-spyware, content filtering, IDS & IPS, and the GMS Analyzer, etc. 
 I didn't choose this product as it was on site when I got my job here, but as I said, it's been completely solid. This is exactly how it is for me too. I personally haven't seen any of the negatives Scott is pointing out against SonicWall or IPS working on the edge firewall. If it degrades performance, I haven't experienced it. I do agree with him on all the aspects though and would not choose to implement a SonicWall or similar device if one wasn't already set up. What are some recommended alternatives? Is Scott (and supposed best practice) suggesting to spread all of these roles out to individual devices vs having everything in a single unit or something? 
- 
 @dave247 said in Thoughts on how I could improve my network security?: @tim_g said in Thoughts on how I could improve my network security?: @dave247 said in Thoughts on how I could improve my network security?: I have our three ISP connections coming into the SonicWall with load-balancing. I also have wifi zones for corp and guest on their own VLAN. I have LAN and VPN zones (and others) which are carefully set up and segregated through firewall rules. There's a page to manage NAT policies. We make use of SSLVPN, Gateway A/V and anti-spyware, content filtering, IDS & IPS, and the GMS Analyzer, etc. 
 I didn't choose this product as it was on site when I got my job here, but as I said, it's been completely solid. This is exactly how it is for me too. I personally haven't seen any of the negatives Scott is pointing out against SonicWall or IPS working on the edge firewall. If it degrades performance, I haven't experienced it. I do agree with him on all the aspects though and would not choose to implement a SonicWall or similar device if one wasn't already set up. What are some recommended alternatives? Is Scott (and supposed best practice) suggesting to spread all of these roles out to individual devices vs having everything in a single unit or something? Why would they be "devices"? What's the benefit to having hardware appliances for every application in a business? They should be treated like any other enterprise application - individual VMs. There are standard patterns here that are widely known and accepted. The issue, I think, is that people start hearing the marketing spiel on this stuff and start forgetting that network AV scanning, IDS, web proxies, etc. are "just another application" and that best practices have always existed for them. Best practices for applications include virtualization and separation. What I'm suggesting isn't weird here; it's having them on appliances or mashed together on the same OS that breaks the standard approach. You wouldn't treat your database or even your website this way, so why your security system? 
- 
 @scottalanmiller said in Thoughts on how I could improve my network security?: @dave247 said in Thoughts on how I could improve my network security?: @tim_g said in Thoughts on how I could improve my network security?: @dave247 said in Thoughts on how I could improve my network security?: I have our three ISP connections coming into the SonicWall with load-balancing. I also have wifi zones for corp and guest on their own VLAN. I have LAN and VPN zones (and others) which are carefully set up and segregated through firewall rules. There's a page to manage NAT policies. We make use of SSLVPN, Gateway A/V and anti-spyware, content filtering, IDS & IPS, and the GMS Analyzer, etc. 
 I didn't choose this product as it was on site when I got my job here, but as I said, it's been completely solid. This is exactly how it is for me too. I personally haven't seen any of the negatives Scott is pointing out against SonicWall or IPS working on the edge firewall. If it degrades performance, I haven't experienced it. I do agree with him on all the aspects though and would not choose to implement a SonicWall or similar device if one wasn't already set up. What are some recommended alternatives? Is Scott (and supposed best practice) suggesting to spread all of these roles out to individual devices vs having everything in a single unit or something? Why would they be "devices"? What's the benefit to having hardware appliances for every application in a business? They should be treated like any other enterprise application - individual VMs. There are standard patterns here that are widely known and accepted. The issue, I think, is that people start hearing the marketing spiel on this stuff and start forgetting that network AV scanning, IDS, web proxies, etc. are "just another application" and that best practices have always existed for them. Best practices for applications include virtualization and separation. What I'm suggesting isn't weird here; it's having them on appliances or mashed together on the same OS that breaks the standard approach. You wouldn't treat your database or even your website this way, so why your security system? By devices, I meant having the router and firewall on separate devices. Are you seriously suggesting I have a router and a firewall as a VM? I understand having a web proxy, IDS and AV scanning on virtual machines, but if everything can be integrated into one system and it has enough computing resources to work well, then what's the problem with that? Also, for what it's worth, the SonicWall's GMS Analyzer is on a separate virtual machine. 
- 
 @dave247 said in Thoughts on how I could improve my network security?: By devices, I meant having the router and firewall on separate devices. Are you seriously suggesting I have a router and a firewall as a VM? I feel like you've missed everything I've ever said. First of all, UTM never means Firewall. Those are two different things. Second, a router is always a firewall; the two are always the same thing, and have been for decades. The idea that you even CAN separate the router and firewall is silly; while it's possible, no separate devices have been on the market since the late 1990s. Third, never once ever have I suggested anything but a physical appliance for the firewall. Ever. Where did you get the impression that I ever said anything of the sort? 
- 
 @dave247 said in Thoughts on how I could improve my network security?: I understand having a web proxy, IDS and AV scanning on virtual machines, but if everything can be integrated into one system and it has enough computing resources to work well, then what's the problem with that? Everything is the problem with it. It goes against everything we learn in IT about good practices. Why do we put databases, applications, monitoring, logging, and Active Directory on different VMs when we could mash them all into one VM? Why are you treating your network security like it's a desktop or hobby class device and are willing to smash all kinds of applications together onto the network appliance, when you'd never consider anything of the sort with even relatively trivial production applications? Why is security and networking so often considered to be of trivial importance compared to everything else on the network? The real question is... given best practices and broad application of rules that apply on every production workload, why do you consider the applications on your router to be the exception to the rule rather than one of the most important examples of it? 
- 
 @scottalanmiller said in Thoughts on how I could improve my network security?: @dave247 said in Thoughts on how I could improve my network security?: By devices, I meant having the router and firewall on separate devices. Are you seriously suggesting I have a router and a firewall as a VM? I feel like you've missed everything I've ever said. First of all, UTM never means Firewall. Those are two different things. Second, a router is always a firewall; the two are always the same thing, and have been for decades. The idea that you even CAN separate the router and firewall is silly; while it's possible, no separate devices have been on the market since the late 1990s. Third, never once ever have I suggested anything but a physical appliance for the firewall. Ever. Where did you get the impression that I ever said anything of the sort? I didn't miss what you said, but you frame things in such a way that comes off more arrogant than helpful. I may not know a lot, but I know enough to know that a firewall and a router are not the same thing. Sure, they are pretty much always packaged together in the same product, but they are two different individual functions. And I get that there is some overlap, as routers can have ACLs and firewalls can set static routes, but that doesn't mean they are the same thing. 
- 
 @scottalanmiller said in Thoughts on how I could improve my network security?: @dave247 said in Thoughts on how I could improve my network security?: I understand having a web proxy, IDS and AV scanning on virtual machines, but if everything can be integrated into one system and it has enough computing resources to work well, then what's the problem with that? Everything is the problem with it. It goes against everything we learn in IT about good practices. Why do we put databases, applications, monitoring, logging, and Active Directory on different VMs when we could mash them all into one VM? Why are you treating your network security like it's a desktop or hobby class device and are willing to smash all kinds of applications together onto the network appliance, when you'd never consider anything of the sort with even relatively trivial production applications? Why is security and networking so often considered to be of trivial importance compared to everything else on the network? The real question is... given best practices and broad application of rules that apply on every production workload, why do you consider the applications on your router to be the exception to the rule rather than one of the most important examples of it? This just seems like another vague attempt to prop up your opinion again. Again, our 3600 does a really good job even though all those features are "mashed" in the same system. 
- 
 @dave247 said in Thoughts on how I could improve my network security?: @scottalanmiller said in Thoughts on how I could improve my network security?: @dave247 said in Thoughts on how I could improve my network security?: By devices, I meant having the router and firewall on separate devices. Are you seriously suggesting I have a router and a firewall as a VM? I feel like you've missed everything I've ever said. First of all, UTM never means Firewall. Those are two different things. Second, a router is always a firewall; the two are always the same thing, and have been for decades. The idea that you even CAN separate the router and firewall is silly; while it's possible, no separate devices have been on the market since the late 1990s. Third, never once ever have I suggested anything but a physical appliance for the firewall. Ever. Where did you get the impression that I ever said anything of the sort? I didn't miss what you said, but you frame things in such a way that comes off more arrogant than helpful. I may not know a lot, but I know enough to know that a firewall and a router are not the same thing. Sure, they are pretty much always packaged together in the same product, but they are two different individual functions. And I get that there is some overlap, as routers can have ACLs and firewalls can set static routes, but that doesn't mean they are the same thing. Not quite. A router with ACLs is a firewall. A firewall with routing is a router. In theory, but only in theory, you can make a router without ACLs, but no one has done so in decades. In theory you can make a non-routing firewall (it's called a bridging firewall), but in reality, again, none has been made that doesn't have the router function. Bottom line is that router and firewall are literally the same thing for all possible use cases. The two things are just functions of routers. All routers are firewalls, all firewalls are routers. The two cannot, for all intents and purposes, be separated. 
 This is very important, because firewall means router, but UTM doesn't mean firewall. So understanding this is key to understanding what I said. If you associate the wrong terms together, it will sound like I said what it seems like you reacted to. 
- 
 @dave247 said in Thoughts on how I could improve my network security?: This just seems like another vague attempt to prop up your opinion again. Again, our 3600 does a really good job even though all those features are "mashed" in the same system. Loads and loads of people swear by Microsoft's SBS server, too. It "does a good job" until you realize that it generally costs too much and introduces risk. Remember that your current UTM "does a good job for you" cannot be used as an indicator of whether it is a good idea. That's not how risk assessment ever can work. That's the "look mom, no seatbelt" problem. The problem with security and risk is that things always seem great until something goes wrong. And often when things go wrong, you don't actually know (the nature of security - a good breach you will never know about.) It's just like Russian roulette: five out of six players think it is a perfectly safe game. Can MS SBS server or a UTM do the job? Yes. Are they a good design, or able to do the job as well as a better system design, or do they follow industry best practices? No, of course not. None of this is vague or me propping up my "opinion"; this has been an industry standard practice for decades, taught by everyone in the administration space. The idea of separating services for reliability and control has been a core tenet of basic administration education since long before I was in IT, which is a very long time. 
- 
 @dave247 said in Thoughts on how I could improve my network security?: @scottalanmiller said in Thoughts on how I could improve my network security?: @dave247 said in Thoughts on how I could improve my network security?: By devices, I meant having the router and firewall on separate devices. Are you seriously suggesting I have a router and a firewall as a VM? I feel like you've missed everything I've ever said. First of all, UTM never means Firewall. Those are two different things. Second, a router is always a firewall; the two are always the same thing, and have been for decades. The idea that you even CAN separate the router and firewall is silly; while it's possible, no separate devices have been on the market since the late 1990s. Third, never once ever have I suggested anything but a physical appliance for the firewall. Ever. Where did you get the impression that I ever said anything of the sort? I didn't miss what you said, but you frame things in such a way that comes off more arrogant than helpful. If you didn't, then why did you respond to something so totally backwards from what I had said? What is the above responding to? 
- 
 But, like all things of this nature, I've presented my side as to "why" keep firewalls and the things considered "UTM functions" in separate places. Now, some feel the opposite. For those that want to say that UTMs (putting lots of applications together onto the router/firewall box) are better than the normal industry standard practice of keeping applications isolated, please present your reasons for wanting that. I've presented solid reasons, that you might not agree with, for why I'd follow industry best practice here. I don't remember anyone saying why they'd do the opposite, only questioning why I'd not do it, which isn't the same as presenting a reason. So I'm asking... what are the reasons for going against the grain in this one case? There are exceptions to most every rule, but I've not seen anyone anywhere ever present an argument for UTMs, only that they'd use them despite the reasons against them. 