Thoughts on how I could improve my network security?

Dashrender

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@dafyre said in Thoughts on how I could improve my network security?:

Some folks prefer the simplicity of having one throat to choke -- especially in the SMB world. Having run both ends of the spectrum -- that is managing a network with a UTM, vs a separate Firewall and UTM appliance, I can safely say that I prefer to keep them separated.

I saw better Network throughput and performance when keeping the various UTM functions separated out. My worst experience was with Fortinet as a UTM. Enabling IDS / IPS on this device would kill our internet almost immediately.

My best experience with a Non-UTM setup was Smoothwall. We had a Firewall, an IDS, and a Reporting box (three separate devices). Even with the IDS enabled, our internet speeds didn't take a hit.

Sure, but what is the likely reason that internet was so badly affected by you enabling IDS? I'm guessing it was underpowered hardware. Granted this is frequently the case with UTMs.

That's a common problem, for sure. Almost everyone I have spoken with that has used UTMs found them to create big time bottlenecks. Of course, this is cause by improperly sizing the UTM, but it happens all the time. I presume because of the magic black box effect - they trust that the vendor will make it able to handle the assumed workload at wire speed.

This is not an unreasonable expectation. Sadly the vendors have proven that they just don't care about their customers and provide hardware that's not up to the task.

scottalanmiller

@dashrender said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@dafyre said in Thoughts on how I could improve my network security?:

Some folks prefer the simplicity of having one throat to choke -- especially in the SMB world. Having run both ends of the spectrum -- that is managing a network with a UTM, vs a separate Firewall and UTM appliance, I can safely say that I prefer to keep them separated.

I saw better Network throughput and performance when keeping the various UTM functions separated out. My worst experience was with Fortinet as a UTM. Enabling IDS / IPS on this device would kill our internet almost immediately.

My best experience with a Non-UTM setup was Smoothwall. We had a Firewall, an IDS, and a Reporting box (three separate devices). Even with the IDS enabled, our internet speeds didn't take a hit.

Sure, but what is the likely reason that internet was so badly affected by you enabling IDS? I'm guessing it was underpowered hardware. Granted this is frequently the case with UTMs.

That's a common problem, for sure. Almost everyone I have spoken with that has used UTMs found them to create big time bottlenecks. Of course, this is cause by improperly sizing the UTM, but it happens all the time. I presume because of the magic black box effect - they trust that the vendor will make it able to handle the assumed workload at wire speed.

This is not an unreasonable expectation. Sadly the vendors have proven that they just don't care about their customers and provide hardware that's not up to the task.

Which is kind of the general nature of a UTM. The starting point here is a device that generally is sold on a basis of misdirection. There are use cases for a UTM, like at a branch office that needs those features but has no server whatsoever. It's not that the product category should not exist at all, but it should be an insanely rare and limited use product. Instead, it is sold as a panacea for those that want security to be a checkbox rather than having to evaluate and properly handle their needs. So that you have vendors making products and marketing products specifically around taking advantage of customers rather than meeting their needs, it follows that other aspects like sizing or configuration might not get much attention to customer needs as well.

Dashrender

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@dafyre said in Thoughts on how I could improve my network security?:

Some folks prefer the simplicity of having one throat to choke -- especially in the SMB world. Having run both ends of the spectrum -- that is managing a network with a UTM, vs a separate Firewall and UTM appliance, I can safely say that I prefer to keep them separated.

I saw better Network throughput and performance when keeping the various UTM functions separated out. My worst experience was with Fortinet as a UTM. Enabling IDS / IPS on this device would kill our internet almost immediately.

My best experience with a Non-UTM setup was Smoothwall. We had a Firewall, an IDS, and a Reporting box (three separate devices). Even with the IDS enabled, our internet speeds didn't take a hit.

Sure, but what is the likely reason that internet was so badly affected by you enabling IDS? I'm guessing it was underpowered hardware. Granted this is frequently the case with UTMs.

That's a common problem, for sure. Almost everyone I have spoken with that has used UTMs found them to create big time bottlenecks. Of course, this is cause by improperly sizing the UTM, but it happens all the time. I presume because of the magic black box effect - they trust that the vendor will make it able to handle the assumed workload at wire speed.

This is not an unreasonable expectation. Sadly the vendors have proven that they just don't care about their customers and provide hardware that's not up to the task.

Which is kind of the general nature of a UTM. The starting point here is a device that generally is sold on a basis of misdirection. There are use cases for a UTM, like at a branch office that needs those features but has no server whatsoever. It's not that the product category should not exist at all, but it should be an insanely rare and limited use product. Instead, it is sold as a panacea for those that want security to be a checkbox rather than having to evaluate and properly handle their needs. So that you have vendors making products and marketing products specifically around taking advantage of customers rather than meeting their needs, it follows that other aspects like sizing or configuration might not get much attention to customer needs as well.

I get what you're you're saying.. but the costs to an SMB for the research side alone could out weight the cost of the solution. Assuming you hired NTG to research options for you, that would easily be $500 just in research. Assuming you don't have a server, nor a need for a server, when you look at something like a SonicWall at $2000 for 3 years worth of updates, that's 25% of that cost.

I'm not saying there aren't times when it's needed, but as you point out, it's about business decisions.

Obsolesce

@dashrender said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@dafyre said in Thoughts on how I could improve my network security?:

Some folks prefer the simplicity of having one throat to choke -- especially in the SMB world. Having run both ends of the spectrum -- that is managing a network with a UTM, vs a separate Firewall and UTM appliance, I can safely say that I prefer to keep them separated.

I saw better Network throughput and performance when keeping the various UTM functions separated out. My worst experience was with Fortinet as a UTM. Enabling IDS / IPS on this device would kill our internet almost immediately.

My best experience with a Non-UTM setup was Smoothwall. We had a Firewall, an IDS, and a Reporting box (three separate devices). Even with the IDS enabled, our internet speeds didn't take a hit.

Sure, but what is the likely reason that internet was so badly affected by you enabling IDS? I'm guessing it was underpowered hardware. Granted this is frequently the case with UTMs.

That's a common problem, for sure. Almost everyone I have spoken with that has used UTMs found them to create big time bottlenecks. Of course, this is cause by improperly sizing the UTM, but it happens all the time. I presume because of the magic black box effect - they trust that the vendor will make it able to handle the assumed workload at wire speed.

This is not an unreasonable expectation. Sadly the vendors have proven that they just don't care about their customers and provide hardware that's not up to the task.

Which is kind of the general nature of a UTM. The starting point here is a device that generally is sold on a basis of misdirection. There are use cases for a UTM, like at a branch office that needs those features but has no server whatsoever. It's not that the product category should not exist at all, but it should be an insanely rare and limited use product. Instead, it is sold as a panacea for those that want security to be a checkbox rather than having to evaluate and properly handle their needs. So that you have vendors making products and marketing products specifically around taking advantage of customers rather than meeting their needs, it follows that other aspects like sizing or configuration might not get much attention to customer needs as well.

I get what you're you're saying.. but the costs to an SMB for the research side alone could out weight the cost of the solution. Assuming you hired NTG to research options for you, that would easily be $500 just in research. Assuming you don't have a server, nor a need for a server, when you look at something like a SonicWall at $2000 for 3 years worth of updates, that's 25% of that cost.

I'm not saying there aren't times when it's needed, but as you point out, it's about business decisions.

Sadly this is what it comes down to a lot.

Dashrender

@tim_g said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@dafyre said in Thoughts on how I could improve my network security?:

Some folks prefer the simplicity of having one throat to choke -- especially in the SMB world. Having run both ends of the spectrum -- that is managing a network with a UTM, vs a separate Firewall and UTM appliance, I can safely say that I prefer to keep them separated.

I saw better Network throughput and performance when keeping the various UTM functions separated out. My worst experience was with Fortinet as a UTM. Enabling IDS / IPS on this device would kill our internet almost immediately.

My best experience with a Non-UTM setup was Smoothwall. We had a Firewall, an IDS, and a Reporting box (three separate devices). Even with the IDS enabled, our internet speeds didn't take a hit.

Sure, but what is the likely reason that internet was so badly affected by you enabling IDS? I'm guessing it was underpowered hardware. Granted this is frequently the case with UTMs.

That's a common problem, for sure. Almost everyone I have spoken with that has used UTMs found them to create big time bottlenecks. Of course, this is cause by improperly sizing the UTM, but it happens all the time. I presume because of the magic black box effect - they trust that the vendor will make it able to handle the assumed workload at wire speed.

This is not an unreasonable expectation. Sadly the vendors have proven that they just don't care about their customers and provide hardware that's not up to the task.

Which is kind of the general nature of a UTM. The starting point here is a device that generally is sold on a basis of misdirection. There are use cases for a UTM, like at a branch office that needs those features but has no server whatsoever. It's not that the product category should not exist at all, but it should be an insanely rare and limited use product. Instead, it is sold as a panacea for those that want security to be a checkbox rather than having to evaluate and properly handle their needs. So that you have vendors making products and marketing products specifically around taking advantage of customers rather than meeting their needs, it follows that other aspects like sizing or configuration might not get much attention to customer needs as well.

I get what you're you're saying.. but the costs to an SMB for the research side alone could out weight the cost of the solution. Assuming you hired NTG to research options for you, that would easily be $500 just in research. Assuming you don't have a server, nor a need for a server, when you look at something like a SonicWall at $2000 for 3 years worth of updates, that's 25% of that cost.

I'm not saying there aren't times when it's needed, but as you point out, it's about business decisions.

Sadly this is what it comes down to a lot.

What's worse, is you often have no clue what the research time is going to cost. If NTG, in this case, just did the same or similar research for someone else, you might get lucky and ride the coat tails of that time, but it's every bit as likely that the vendor will simply charge you the same that they charged the previous customer.

scottalanmiller

@dashrender said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@dafyre said in Thoughts on how I could improve my network security?:

Some folks prefer the simplicity of having one throat to choke -- especially in the SMB world. Having run both ends of the spectrum -- that is managing a network with a UTM, vs a separate Firewall and UTM appliance, I can safely say that I prefer to keep them separated.

I saw better Network throughput and performance when keeping the various UTM functions separated out. My worst experience was with Fortinet as a UTM. Enabling IDS / IPS on this device would kill our internet almost immediately.

My best experience with a Non-UTM setup was Smoothwall. We had a Firewall, an IDS, and a Reporting box (three separate devices). Even with the IDS enabled, our internet speeds didn't take a hit.

Sure, but what is the likely reason that internet was so badly affected by you enabling IDS? I'm guessing it was underpowered hardware. Granted this is frequently the case with UTMs.

That's a common problem, for sure. Almost everyone I have spoken with that has used UTMs found them to create big time bottlenecks. Of course, this is cause by improperly sizing the UTM, but it happens all the time. I presume because of the magic black box effect - they trust that the vendor will make it able to handle the assumed workload at wire speed.

This is not an unreasonable expectation. Sadly the vendors have proven that they just don't care about their customers and provide hardware that's not up to the task.

Which is kind of the general nature of a UTM. The starting point here is a device that generally is sold on a basis of misdirection. There are use cases for a UTM, like at a branch office that needs those features but has no server whatsoever. It's not that the product category should not exist at all, but it should be an insanely rare and limited use product. Instead, it is sold as a panacea for those that want security to be a checkbox rather than having to evaluate and properly handle their needs. So that you have vendors making products and marketing products specifically around taking advantage of customers rather than meeting their needs, it follows that other aspects like sizing or configuration might not get much attention to customer needs as well.

I get what you're you're saying.. but the costs to an SMB for the research side alone could out weight the cost of the solution. Assuming you hired NTG to research options for you, that would easily be $500 just in research. Assuming you don't have a server, nor a need for a server, when you look at something like a SonicWall at $2000 for 3 years worth of updates, that's 25% of that cost.

I'm not saying there aren't times when it's needed, but as you point out, it's about business decisions.

That’s a decent theory. But in the real world is not even remotely the case. The cost of research or “knowing the market” is trivially small and the oversell from vendors is insanely large.

You can see with the SonicWall, you’d save thousands knowing to not buy that one thing.

scottalanmiller

@dashrender said in Thoughts on how I could improve my network security?:

@tim_g said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@dafyre said in Thoughts on how I could improve my network security?:

Some folks prefer the simplicity of having one throat to choke -- especially in the SMB world. Having run both ends of the spectrum -- that is managing a network with a UTM, vs a separate Firewall and UTM appliance, I can safely say that I prefer to keep them separated.

I saw better Network throughput and performance when keeping the various UTM functions separated out. My worst experience was with Fortinet as a UTM. Enabling IDS / IPS on this device would kill our internet almost immediately.

My best experience with a Non-UTM setup was Smoothwall. We had a Firewall, an IDS, and a Reporting box (three separate devices). Even with the IDS enabled, our internet speeds didn't take a hit.

Sure, but what is the likely reason that internet was so badly affected by you enabling IDS? I'm guessing it was underpowered hardware. Granted this is frequently the case with UTMs.

That's a common problem, for sure. Almost everyone I have spoken with that has used UTMs found them to create big time bottlenecks. Of course, this is cause by improperly sizing the UTM, but it happens all the time. I presume because of the magic black box effect - they trust that the vendor will make it able to handle the assumed workload at wire speed.

This is not an unreasonable expectation. Sadly the vendors have proven that they just don't care about their customers and provide hardware that's not up to the task.

Which is kind of the general nature of a UTM. The starting point here is a device that generally is sold on a basis of misdirection. There are use cases for a UTM, like at a branch office that needs those features but has no server whatsoever. It's not that the product category should not exist at all, but it should be an insanely rare and limited use product. Instead, it is sold as a panacea for those that want security to be a checkbox rather than having to evaluate and properly handle their needs. So that you have vendors making products and marketing products specifically around taking advantage of customers rather than meeting their needs, it follows that other aspects like sizing or configuration might not get much attention to customer needs as well.

I get what you're you're saying.. but the costs to an SMB for the research side alone could out weight the cost of the solution. Assuming you hired NTG to research options for you, that would easily be $500 just in research. Assuming you don't have a server, nor a need for a server, when you look at something like a SonicWall at $2000 for 3 years worth of updates, that's 25% of that cost.

I'm not saying there aren't times when it's needed, but as you point out, it's about business decisions.

Sadly this is what it comes down to a lot.

What's worse, is you often have no clue what the research time is going to cost. If NTG, in this case, just did the same or similar research for someone else, you might get lucky and ride the coat tails of that time, but it's every bit as likely that the vendor will simply charge you the same that they charged the previous customer.

In reality, research time approaches zero. Just knowing the market and best practices means you pretty know good answers in seconds.

Obsolesce

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@tim_g said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@dafyre said in Thoughts on how I could improve my network security?:

Some folks prefer the simplicity of having one throat to choke -- especially in the SMB world. Having run both ends of the spectrum -- that is managing a network with a UTM, vs a separate Firewall and UTM appliance, I can safely say that I prefer to keep them separated.

I saw better Network throughput and performance when keeping the various UTM functions separated out. My worst experience was with Fortinet as a UTM. Enabling IDS / IPS on this device would kill our internet almost immediately.

My best experience with a Non-UTM setup was Smoothwall. We had a Firewall, an IDS, and a Reporting box (three separate devices). Even with the IDS enabled, our internet speeds didn't take a hit.

Sure, but what is the likely reason that internet was so badly affected by you enabling IDS? I'm guessing it was underpowered hardware. Granted this is frequently the case with UTMs.

That's a common problem, for sure. Almost everyone I have spoken with that has used UTMs found them to create big time bottlenecks. Of course, this is cause by improperly sizing the UTM, but it happens all the time. I presume because of the magic black box effect - they trust that the vendor will make it able to handle the assumed workload at wire speed.

This is not an unreasonable expectation. Sadly the vendors have proven that they just don't care about their customers and provide hardware that's not up to the task.

Which is kind of the general nature of a UTM. The starting point here is a device that generally is sold on a basis of misdirection. There are use cases for a UTM, like at a branch office that needs those features but has no server whatsoever. It's not that the product category should not exist at all, but it should be an insanely rare and limited use product. Instead, it is sold as a panacea for those that want security to be a checkbox rather than having to evaluate and properly handle their needs. So that you have vendors making products and marketing products specifically around taking advantage of customers rather than meeting their needs, it follows that other aspects like sizing or configuration might not get much attention to customer needs as well.

I get what you're you're saying.. but the costs to an SMB for the research side alone could out weight the cost of the solution. Assuming you hired NTG to research options for you, that would easily be $500 just in research. Assuming you don't have a server, nor a need for a server, when you look at something like a SonicWall at $2000 for 3 years worth of updates, that's 25% of that cost.

I'm not saying there aren't times when it's needed, but as you point out, it's about business decisions.

Sadly this is what it comes down to a lot.

What's worse, is you often have no clue what the research time is going to cost. If NTG, in this case, just did the same or similar research for someone else, you might get lucky and ride the coat tails of that time, but it's every bit as likely that the vendor will simply charge you the same that they charged the previous customer.

In reality, research time approaches zero. Just knowing the market and best practices means you pretty know good answers in seconds.

He's talking about a place who doesn't already know the answer, which is why they'd go with a SonicWALL for example.

scottalanmiller

@tim_g said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@tim_g said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@dafyre said in Thoughts on how I could improve my network security?:

Some folks prefer the simplicity of having one throat to choke -- especially in the SMB world. Having run both ends of the spectrum -- that is managing a network with a UTM, vs a separate Firewall and UTM appliance, I can safely say that I prefer to keep them separated.

I saw better Network throughput and performance when keeping the various UTM functions separated out. My worst experience was with Fortinet as a UTM. Enabling IDS / IPS on this device would kill our internet almost immediately.

My best experience with a Non-UTM setup was Smoothwall. We had a Firewall, an IDS, and a Reporting box (three separate devices). Even with the IDS enabled, our internet speeds didn't take a hit.

Sure, but what is the likely reason that internet was so badly affected by you enabling IDS? I'm guessing it was underpowered hardware. Granted this is frequently the case with UTMs.

That's a common problem, for sure. Almost everyone I have spoken with that has used UTMs found them to create big time bottlenecks. Of course, this is cause by improperly sizing the UTM, but it happens all the time. I presume because of the magic black box effect - they trust that the vendor will make it able to handle the assumed workload at wire speed.

This is not an unreasonable expectation. Sadly the vendors have proven that they just don't care about their customers and provide hardware that's not up to the task.

Which is kind of the general nature of a UTM. The starting point here is a device that generally is sold on a basis of misdirection. There are use cases for a UTM, like at a branch office that needs those features but has no server whatsoever. It's not that the product category should not exist at all, but it should be an insanely rare and limited use product. Instead, it is sold as a panacea for those that want security to be a checkbox rather than having to evaluate and properly handle their needs. So that you have vendors making products and marketing products specifically around taking advantage of customers rather than meeting their needs, it follows that other aspects like sizing or configuration might not get much attention to customer needs as well.

I get what you're you're saying.. but the costs to an SMB for the research side alone could out weight the cost of the solution. Assuming you hired NTG to research options for you, that would easily be $500 just in research. Assuming you don't have a server, nor a need for a server, when you look at something like a SonicWall at $2000 for 3 years worth of updates, that's 25% of that cost.

I'm not saying there aren't times when it's needed, but as you point out, it's about business decisions.

Sadly this is what it comes down to a lot.

What's worse, is you often have no clue what the research time is going to cost. If NTG, in this case, just did the same or similar research for someone else, you might get lucky and ride the coat tails of that time, but it's every bit as likely that the vendor will simply charge you the same that they charged the previous customer.

In reality, research time approaches zero. Just knowing the market and best practices means you pretty know good answers in seconds.

He's talking about a place who doesn't already know the answer, which is why they'd go with a SonicWALL for example.

That’s contrived. Creating one problem to justify another. This is why you always use an ITSP if you don’t already have this knowledge in house. This isn’t a real world problem. No business has this lack of resources without deciding to not have it intentionally.

Dashrender

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@dafyre said in Thoughts on how I could improve my network security?:

Some folks prefer the simplicity of having one throat to choke -- especially in the SMB world. Having run both ends of the spectrum -- that is managing a network with a UTM, vs a separate Firewall and UTM appliance, I can safely say that I prefer to keep them separated.

I saw better Network throughput and performance when keeping the various UTM functions separated out. My worst experience was with Fortinet as a UTM. Enabling IDS / IPS on this device would kill our internet almost immediately.

My best experience with a Non-UTM setup was Smoothwall. We had a Firewall, an IDS, and a Reporting box (three separate devices). Even with the IDS enabled, our internet speeds didn't take a hit.

Sure, but what is the likely reason that internet was so badly affected by you enabling IDS? I'm guessing it was underpowered hardware. Granted this is frequently the case with UTMs.

That's a common problem, for sure. Almost everyone I have spoken with that has used UTMs found them to create big time bottlenecks. Of course, this is cause by improperly sizing the UTM, but it happens all the time. I presume because of the magic black box effect - they trust that the vendor will make it able to handle the assumed workload at wire speed.

This is not an unreasonable expectation. Sadly the vendors have proven that they just don't care about their customers and provide hardware that's not up to the task.

Which is kind of the general nature of a UTM. The starting point here is a device that generally is sold on a basis of misdirection. There are use cases for a UTM, like at a branch office that needs those features but has no server whatsoever. It's not that the product category should not exist at all, but it should be an insanely rare and limited use product. Instead, it is sold as a panacea for those that want security to be a checkbox rather than having to evaluate and properly handle their needs. So that you have vendors making products and marketing products specifically around taking advantage of customers rather than meeting their needs, it follows that other aspects like sizing or configuration might not get much attention to customer needs as well.

I get what you're you're saying.. but the costs to an SMB for the research side alone could out weight the cost of the solution. Assuming you hired NTG to research options for you, that would easily be $500 just in research. Assuming you don't have a server, nor a need for a server, when you look at something like a SonicWall at $2000 for 3 years worth of updates, that's 25% of that cost.

I'm not saying there aren't times when it's needed, but as you point out, it's about business decisions.

That’s a decent theory. But in the real world is not even remotely the case. The cost of research or “knowing the market” is trivially small and the oversell from vendors is insanely large.

You can see with the SonicWall, you’d save thousands knowing to not buy that one thing.

What solution would you recommend that provide the typical UTM and what's the cost? Assume the client has no infrastructure for VMs already in place, yet they need it anyhow.

scottalanmiller

Basically what we just circled around to us that shops lacking knowledge, skills, or don’t care but UTMs because sales people take advantage of that situation. I feel that the “why do people buy UTMs” ended being worse than just me saying “it’s a bad approach”.

Dashrender

@scottalanmiller said in Thoughts on how I could improve my network security?:

@tim_g said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@tim_g said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@dafyre said in Thoughts on how I could improve my network security?:

Some folks prefer the simplicity of having one throat to choke -- especially in the SMB world. Having run both ends of the spectrum -- that is managing a network with a UTM, vs a separate Firewall and UTM appliance, I can safely say that I prefer to keep them separated.

I saw better Network throughput and performance when keeping the various UTM functions separated out. My worst experience was with Fortinet as a UTM. Enabling IDS / IPS on this device would kill our internet almost immediately.

My best experience with a Non-UTM setup was Smoothwall. We had a Firewall, an IDS, and a Reporting box (three separate devices). Even with the IDS enabled, our internet speeds didn't take a hit.

Sure, but what is the likely reason that internet was so badly affected by you enabling IDS? I'm guessing it was underpowered hardware. Granted this is frequently the case with UTMs.

That's a common problem, for sure. Almost everyone I have spoken with that has used UTMs found them to create big time bottlenecks. Of course, this is cause by improperly sizing the UTM, but it happens all the time. I presume because of the magic black box effect - they trust that the vendor will make it able to handle the assumed workload at wire speed.

This is not an unreasonable expectation. Sadly the vendors have proven that they just don't care about their customers and provide hardware that's not up to the task.

Which is kind of the general nature of a UTM. The starting point here is a device that generally is sold on a basis of misdirection. There are use cases for a UTM, like at a branch office that needs those features but has no server whatsoever. It's not that the product category should not exist at all, but it should be an insanely rare and limited use product. Instead, it is sold as a panacea for those that want security to be a checkbox rather than having to evaluate and properly handle their needs. So that you have vendors making products and marketing products specifically around taking advantage of customers rather than meeting their needs, it follows that other aspects like sizing or configuration might not get much attention to customer needs as well.

I get what you're you're saying.. but the costs to an SMB for the research side alone could out weight the cost of the solution. Assuming you hired NTG to research options for you, that would easily be $500 just in research. Assuming you don't have a server, nor a need for a server, when you look at something like a SonicWall at $2000 for 3 years worth of updates, that's 25% of that cost.

I'm not saying there aren't times when it's needed, but as you point out, it's about business decisions.

Sadly this is what it comes down to a lot.

What's worse, is you often have no clue what the research time is going to cost. If NTG, in this case, just did the same or similar research for someone else, you might get lucky and ride the coat tails of that time, but it's every bit as likely that the vendor will simply charge you the same that they charged the previous customer.

In reality, research time approaches zero. Just knowing the market and best practices means you pretty know good answers in seconds.

He's talking about a place who doesn't already know the answer, which is why they'd go with a SonicWALL for example.

That’s contrived. Creating one problem to justify another. This is why you always use an ITSP if you don’t already have this knowledge in house. This isn’t a real world problem. No business has this lack of resources without deciding to not have it intentionally.

LOL - how many ITSPs sell SonicWalls? Tons of them!

coliver

@dashrender said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@tim_g said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@tim_g said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@dafyre said in Thoughts on how I could improve my network security?:

Some folks prefer the simplicity of having one throat to choke -- especially in the SMB world. Having run both ends of the spectrum -- that is managing a network with a UTM, vs a separate Firewall and UTM appliance, I can safely say that I prefer to keep them separated.

I saw better Network throughput and performance when keeping the various UTM functions separated out. My worst experience was with Fortinet as a UTM. Enabling IDS / IPS on this device would kill our internet almost immediately.

My best experience with a Non-UTM setup was Smoothwall. We had a Firewall, an IDS, and a Reporting box (three separate devices). Even with the IDS enabled, our internet speeds didn't take a hit.

Sure, but what is the likely reason that internet was so badly affected by you enabling IDS? I'm guessing it was underpowered hardware. Granted this is frequently the case with UTMs.

That's a common problem, for sure. Almost everyone I have spoken with that has used UTMs found them to create big time bottlenecks. Of course, this is cause by improperly sizing the UTM, but it happens all the time. I presume because of the magic black box effect - they trust that the vendor will make it able to handle the assumed workload at wire speed.

This is not an unreasonable expectation. Sadly the vendors have proven that they just don't care about their customers and provide hardware that's not up to the task.

Which is kind of the general nature of a UTM. The starting point here is a device that generally is sold on a basis of misdirection. There are use cases for a UTM, like at a branch office that needs those features but has no server whatsoever. It's not that the product category should not exist at all, but it should be an insanely rare and limited use product. Instead, it is sold as a panacea for those that want security to be a checkbox rather than having to evaluate and properly handle their needs. So that you have vendors making products and marketing products specifically around taking advantage of customers rather than meeting their needs, it follows that other aspects like sizing or configuration might not get much attention to customer needs as well.

I get what you're you're saying.. but the costs to an SMB for the research side alone could out weight the cost of the solution. Assuming you hired NTG to research options for you, that would easily be $500 just in research. Assuming you don't have a server, nor a need for a server, when you look at something like a SonicWall at $2000 for 3 years worth of updates, that's 25% of that cost.

I'm not saying there aren't times when it's needed, but as you point out, it's about business decisions.

Sadly this is what it comes down to a lot.

What's worse, is you often have no clue what the research time is going to cost. If NTG, in this case, just did the same or similar research for someone else, you might get lucky and ride the coat tails of that time, but it's every bit as likely that the vendor will simply charge you the same that they charged the previous customer.

In reality, research time approaches zero. Just knowing the market and best practices means you pretty know good answers in seconds.

He's talking about a place who doesn't already know the answer, which is why they'd go with a SonicWALL for example.

That’s contrived. Creating one problem to justify another. This is why you always use an ITSP if you don’t already have this knowledge in house. This isn’t a real world problem. No business has this lack of resources without deciding to not have it intentionally.

LOL - how many ITSPs sell SonicWalls? Tons of them!

Why would you use an ITSP that also sells things? You're talking about a VAR not an ITSP.

scottalanmiller

@dashrender said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@tim_g said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@tim_g said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@dafyre said in Thoughts on how I could improve my network security?:

Some folks prefer the simplicity of having one throat to choke -- especially in the SMB world. Having run both ends of the spectrum -- that is managing a network with a UTM, vs a separate Firewall and UTM appliance, I can safely say that I prefer to keep them separated.

I saw better Network throughput and performance when keeping the various UTM functions separated out. My worst experience was with Fortinet as a UTM. Enabling IDS / IPS on this device would kill our internet almost immediately.

My best experience with a Non-UTM setup was Smoothwall. We had a Firewall, an IDS, and a Reporting box (three separate devices). Even with the IDS enabled, our internet speeds didn't take a hit.

Sure, but what is the likely reason that internet was so badly affected by you enabling IDS? I'm guessing it was underpowered hardware. Granted this is frequently the case with UTMs.

That's a common problem, for sure. Almost everyone I have spoken with that has used UTMs found them to create big time bottlenecks. Of course, this is cause by improperly sizing the UTM, but it happens all the time. I presume because of the magic black box effect - they trust that the vendor will make it able to handle the assumed workload at wire speed.

This is not an unreasonable expectation. Sadly the vendors have proven that they just don't care about their customers and provide hardware that's not up to the task.

Which is kind of the general nature of a UTM. The starting point here is a device that generally is sold on a basis of misdirection. There are use cases for a UTM, like at a branch office that needs those features but has no server whatsoever. It's not that the product category should not exist at all, but it should be an insanely rare and limited use product. Instead, it is sold as a panacea for those that want security to be a checkbox rather than having to evaluate and properly handle their needs. So that you have vendors making products and marketing products specifically around taking advantage of customers rather than meeting their needs, it follows that other aspects like sizing or configuration might not get much attention to customer needs as well.

I get what you're you're saying.. but the costs to an SMB for the research side alone could out weight the cost of the solution. Assuming you hired NTG to research options for you, that would easily be $500 just in research. Assuming you don't have a server, nor a need for a server, when you look at something like a SonicWall at $2000 for 3 years worth of updates, that's 25% of that cost.

I'm not saying there aren't times when it's needed, but as you point out, it's about business decisions.

Sadly this is what it comes down to a lot.

What's worse, is you often have no clue what the research time is going to cost. If NTG, in this case, just did the same or similar research for someone else, you might get lucky and ride the coat tails of that time, but it's every bit as likely that the vendor will simply charge you the same that they charged the previous customer.

In reality, research time approaches zero. Just knowing the market and best practices means you pretty know good answers in seconds.

He's talking about a place who doesn't already know the answer, which is why they'd go with a SonicWALL for example.

That’s contrived. Creating one problem to justify another. This is why you always use an ITSP if you don’t already have this knowledge in house. This isn’t a real world problem. No business has this lack of resources without deciding to not have it intentionally.

LOL - how many ITSPs sell SonicWalls? Tons of them!

None, those are VARs.

Dashrender

I'll correct myself.

You're right - Those are VARs.. SMBs don't know the difference between a VAR and an ITSP, and frankly, most don't want an ITSP, they want someone to handle it from soup to nuts.

coliver

@dashrender said in Thoughts on how I could improve my network security?:

I'll correct myself.

You're right - Those are VARs.. SMBs don't know the difference between a VAR and an ITSP, and frankly, most don't want an ITSP, they want someone to handle it from soup to nuts.

Which an ITSP would do. They just wouldn't sell or get a benefit to suggesting a product.

scottalanmiller

@dashrender said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@dafyre said in Thoughts on how I could improve my network security?:

Some folks prefer the simplicity of having one throat to choke -- especially in the SMB world. Having run both ends of the spectrum -- that is managing a network with a UTM, vs a separate Firewall and UTM appliance, I can safely say that I prefer to keep them separated.

I saw better Network throughput and performance when keeping the various UTM functions separated out. My worst experience was with Fortinet as a UTM. Enabling IDS / IPS on this device would kill our internet almost immediately.

My best experience with a Non-UTM setup was Smoothwall. We had a Firewall, an IDS, and a Reporting box (three separate devices). Even with the IDS enabled, our internet speeds didn't take a hit.

Sure, but what is the likely reason that internet was so badly affected by you enabling IDS? I'm guessing it was underpowered hardware. Granted this is frequently the case with UTMs.

That's a common problem, for sure. Almost everyone I have spoken with that has used UTMs found them to create big time bottlenecks. Of course, this is cause by improperly sizing the UTM, but it happens all the time. I presume because of the magic black box effect - they trust that the vendor will make it able to handle the assumed workload at wire speed.

This is not an unreasonable expectation. Sadly the vendors have proven that they just don't care about their customers and provide hardware that's not up to the task.

Which is kind of the general nature of a UTM. The starting point here is a device that generally is sold on a basis of misdirection. There are use cases for a UTM, like at a branch office that needs those features but has no server whatsoever. It's not that the product category should not exist at all, but it should be an insanely rare and limited use product. Instead, it is sold as a panacea for those that want security to be a checkbox rather than having to evaluate and properly handle their needs. So that you have vendors making products and marketing products specifically around taking advantage of customers rather than meeting their needs, it follows that other aspects like sizing or configuration might not get much attention to customer needs as well.

I get what you're you're saying.. but the costs to an SMB for the research side alone could out weight the cost of the solution. Assuming you hired NTG to research options for you, that would easily be $500 just in research. Assuming you don't have a server, nor a need for a server, when you look at something like a SonicWall at $2000 for 3 years worth of updates, that's 25% of that cost.

I'm not saying there aren't times when it's needed, but as you point out, it's about business decisions.

That’s a decent theory. But in the real world is not even remotely the case. The cost of research or “knowing the market” is trivially small and the oversell from vendors is insanely large.

You can see with the SonicWall, you’d save thousands knowing to not buy that one thing.

What solution would you recommend that provide the typical UTM and what's the cost? Assume the client has no infrastructure for VMs already in place, yet they need it anyhow.

1. Contrived. You can't know that you need UTM features and not know what is on the market and have all the answers. The knowledge to know one means you must have the other. This scenario cannot arise.
2. The common answer, 95% of the time, is that UTM features don't meet the business requirements and the correct answer is to only have a firewall, not a UTM or UTM-like featuers.
3. What real world client actually needs UTM features, but doesn't need servers or any other infrastructure? Possible, but realistically this is just being silly. UTMs basically exist to protect servers.
4. You can't just answer any question like this, IT is not a checkbox and there isn't any "one size fits all" in anything that we do.

This, to me, shows the kind of thinking that tends to make UTM decisions happen.....

• One mistake build on another.
• Non-business requirements driving decisions (emotional buying)
• Wrong tools for the job based off of marketing trends
• Contrived scenarios
• Fundamentally bad beliefs that we don't need to make IT decisions but that you just check a box on a form that you "bought" a product of type X
• That security is something you buy rather than something that you do

coliver

@dashrender said in Thoughts on how I could improve my network security?:

I'll correct myself.

You're right - Those are VARs.. SMBs don't know the difference between a VAR and an ITSP, and frankly, most don't want an ITSP, they want someone to handle it from soup to nuts.

Because SMB management aren't good at adulting therefore that's an excuse for them to be bad at adulting?

scottalanmiller

@dashrender said in Thoughts on how I could improve my network security?:

I'll correct myself.

You're right - Those are VARs.. SMBs don't know the difference between a VAR and an ITSP

Every functional adult knows the difference. Please don't mock business people to this degree. It's so insulting. Of course they know. That they don't care is another matter.

scottalanmiller

@dashrender said in Thoughts on how I could improve my network security?:

...and frankly, most don't want an ITSP, they want someone to handle it from soup to nuts.

This is the actual issue. The want to outsource their own business decision making. Which is fine, but is bad practice and as I say in every one of these discussions, you can never use one mistake in bad decision making to justify intentionally making bad decisions.