How to Layer Your Security Needs



  • From reading here there are many opinions on how to do certain activities in IT. This topic will be about security and the different ways you protect your network. Physical security should also be a part of that so if anyone has recommendations then please chime in. Lets learn from each other. Everyone has had good points so there is certainly something to be learned from having a discussion about it. feel free to respond to all or certain points here.

    We have the obligatory firewall and I put AV on every device that comes into the shop from Dell/HP. I setup the machines so I always have a local admin account I can always use if I need to. That is in my image from SmartDeploy and it evolves as I need it to. I record all machine info into OneNote that is organized by building along with the user and mac address if I know that info at the start. I constantly patch and update applications, Windows OS, and AV from this master list. I am a fanatic about updating. I use a combination of PDQ, Psexec, and Chocolatey to this for me. We have all server rooms and network closets locked. We also use security cameras for all of the buildings. That is a little of my environment.

    Everyone uses firewalls but are there certain features you can't live without?
    Any firewall features that used to be important but are no longer?
    Is it helpful to learn how to host our own DNS( thinking Bind) instead of using something like OpenDns?
    What kind of physical security do you employ?
    Are there certain types of layering that do not work well together?
    Any brands of firewalls or AV to avoid?
    Lastly, how do you layer your security if its different than usual?


  • Service Provider

    @jmoore said in How to Layer Your Security Needs:

    Any firewall features that used to be important but are no longer?

    Firewalls don't really have features, per se. I mean stateful detection, but that is about it, and that's just part of NAT routing. You can't skip that and have NAT still work. Firewalls have always been the same since day one - routing with permissions. Basically there was almost never a time that routers didn't do firewall functions.

    So no, I don't see anything as having changed.


  • Service Provider

    @jmoore said in How to Layer Your Security Needs:

    Is it helpful to learn how to host our own DNS( thinking Bind) instead of using something like OpenDns?

    That's not usually an either/or scenario. If you are a tiny shop, having no DNS is fine and normal. But once you hit any size, you typically want something for DNS.

    OpenDNS or Strongarm.io are a different kind of thing, they are DNS-based security mechanisms for your external access. BIND is for your internal DNS.


  • Service Provider

    @jmoore said in How to Layer Your Security Needs:

    Any brands of firewalls or AV to avoid?

    Loads and loads. It's more the other way around, which make sense to consider.

    For firewalls, first you can't lump firewalls and UTM together. Different animals from different vendors.


  • Service Provider

    Firewalls to avoid....

    My rule here is that there are just a few vendors that you actually want to consider, and on the SMB end of things, there is little reason to ever consider anything but Ubiquiti.

    Once you get larger than Ubiquiti can handle, then you can look at Juniper, Cisco, and a few others. But you are talking $15K+ routers here or special HA functionality, which might be cheaper routers, but will be $10K+ in total.


  • Service Provider

    UTMs to avoid...

    My feeling here is that the only real UTM worth considering is Palo Alto. Deploying anything less just doesn't make sense. UTMs are full of problems and their value comes from being insanely comprehensive, which is what PA does. Other UTM products that are cheaper tend to be from unreliable vendors and of questionable value.


  • Service Provider

    AV....

    There are several decent AV vendors, and tons of terrible ones. In most cases, I would just stick with Windows Defender. If you are going to get into the Windows ecosystem and don't trust Windows security, you need to rethink what you are doing.

    Understandably getting a central console for AV can be important, so products like Webroot can be great. They are one of the few AV companies that haven't done something to make me really question their integrity or quality.


  • Service Provider

    @jmoore said in How to Layer Your Security Needs:

    Lastly, how do you layer your security if its different than usual?

    I'm totally focused on LANless design. Nothing on my network should be protected by something at the network level. Not that network protection should not exist, but it should never matter. Most attacks come from the LAN, not the WAN, and if your protection sits at the WAN barrier, most attacks will have already bypassed it.

    Every device that we have, we treat as if it is going to sit directly on the Internet. Nothing is exposed, nothing trusts the LAN. There are exceptions for non-LAN networks like a pure play SAN or cluster interconnects.



  • @scottalanmiller said in How to Layer Your Security Needs:

    UTMs to avoid...

    My feeling here is that the only real UTM worth considering is Palo Alto. Deploying anything less just doesn't make sense. UTMs are full of problems and their value comes from being insanely comprehensive, which is what PA does. Other UTM products that are cheaper tend to be from unreliable vendors and of questionable value.

    Speaking from experience here, I will agree with this statement. I've run some UTM setups that came Prepckaged (Fortinet, Smoothwall, Untangle), and I have built some around Suricata (or Snort), Squid, DansGuardian, ClamAV and Shorewall.

    These things are not easy to build right and do well. They all did Firewalling and routing right, but something screwy with other things like Traffic shaping or application filtering. Even tweaking them for your environment can be more of a pain than it's worth.



  • @scottalanmiller said in How to Layer Your Security Needs:

    AV....

    There are several decent AV vendors, and tons of terrible ones. In most cases, I would just stick with Windows Defender. If you are going to get into the Windows ecosystem and don't trust Windows security, you need to rethink what you are doing.

    Understandably getting a central console for AV can be important, so products like Webroot can be great. They are one of the few AV companies that haven't done something to make me really question their integrity or quality.

    If you need centralized reporting on Windows Defender, you can purchase Intune.


  • Service Provider

    @dashrender said in How to Layer Your Security Needs:

    @scottalanmiller said in How to Layer Your Security Needs:

    AV....

    There are several decent AV vendors, and tons of terrible ones. In most cases, I would just stick with Windows Defender. If you are going to get into the Windows ecosystem and don't trust Windows security, you need to rethink what you are doing.

    Understandably getting a central console for AV can be important, so products like Webroot can be great. They are one of the few AV companies that haven't done something to make me really question their integrity or quality.

    If you need centralized reporting on Windows Defender, you can purchase Intune.

    I assume that you can do it with some scripting, too. Not seen that done, but seems like it would likely be pretty doable.



  • @scottalanmiller said in How to Layer Your Security Needs:

    @dashrender said in How to Layer Your Security Needs:

    @scottalanmiller said in How to Layer Your Security Needs:

    AV....

    There are several decent AV vendors, and tons of terrible ones. In most cases, I would just stick with Windows Defender. If you are going to get into the Windows ecosystem and don't trust Windows security, you need to rethink what you are doing.

    Understandably getting a central console for AV can be important, so products like Webroot can be great. They are one of the few AV companies that haven't done something to make me really question their integrity or quality.

    If you need centralized reporting on Windows Defender, you can purchase Intune.

    I assume that you can do it with some scripting, too. Not seen that done, but seems like it would likely be pretty doable.

    Likely you could pull this type of data using something like Salt, then make your own reports.


  • Service Provider

    @dashrender said in How to Layer Your Security Needs:

    @scottalanmiller said in How to Layer Your Security Needs:

    @dashrender said in How to Layer Your Security Needs:

    @scottalanmiller said in How to Layer Your Security Needs:

    AV....

    There are several decent AV vendors, and tons of terrible ones. In most cases, I would just stick with Windows Defender. If you are going to get into the Windows ecosystem and don't trust Windows security, you need to rethink what you are doing.

    Understandably getting a central console for AV can be important, so products like Webroot can be great. They are one of the few AV companies that haven't done something to make me really question their integrity or quality.

    If you need centralized reporting on Windows Defender, you can purchase Intune.

    I assume that you can do it with some scripting, too. Not seen that done, but seems like it would likely be pretty doable.

    Likely you could pull this type of data using something like Salt, then make your own reports.

    Right, seems like a good way to go, assuming that there are necessary hooks for those sorts of things.



  • @scottalanmiller said in How to Layer Your Security Needs:

    @jmoore said in How to Layer Your Security Needs:

    Is it helpful to learn how to host our own DNS( thinking Bind) instead of using something like OpenDns?

    That's not usually an either/or scenario. If you are a tiny shop, having no DNS is fine and normal. But once you hit any size, you typically want something for DNS.

    OpenDNS or Strongarm.io are a different kind of thing, they are DNS-based security mechanisms for your external access. BIND is for your internal DNS.

    Oh got it, I see I was using those terms wrong.



  • @scottalanmiller said in How to Layer Your Security Needs:

    @jmoore said in How to Layer Your Security Needs:

    Any brands of firewalls or AV to avoid?

    Loads and loads. It's more the other way around, which make sense to consider.

    For firewalls, first you can't lump firewalls and UTM together. Different animals from different vendors.

    I thought UTM's were firewalls with a lot more features. Kind of like, a do everything security box?


  • Service Provider

    @jmoore said in How to Layer Your Security Needs:

    @scottalanmiller said in How to Layer Your Security Needs:

    @jmoore said in How to Layer Your Security Needs:

    Any brands of firewalls or AV to avoid?

    Loads and loads. It's more the other way around, which make sense to consider.

    For firewalls, first you can't lump firewalls and UTM together. Different animals from different vendors.

    I thought UTM's were firewalls with a lot more features. Kind of like, a do everything security box?

    They are, sort of. UTM means "firewall plus loads of applications." It's a silly thing. The firewall is still the firewall, the UTM functionality is apps running on top of the firewall's processor.


  • Service Provider

    UTM itself is actually the antithesis of security in layers, as the entire point of a UTM is collapsing layers of security down!



  • @scottalanmiller said in How to Layer Your Security Needs:

    UTMs to avoid...

    My feeling here is that the only real UTM worth considering is Palo Alto. Deploying anything less just doesn't make sense. UTMs are full of problems and their value comes from being insanely comprehensive, which is what PA does. Other UTM products that are cheaper tend to be from unreliable vendors and of questionable value.

    I knew Palo Alto made good stuff but did not know they did not have hardly any competition. Good info


  • Service Provider

    @jmoore said in How to Layer Your Security Needs:

    @scottalanmiller said in How to Layer Your Security Needs:

    UTMs to avoid...

    My feeling here is that the only real UTM worth considering is Palo Alto. Deploying anything less just doesn't make sense. UTMs are full of problems and their value comes from being insanely comprehensive, which is what PA does. Other UTM products that are cheaper tend to be from unreliable vendors and of questionable value.

    I knew Palo Alto made good stuff but did not know they did not have hardly any competition. Good info

    There is a little, but very little. That will change with time, but as the entire concept of a UTM is, I feel, fundamentally flawed, I doubt that many serious competitors will step into the space.


  • Service Provider

    That said, PA does make the best non-UTM network protection, too. That's where I foresee them getting competition eventually.



  • @scottalanmiller said in How to Layer Your Security Needs:

    AV....

    There are several decent AV vendors, and tons of terrible ones. In most cases, I would just stick with Windows Defender. If you are going to get into the Windows ecosystem and don't trust Windows security, you need to rethink what you are doing.

    Understandably getting a central console for AV can be important, so products like Webroot can be great. They are one of the few AV companies that haven't done something to make me really question their integrity or quality.

    that makes a lot of sense. I read in lots of places when people ask for AV recommendations it is always somethign different and Defender is barely mentioned. Why is that then?



  • @scottalanmiller said in How to Layer Your Security Needs:

    @jmoore said in How to Layer Your Security Needs:

    Lastly, how do you layer your security if its different than usual?

    I'm totally focused on LANless design. Nothing on my network should be protected by something at the network level. Not that network protection should not exist, but it should never matter. Most attacks come from the LAN, not the WAN, and if your protection sits at the WAN barrier, most attacks will have already bypassed it.

    Every device that we have, we treat as if it is going to sit directly on the Internet. Nothing is exposed, nothing trusts the LAN. There are exceptions for non-LAN networks like a pure play SAN or cluster interconnects.

    So by lanless you mean it is protected as much as possible at the workstation level and not relying on a UTM to do all the work for it instead?



  • @dafyre said in How to Layer Your Security Needs:

    @scottalanmiller said in How to Layer Your Security Needs:

    UTMs to avoid...

    My feeling here is that the only real UTM worth considering is Palo Alto. Deploying anything less just doesn't make sense. UTMs are full of problems and their value comes from being insanely comprehensive, which is what PA does. Other UTM products that are cheaper tend to be from unreliable vendors and of questionable value.

    Speaking from experience here, I will agree with this statement. I've run some UTM setups that came Prepckaged (Fortinet, Smoothwall, Untangle), and I have built some around Suricata (or Snort), Squid, DansGuardian, ClamAV and Shorewall.

    These things are not easy to build right and do well. They all did Firewalling and routing right, but something screwy with other things like Traffic shaping or application filtering. Even tweaking them for your environment can be more of a pain than it's worth.

    Yeah I don't know about all of those but Snort and Untangle can be difficult if you don;t have a lot of experience with using them. Not that they can't be figured out but its as you said, a pain...


  • Service Provider

    @jmoore said in How to Layer Your Security Needs:

    @scottalanmiller said in How to Layer Your Security Needs:

    AV....

    There are several decent AV vendors, and tons of terrible ones. In most cases, I would just stick with Windows Defender. If you are going to get into the Windows ecosystem and don't trust Windows security, you need to rethink what you are doing.

    Understandably getting a central console for AV can be important, so products like Webroot can be great. They are one of the few AV companies that haven't done something to make me really question their integrity or quality.

    that makes a lot of sense. I read in lots of places when people ask for AV recommendations it is always somethign different and Defender is barely mentioned. Why is that then?

    Because no one makes money pushing Defender.



  • @dashrender said in How to Layer Your Security Needs:

    @scottalanmiller said in How to Layer Your Security Needs:

    AV....

    There are several decent AV vendors, and tons of terrible ones. In most cases, I would just stick with Windows Defender. If you are going to get into the Windows ecosystem and don't trust Windows security, you need to rethink what you are doing.

    Understandably getting a central console for AV can be important, so products like Webroot can be great. They are one of the few AV companies that haven't done something to make me really question their integrity or quality.

    If you need centralized reporting on Windows Defender, you can purchase Intune.

    I have not used it yet but I heard it was pretty cool. Thanks I will look into it more


  • Service Provider

    @jmoore said in How to Layer Your Security Needs:

    @scottalanmiller said in How to Layer Your Security Needs:

    @jmoore said in How to Layer Your Security Needs:

    Lastly, how do you layer your security if its different than usual?

    I'm totally focused on LANless design. Nothing on my network should be protected by something at the network level. Not that network protection should not exist, but it should never matter. Most attacks come from the LAN, not the WAN, and if your protection sits at the WAN barrier, most attacks will have already bypassed it.

    Every device that we have, we treat as if it is going to sit directly on the Internet. Nothing is exposed, nothing trusts the LAN. There are exceptions for non-LAN networks like a pure play SAN or cluster interconnects.

    So by lanless you mean it is protected as much as possible at the workstation level and not relying on a UTM to do all the work for it instead?

    Right, act like everything is exposed (because it is) and never assume that the LAN is a safe place.


  • Service Provider

    @jmoore said in How to Layer Your Security Needs:

    @dashrender said in How to Layer Your Security Needs:

    @scottalanmiller said in How to Layer Your Security Needs:

    AV....

    There are several decent AV vendors, and tons of terrible ones. In most cases, I would just stick with Windows Defender. If you are going to get into the Windows ecosystem and don't trust Windows security, you need to rethink what you are doing.

    Understandably getting a central console for AV can be important, so products like Webroot can be great. They are one of the few AV companies that haven't done something to make me really question their integrity or quality.

    If you need centralized reporting on Windows Defender, you can purchase Intune.

    I have not used it yet but I heard it was pretty cool. Thanks I will look into it more

    InTune isn't cheap or nice. We tried it for a while, but it's not very impressive.



  • @scottalanmiller said in How to Layer Your Security Needs:

    @jmoore said in How to Layer Your Security Needs:

    @scottalanmiller said in How to Layer Your Security Needs:

    AV....

    There are several decent AV vendors, and tons of terrible ones. In most cases, I would just stick with Windows Defender. If you are going to get into the Windows ecosystem and don't trust Windows security, you need to rethink what you are doing.

    Understandably getting a central console for AV can be important, so products like Webroot can be great. They are one of the few AV companies that haven't done something to make me really question their integrity or quality.

    that makes a lot of sense. I read in lots of places when people ask for AV recommendations it is always somethign different and Defender is barely mentioned. Why is that then?

    Because no one makes money pushing Defender.

    Plus people are MS haters.



  • @scottalanmiller said in How to Layer Your Security Needs:

    @jmoore said in How to Layer Your Security Needs:

    @scottalanmiller said in How to Layer Your Security Needs:

    @jmoore said in How to Layer Your Security Needs:

    Any brands of firewalls or AV to avoid?

    Loads and loads. It's more the other way around, which make sense to consider.

    For firewalls, first you can't lump firewalls and UTM together. Different animals from different vendors.

    I thought UTM's were firewalls with a lot more features. Kind of like, a do everything security box?

    They are, sort of. UTM means "firewall plus loads of applications." It's a silly thing. The firewall is still the firewall, the UTM functionality is apps running on top of the firewall's processor.

    ok I see. I have never liked designs like that. I do prefer the independent designs as things just seem to work better and easier by configuring each functionality separately as you need it.



  • @scottalanmiller said in How to Layer Your Security Needs:

    @jmoore said in How to Layer Your Security Needs:

    @dashrender said in How to Layer Your Security Needs:

    @scottalanmiller said in How to Layer Your Security Needs:

    AV....

    There are several decent AV vendors, and tons of terrible ones. In most cases, I would just stick with Windows Defender. If you are going to get into the Windows ecosystem and don't trust Windows security, you need to rethink what you are doing.

    Understandably getting a central console for AV can be important, so products like Webroot can be great. They are one of the few AV companies that haven't done something to make me really question their integrity or quality.

    If you need centralized reporting on Windows Defender, you can purchase Intune.

    I have not used it yet but I heard it was pretty cool. Thanks I will look into it more

    InTune isn't cheap or nice. We tried it for a while, but it's not very impressive.

    No, it's not cheap, about the same cost as most other AV packages... but it does include MDM type functionality though.


Log in to reply
 

Looks like your connection to MangoLassi was lost, please wait while we try to reconnect.