USG Pro 4 and our Company Security



  • @jevans He doesn't know what he's talking about. I'd in turn ask him "Why do you think the network firewall should be responsible for all these other security pieces that can be done cheaper and much more efficiently elsewhere?" You already know the answer is because he wants to sell you something, which does not benefit you in any way.



  • @RojoLoco said in USG Pro 4 and our Company Security:

    If he is employed by your company, he might just be misinformed.

    My understanding is that this is a salesman (rep) from the datacenter (probably colo) provider. This is likely one of those little VARs that runs a little datacenter and masquerades as an MSP to try to make their sales seem legitimate. Just a guess, but that's the pattern I see this occurring in.



  • Another really important thing to point out is that a Unifi USG is a UTM. We never talk about that because that would be a shitty way to sell firewalls. UTM is nothing more than a firewall with some extra features (that we generally recommend against because they are either stupid and wasteful, or if needed shouldn't be on the firewall as that is horrible security practice) and the USG has some UTM features that you can turn on (but most of us don't).

    So not only is he being dishonest about you needing a UTM, he's also lying about you not already having one!



  • @jevans said in USG Pro 4 and our Company Security:

    For a bit more info, we would be sending out all internet traffic locally from the branch and all other traffic would go through the VPN Tunnel to the DC.

    IF you needed a UTM for some reason (trust me, you don't), then it would be only at that branch with the Internet connection. UTMs are a "buzzword" product that in theory is meant to protect at that step to the Internet. If you put UTMs in your connection to the datacenter, you'd have to disable the UTM features for things to work properly anyway!



  • @scottalanmiller said in USG Pro 4 and our Company Security:

    @RojoLoco said in USG Pro 4 and our Company Security:

    If he is employed by your company, he might just be misinformed.

    My understanding is that this is a salesman (rep) from the datacenter (probably colo) provider. This is likely one of those little VARs that runs a little datacenter and masquerades as an MSP to try to make their sales seem legitimate. Just a guess, but that's the pattern I see this occurring in.

    What the actual bloody fuck???

    @jevans sever your ties with this alleged "datacenter" immediately!!!! Never colocate systems to a place that sells anything but rack spaces for your gear.



  • @RojoLoco said in USG Pro 4 and our Company Security:

    @scottalanmiller said in USG Pro 4 and our Company Security:

    @RojoLoco said in USG Pro 4 and our Company Security:

    If he is employed by your company, he might just be misinformed.

    My understanding is that this is a salesman (rep) from the datacenter (probably colo) provider. This is likely one of those little VARs that runs a little datacenter and masquerades as an MSP to try to make their sales seem legitimate. Just a guess, but that's the pattern I see this occurring in.

    What the actual bloody fuck???

    @jevans sever your ties with this alleged "datacenter" immediately!!!! Never colocate systems to a place that sells anything but rack spaces for your gear.

    ^^^ This. I'd be calling the head of the company here and demanding an explanation for such unethical behaviour and a pretty clear defense of how you are supposed to be able to trust your equipment to a company that clearly has a security concern! This behaviour is really no different to any other that would steal your data and sell it. If they are willing to lie and cheat and bully to try to take your money, why wouldn't they harvest your data straight off of the servers and sell it? Or sell access to your servers to anyone who paid them? There are no ethical lines between the two actions.

    I understand that maybe the sales guy (that they call a rep) might have zero access to the datacenter itself. Maybe. But the owner who employs him and pays him to run scams does, and they need to find a way to establish trust back up the chain.

    Really, best to just walk away. There are loads of honest, ethical datacenters and MSPs out there that would love to actually help you. There is never a need of any sort to continue to do business with the "bad guys".



  • He said that I should get Juniper or Fortigate. Then he told me that they could put together a package for Fortigate because that is what the DC uses. So I do feel like he is promoting their equipment and management services. Thankfully, we plan on dropping the DC in a few years because we won't need the services they provide by then. So I really started to feel the pressure when I was told the USGs would not work. With that said, this Rep did mention two things I was not familiar with, I'm still learning. He said the IPS would block one set of attacks but that it couldn't block others and those "others" are a big threat right now. When I remember I'll post.



  • @scottalanmiller said in USG Pro 4 and our Company Security:

    I'd be calling the head of the company

    You know, hearing all of you talk about this really sheds some light on what has been going on with the DC. When we first signed with them we were taken care of. We liked the people we worked with. Then over the last year, almost all of the people we worked with at the start left or got fired. Our current rep said that they didn't like the way the company was going. Now I know why because it was going the wrong way.



  • @jevans don't give those scumbags another penny. "...in a few years" is waaaaayyyyy too late.



  • @jevans Juniper makes good stuff, Fortigate less so. We use some Fortigate here and have had several strange issues.

    If it sounds like they are promoting a package then buyer beware as the saying goes. If they are selling something then any advice they give is suspect.

    As others have said, hardly anyone ever needs a UTM. They are right.



  • @jmoore said in USG Pro 4 and our Company Security:

    If they are selling something then any ALL advice they give is suspect.



  • @jevans said in USG Pro 4 and our Company Security:

    He said that I should get Juniper or Fortigate. Then he told me that they could put together a package for Fortigate because that is what the DC uses.

    Yup, salesman being a salesman. Just saying anything to try to sell what he sells.



  • @jevans what is the name of this terrible company? Giving them a "name and shame" here could help others get away from their treachery.



  • @jevans said in USG Pro 4 and our Company Security:

    He said the IPS would block one set of attacks but that it couldn't block others and those "others" are a big threat right now. When I remember I'll post.

    IPS is okay, but probably doesn't have a place here. IPS is the "most valuable" thing included in a UTM. Thankfully, Unifi includes this. So you already have it should you want to turn it on.



  • @jevans said in USG Pro 4 and our Company Security:

    Our current rep said that they didn't like the way the company was going. Now I know why because it was going the wrong way.

    "Toxic environments"... once people start fleeing, that's almost always what it is. And sadly, those kinds of problems "always" come from the top down, if they didn't, they'd be fixed pretty quickly. So unfortunately, it becomes an "unfixable" situation where the owner desires X of the company and only people who are okay with X behaviour are willing to work there.



  • @jevans said in USG Pro 4 and our Company Security:

    Thankfully, we plan on dropping the DC in a few years because we won't need the services they provide by then.

    If you don't mind us digging in... what "services" do they provide that couldn't be taken over by someone else, more or less, overnight?

    I've worked in the consulting space a long time and pretty universally when things sound like this we generally find that the cost of services is absurdly high and the datacenters / VARs convince the customers that what they do is unique and expensive. But looking elsewhere, if you know where to look, it's often cheap and easy.

    This got one of our customers (who is on here, too): they thought that their local datacenter was giving them a deal and that they "didn't need much as they were small so they were just trying to be cheap"... but were paying over $1,100 per month for terrible service for something that was only $150/mo from an enterprise player! So in the hopes of being cheap, they were actually burning money like crazy and every month that they waited to fix it cost a lot of money for no reason.



  • @RojoLoco said in USG Pro 4 and our Company Security:

    @jmoore said in USG Pro 4 and our Company Security:

    If they are selling something then any ALL advice they give is suspect.

    ^^^ This can't be overstated. There are two layers here...

    1. They are sales people (VAR), not advisers. They are vendor advocates, not your advocates. So their job isn't to represent you, but to screw you. That is their function. We call this the "VAR taint" and while it can be limited, it can't go away as long as they are a VAR (this is why shops like @ntg and @Bundy-Associates sell absolutely nothing, because once you cross that line, you can't give untainted advice and consulting).

    2. They crossed a VAR ethics line. You can get honest VARs that are still sales people but act ethically and honestly. I work with VARs every day, but I'm careful to make sure that they are ethical and behave properly. This guy crossed the line and was just flat out lying and bullying. So not only are they tainted by the VAR aspect, but they are the "bad guys", too.

    So point 1 is "whose side are they on", and the answer is "not yours." Point 2 is "are they good guys or bad guys", and the answer is bad. So this is the worst type of relationships... bad guys who aren't on your side.

    https://smbitjournal.com/2016/06/buyers-and-sellers-agents-in-it/



  • If you can't get out of your contract and get away from these guys, and you don't fear that they will extort you (but why wouldn't they?), then your best bet is to sever contact and make sure that they are never allowed to speak to you except through a support ticket in the case of an outage.

    The problem with sales people like this is that they are trained and paid to mislead you. It is easy to "know" that they are dishonest and untrustworthy, but once you allow them to talk to you, they are still experts at twisting your thoughts and playing on your emotions to make you question your beliefs. It's unbelievable how effective this is, and organizations know this. A good sales person could steal your first born and burn down your house, but still convince you to listen to them and talk you into doing the craziest things. Humans are irrational and emotional, no matter how much we feel like we are not. And one of the best defense mechanisms that we have against being tricked is to identify situations where someone will try to trick us and avoid them. Avoiding them is the only way to be sure it doesn't happen. Going in with a mindset of "they are going to trick me" doesn't work. If it did, television ads would be useless. That any advertising works at all is proof that humans, even being told up front that someone is going to try to talk them into something, can't emotionally resist giving in.



  • @RojoLoco said in USG Pro 4 and our Company Security:

    what is the name of this terrible company?

    Atmosera. Used to be EasyStreet. They merged with Infinity...something and became Atmosera.



  • @jevans said in USG Pro 4 and our Company Security:

    Used to be EasyStreet.

    What a terrible business name, no wonder they updated it!




  • Are they not just using Azure?



  • @scottalanmiller said in USG Pro 4 and our Company Security:

    If you don't mind us digging in... what "services" do they provide that couldn't be taken over by someone else, more or less, overnight?

    They house the server that holds our Financial Software. We already have plans to move to a new Company for that, within the year. We are also working to get a consultant to help us migrate our files to Sharepoint, AD fully to Azure, and find a solution for our branch employees (Thin clients, Desktop, Remote Desktop in the Cloud). We still have some work to do to get a good plan. We have already started, just because the price for the DC is way too much for us. Now we have another reason.



  • So a general rule I will throw out there... colocation is not something you want to be local. Same as cloud. "Where" it is makes no difference. It's not that you avoid people who are local, you just never consider that in your selection process. Local has no benefits. But choosing local because they are local flags you as not valuing good, honest service and changes how the vendor views you.

    The only thing you care about with a colocation provider that can be affected by locality is latency, and that you just measure. Good colocation is all in major cities that specialize in DC services... NY/NJ, Chicago, DFW, San Antonio, Los Angeles, NOVA, that's about it. Anything outside of those cities and you are probably getting a little local shop (unless you aren't in the USA of course.)

    From where you are, LA is your logical choice. San Fran has a few, but is actually surprisingly bad for infrastructure so rarely do you get data center services in the Bay area.

    https://smbitjournal.com/2015/08/avoiding-local-service-providers/



  • @gtech said in USG Pro 4 and our Company Security:

    Are they not just using Azure?

    They have a colocation business that they don't advertise as heavily.



  • @jevans said in USG Pro 4 and our Company Security:

    They house the server that holds our Financial Software. We already have plans to move to a new Company for that, within the year. We are also working to get a consultant to help us migrate our files to Sharepoint, AD fully to Azure, and find a solution for our branch employees (Thin clients, Desktop, Remote Desktop in the Cloud). We still have some work to do to get a good plan. We have already started, just because the price for the DC is way too much for us. Now we have another reason.

    So that's a very high level view, so take my statement with a grain of proverbial salt, but this sounds like the kind of stuff that could be moved in a couple of weeks and save a fortune right away. Not that you WANT to move that aggressively, but if the cost is too high, getting moved off of it faster is better. All of those things are super standard and just a matter of a normal migration.



  • This is from the Rep:

    "UTM (Unified Threat Management) This is where you have multiple layers of security at the gateway to protect against threats. These typically come with a subscription for regular updates, usually daily or even multiple times a day, for their threat updates. Also DPI SSL inspection."

    This is why he was saying the USG will not be a viable option for us.



  • @jevans said in USG Pro 4 and our Company Security:

    We already have plans to move to a new Company for that, within the year. We are also working to get a consultant to help us migrate our files to Sharepoint, AD fully to Azure, and find a solution for our branch employees (Thin clients, Desktop, Remote Desktop in the Cloud).

    So in a situation like this, where you've now identified that a bad actor has been sowing seeds of misinformation, it's a good time to go back and look at other decisions and see if their influence can be seen there as well. And I'm guessing that the move to Azure just happened to be recommended by the same guy trying to sell UTMs. The vendor in question is an Azure reseller and by and large, Azure is the one big vendor you'd never want on a short list - high cost, low quality - for cloud. Azure depends on aggressive salespeople and big marketing to get shops that don't evaluate the competition to overpay for low quality services.

    MS services for O365 for hosted Sharepoint, email, and such are great. Azure doesn't do AD (don't confuse Azure AD with AD on Azure, two totally different things conceptually). You can do AD on Azure, but it's not Azure providing it.

    I'd immediately step back and question why Azure was even mentioned, let alone selected. Maybe there is some technical info that we don't have. But what technical info we do have, and the info about who has been trying to sell things there, tells us that using Azure is a very bad idea.

    Cloud is great, and may or may not make sense for you. But based off of other information that we have, my guess is that a dishonest datacenter who is trying to sell products and Azure services has been screwing you on datacenter services and using that bad treatment to justify talking you into cloud when it wouldn't make sense. The kinds of workloads that you are describing are absolutely terrible for cloud, and ideal for colocation. If you saw quality colo, I bet you'd see that cloud has no way to compete for this type of setup.



  • @jevans said in USG Pro 4 and our Company Security:

    This is from the Rep:

    "UTM (Unified Threat Management) This is where you have multiple layers of security at the gateway to protect against threats. These typically come with a subscription for regular updates, usually daily or even multiple times a day, for their threat updates. Also DPI SSL inspection."

    This is why he was saying the USG will not be a viable option for us.

    Seriously, never speak to him again. Literally, never. The only words you should speak to him are "If you ever call again, we will take legal action."

    The UTM can't do what he's describing here, where he's trying to get you to put it. He's continuing the scam.

    Anyone who says "security in layers" is pulling a scam. All security is in layers, no legit person talks about it that way, though. That's a sales tactic terminology. It's used to make you feel something obvious is special.

    UTMs are the worst way to deliver those kinds of services, if they are needed. DPI SSL inspection is nice and all, but comes at big cost and big risk and has essentially zero value. You already have DPI SSL inspection from your AV products. It's an essentially pointless service, that would be disabled in this case, that sounds plausible but is almost entirely a scam in general (but 100% a scam in this specific case.)

    But we've established that the USG is in fact a UTM. That it doesn't require a subscription to empty your wallet doesn't change that, but clearly does change his opinion over whether or not he can use it to scam you, so he doesn't like it.



  • So I would happily get onto the phone with this rep and your CEO if you'd like. CEO can be on mute. But I will only do a free "expose the scammer" call if someone with the authority to consider legal action is listening. But if the CEO wants to hear him get exposed lying in real time, I'm happy to make that call.

