Network Security - UTM
-
For example, here is the most generic search that I could think of... "hosted email." Not looking for Exchange, not looking for O365, not looking for Microsoft... just someone hosting my email.
First two hits are Rackspace's $2 option and Microsoft O365 Hosted Exchange for $4. No hint of other Office 365 products at all.
Someone looking for email, I think, would be as oblivious to the SMB MS Office packages via O365 as you were to the hosted email ones.
-
That's definitely true - I never did a google search.
In this case I knew too much and it was biting me in the ass.
I knew that O365 included Hosted Exchange - so stupid me figured, well, the base package should be JUST Hosted Exchange, which of course it's not.
-
@Dashrender said:
I knew that O365 included Hosted Exchange - so stupid me figured, well, the base package should be JUST Hosted Exchange, which of course it's not.
Well, it is. The base email package is just not the base MS Office package. There is one base package that is only Visio.
I can't look at the Office 365 site from here. No matter what you tell it, it displays in Greek and since there isn't even Latin letters there, I can't find any way to set it to English. Another total failure of geographic IP detection. I'm "in" Greece but did not request a Greek site. I even typed in the language code where they put the Greek code but because it is detecting me in Greece it changes back to Greek when rendering the page. Pretty basic website error for a company like MS. They simply work hard to block non-Greek speakers in Greece.
-
Yes, we only have mailboxes at the moment but will be moving tenants once all have been migrated (don't ask ... f**k*ng CRM!!)
We do plan on looking more closely at SharePoint and OneDrive over the next 12 months to get rid of file shares on the server and network. I'll then use the NAS for backups.
-
I just thought.........
If we take the Citrix for example and I want to "publish" to all the sites via the internet. Wouldn't I need something to "secure" the inbound/outbound traffic to prevent it being a point for hackers?
Or would something like a Ubiquiti Edge Router be enough? Or am I missing something here?
Excuse the silly questions but as I mentioned this is the largest company I've worked for so my mind still thinks in LAN terms lol.
-
@hobbit666 said:
@Breffni-Potter said:
@hobbit666 Did someone say PCI? Hold everything!
What level of PCI compliance are you working towards? Or has the goal not been set yet?
No idea, it's a "buzz" word I've been hearing from meetings that I've not been attending. Most coming from the Credit Control dept and our CRM person.
@hobbit666 It's not a buzz word. - You need to get clarity on what they are trying to do and help them achieve it.
You could very easily find yourself with an auditor breathing down your neck with a system design that is non compliant.
So the first question, are they going for self assessment? Which means far more relaxed requirements.
-
@Breffni-Potter said:
@hobbit666 said:
@Breffni-Potter said:
@hobbit666 Did someone say PCI? Hold everything!
What level of PCI compliance are you working towards? Or has the goal not been set yet?
No idea, it's a "buzz" word I've been hearing from meetings that I've not been attending. Most coming from the Credit Control dept and our CRM person.
@hobbit666 It's not a buzz word. - You need to get clarity on what they are trying to do and help them achieve it.
You could very easily find yourself with an auditor breathing down your neck with a system design that is non compliant.
So the first question, are they going for self assessment? Which means far more relaxed requirements.
Yeah, I think the people in charge looking into PCI and other aspects of data protection etc. are trying to get to grips with where we lie with them in terms of what we need to be compliant.
e.g. we don't store credit card details anywhere on our equipment. But we do have personal information and credit details as we deal with accounts for people purchasing goods. But we are also moving into the world of lending people money to get farms stocked and running.
-
@hobbit666 said:
If we take the Citrix for example and I want to "publish" to all the sites via the internet. Wouldn't I need something to "secure" the inbound/outbound traffic to prevent it being a point for hackers?
Citrix is designed for exactly that exposure. Like a secure website, it is already secured. While securing it "again" does make it more secure, you don't normally make people use a VPN before going to a website, right?
-
@Breffni-Potter said:
@hobbit666 It's not a buzz word.
In IT it is. People don't know how to do it, what it is for, when it is needed but throw the term about like cloud, SAN and other things that they don't understand.
As someone who has to come along after fake PCI auditors and deal with the networks that they expose and unsecure, I assure you to both the majority of IT firms and nearly all businesses, it is nothing but a buzz word.
-
@scottalanmiller said:
@hobbit666 said:
If we take the Citrix for example and I want to "publish" to all the sites via the internet. Wouldn't I need something to "secure" the inbound/outbound traffic to prevent it being a point for hackers?
Citrix is designed for exactly that exposure. Like a secure website, it is already secured. While securing it "again" does make it more secure, you don't normally make people use a VPN before going to a website, right?
So in essence choosing the right Core/Edge/In the middle equipment for the network at that location will go a long way in getting rid of the "old" LAN/WAN thinking and move to an enterprise model?
-
@hobbit666 said:
So in essence choosing the right Core/Edge/In the middle equipment for the network at that location will go a long way in getting rid of the "old" LAN/WAN thinking and move to an enterprise model?
Well it would encourage it less. But spending a fortune on things like a UTM encourage people to think in a LAN way because of where the money goes, because it makes them feel like the LAN is safe when it is only nominally safer at best, etc.
And don't think of it as LAN vs. Enterprise. It's legacy (LAN) vs. future (LANless). Not about size.
-
@scottalanmiller said:
As someone who has to come along after fake PCI auditors and deal with the networks that they expose and unsecure
Which is why when you have a chance to get ahead of the problem, you should take it rather than shrug and go "Ah, that department is thinking about that" or "I'll let the nice outside company sell us what we need"
-
@scottalanmiller said:
And don't think of it as LAN vs. Enterprise. It's legacy (LAN) vs. future (LANless). Not about size.
Do you have any links/tips/guides for designing a Site with Future LANless in mind?
-
@hobbit666 said:
@scottalanmiller said:
And don't think of it as LAN vs. Enterprise. It's legacy (LAN) vs. future (LANless). Not about size.
Do you have any links/tips/guides for designing a Site with Future LANless in mind?
The biggest thing to change, IMHO, is your thinking around "network dependencies." Whenever you design something new, make a change or consider how things work and tie together... how do you think about your dependencies?
For NTG, for years, we have had people working outside of the core offices. We were always thinking... how will I get their phones to work or how will they authenticate or how will they reach this application. At first the answer was often "we will deploy a hardware firewall with VPN capabilities to their home for them" but this was limiting and only partially solved problems. Eventually we moved towards a LANless design. With zero concept of a LAN, things change very quickly. How you think about computers that you work on changes completely.
A few things that we did over the years that really made us reevaluate how we thought about our LAN:
- Unpredictable, mobile workers who need full functionality no matter where they are.
- Not wanting to be tied to a single OS if possible.
- Not hosting services in house, colo is hard, cloud is harder, multiple clouds is nearly impossible without being LANless.
- Don't consider the LAN as safe, assume it can be, will be and likely is compromised. Consider the LAN just a faster WAN... secure it when you can, but never assume it is secure.
-
@scottalanmiller said:
The biggest thing to change, IMHO, is your thinking around "network dependencies." Whenever you design something new, make a change or consider how things work and tie together... how do you think about your dependencies?
God, that sounds painful.
-
It takes rather a bit of a change of thinking, that is true. But really, once you do it, life gets much easier.
Suddenly that one guy working remotely becomes... just like everyone else. That unexpected new office or change in company direction... you are prepared for that. The LAN model is very limiting and makes all kinds of things really hard.
Think about everything you have going on with MPLS, VPNs, authentication... all of that goes away.
-
@scottalanmiller said:
It takes rather a bit of a change of thinking, that is true. But really, once you do it, life gets much easier.
Suddenly that one guy working remotely becomes... just like everyone else. That unexpected new office or change in company direction... you are prepared for that. The LAN model is very limiting and makes all kinds of things really hard.
Think about everything you have going on with MPLS, VPNs, authentication... all of that goes away.
So in this LANless thinking how do NTG handle AD? Or don't you have Active Directory anymore? Or Authentication in general?
-
@hobbit666 said:
So in this LANless thinking how do NTG handle AD? Or don't you have Active Directory anymore? Or Authentication in general?
I need to write a paper on NTG's journey.
NTG no longer has AD. We have a mixed environment of Windows, Mac and Linux Mint. The Windows was 100% Windows 10 before we started moving off of AD. All of the Windows 10 is on Azure AD, not AD. Azure AD has no LAN dependency. We are looking at testing Linux Mint on Azure AD as that is now available and very exciting.
-
@scottalanmiller said:
@hobbit666 said:
So in this LANless thinking how do NTG handle AD? Or don't you have Active Directory anymore? Or Authentication in general?
I need to write a paper on NTG's journey.
NTG no longer has AD. We have a mixed environment of Windows, Mac and Linux Mint. The Windows was 100% Windows 10 before we started moving off of AD. All of the Windows 10 is on Azure AD, not AD. Azure AD has no LAN dependency. We are looking at testing Linux Mint on Azure AD as that is now available and very exciting.
Look forward to reading. Will look more closely at Azure AD maybe instead of migrating our 2003 AD onto a 2012 machine.
-
Azure AD requires Windows 10. Because NTG stays up to date, we get big features sometimes decades ahead of other companies. Little things like allowing an old version of Windows to linger can have massive repercussions that are not well understood when companies evaluate cost and risk.