Network Security - UTM
-
@Breffni-Potter said:
@hobbit666 said:
@Breffni-Potter said:
@hobbit666 Did someone say PCI? Hold everything!
What level of PCI compliance are you working towards? Or has the goal not been set yet?
No idea, it's a "buzz" word I've been hearing from meetings that I've not been attending. Most coming from the Credit Control dept and our CRM person.
@hobbit666 It's not a buzz word. - You need to get clarity on what they are trying to do and help them achieve it.
You could very easily find yourself with an auditor breathing down your neck with a system design that is non compliant.
So the first question, are they going for self assessment? Which means far more relaxed requirements.
Yeah, I think the people in charge looking into PCI and other aspects of data protection etc. are trying to get to grips with where we lie with them in terms of what we need to be compliant.
e.g. we don't store credit card details anywhere on our equipment. But we do have personal information and credit details as we deal with accounts for people purchasing goods. But we are also moving into the world of lending people money to get farms stocked and running.
-
@hobbit666 said:
If we take the Citrix for example and I want to "publish" to all the sites via the internet. Wouldn't I need something to "secure" the inbound/outbound traffic to prevent it being a point for hackers?
Citrix is designed for example that exposure. Like a secure website, it is already secured. While securing it "again" does make it more secure, you don't normally make people use a VPN before going to a website, right?
-
@Breffni-Potter said:
@hobbit666 It's not a buzz word.
In IT it is. People don't know how to do it, what it is for, when it is needed but throw the term about like cloud, SAN and other things that they don't understand.
As someone who has to come along after fake PCI auditors and deal with the networks that they expose and unsecure, I assure you to both the majority of IT firms and nearly all businesses, it is nothing but a buzz word.
-
@scottalanmiller said:
@hobbit666 said:
If we take the Citrix for example and I want to "publish" to all the sites via the internet. Wouldn't I need something to "secure" the inbound/outbound traffic to prevent it being a point for hackers?
Citrix is designed for example that exposure. Like a secure website, it is already secured. While securing it "again" does make it more secure, you don't normally make people use a VPN before going to a website, right?
So in essence choosing the right Core/Edge/In the middle equipment for the network at that location will go a long way in getting rid of the "old" LAN/WAN thinking and move to an enterprise model?
-
@hobbit666 said:
So in essence choosing the right Core/Edge/In the middle equipment for the network at that location will go a long way in getting rid of the "old" LAN/WAN thinking and move to an enterprise model?
Well it would encourage it less. But spending a fortune on things like a UTM encourage people to think in a LAN way because of where the money goes, because it makes them feel like the LAN is safe when it is only nominally safer at best, etc.
And don't think of it as LAN vs. Enterprise. It's legacy (LAN) vs. future (LANless). Not about size.
-
@scottalanmiller said:
As someone who has to come along after fake PCI auditors and deal with the networks that they expose and unsecure
Which is why when you have a chance to get ahead of the problem, you should take it rather than shrug and go "Ah, that department is thinking about that" or "I'll let the nice outside company sell us what we need".
-
@scottalanmiller said:
And don't think of it as LAN vs. Enterprise. It's legacy (LAN) vs. future (LANless). Not about size.
Do you have any links/tips/guides for designing a Site with Future LANless in mind?
-
@hobbit666 said:
@scottalanmiller said:
And don't think of it as LAN vs. Enterprise. It's legacy (LAN) vs. future (LANless). Not about size.
Do you have any links/tips/guides for designing a Site with Future LANless in mind?
The biggest thing to change, IMHO, is your thinking around "network dependencies." Whenever you design something new, make a change or consider how things work and tie together... how do you think about your dependencies?
For NTG, for years, we have had people working outside of the core offices. We were always thinking... how will I get their phones to work or how will they authenticate or how will they reach this application. At first the answer was often "we will deploy a hardware firewall with VPN capabilities to their home for them" but this was limiting and only partially solved problems. Eventually we moved towards a LANless design. With zero concept of a LAN, things change very quickly. How you think about computers that you work on changes completely.
A few things that we did over the years that really made us reevaluate how we thought about our LAN:
- Unpredictable, mobile workers who need full functionality no matter where they are.
- Not wanting to be tied to a single OS if possible.
- Not hosting services in house, colo is hard, cloud is harder, multiple clouds is nearly impossible without being LANless.
- Don't consider the LAN as safe, assume it can be, will be and likely is compromised. Consider the LAN just a faster WAN... secure it when you can, but never assume it is secure.
-
@scottalanmiller said:
The biggest thing to change, IMHO, is your thinking around "network dependencies." Whenever you design something new, make a change or consider how things work and tie together... how do you think about your dependencies?
God, that sounds painful.
-
It takes rather a bit of a change of thinking, that is true. But really, once you do it, life gets much easier.
Suddenly that one guy working remotely becomes... just like everyone else. That unexpected new office or change in company direction... you are prepared for that. The LAN model is very limiting and makes all kinds of things really hard.
Think about everything you have going on with MPLS, VPNs, authentication... all of that goes away.
-
@scottalanmiller said:
It takes rather a bit of a change of thinking, that is true. But really, once you do it, life gets much easier.
Suddenly that one guy working remotely becomes... just like everyone else. That unexpected new office or change in company direction... you are prepared for that. The LAN model is very limiting and makes all kinds of things really hard.
Think about everything you have going on with MPLS, VPNs, authentication... all of that goes away.
So in this LANless thinking how do NTG handle AD? Or don't you have Active Directory anymore? Or Authentication in general?
-
@hobbit666 said:
So in this LANless thinking how do NTG handle AD? Or don't you have Active Directory anymore? Or Authentication in general?
I need to write a paper on NTG's journey.
NTG no longer has AD. We have a mixed environment of Windows, Mac and Linux Mint. The Windows was 100% Windows 10 before we started moving off of AD. All of the Windows 10 is on Azure AD, not AD. Azure AD has no LAN dependency. We are looking at testing Linux Mint on Azure AD as that is now available and very exciting.
-
@scottalanmiller said:
@hobbit666 said:
So in this LANless thinking how do NTG handle AD? Or don't you have Active Directory anymore? Or Authentication in general?
I need to write a paper on NTG's journey.
NTG no longer has AD. We have a mixed environment of Windows, Mac and Linux Mint. The Windows was 100% Windows 10 before we started moving off of AD. All of the Windows 10 is on Azure AD, not AD. Azure AD has no LAN dependency. We are looking at testing Linux Mint on Azure AD as that is now available and very exciting.
Look forward to reading. Will look more closely at Azure AD maybe instead of migrating our 2003 AD onto a 2012 machine.
-
Azure AD requires Windows 10. Because NTG stays up to date, we get big features sometimes decades ahead of other companies. Little things like allowing an old version of Windows to linger can have massive repercussions that are not well understood when companies evaluate cost and risk.
-
@scottalanmiller said:
Azure AD requires Windows 10. Because NTG stays up to date, we get big features sometimes decades ahead of other companies. Little things like allowing an old version of Windows to linger can have massive repercussions that are not well understood when companies evaluate cost and risk.
Hence the Fog project, also looking at visiting all sites over the next few months to do refresh and tidy up. So maybe Windows 10 could be included.
-
@hobbit666 said:
Look forward to reading. Will look more closely at Azure AD maybe instead of migrating our 2003 AD onto a 2012 machine.
@scottalanmiller Do you know if Azure Sync works with 2003? If not, and you don't want to have to manually recreate all of the users in Azure, you would have to upgrade your AD anyway.
-
@Dashrender said:
@hobbit666 said:
Look forward to reading. Will look more closely at Azure AD maybe instead of migrating our 2003 AD onto a 2012 machine.
@scottalanmiller Do you know if Azure Sync works with 2003? If not, and you don't want to have to manually recreate all of the users in Azure, you would have to upgrade your AD anyway.
I definitely do not know. My guess is that it does not. I would guess, but am purely guessing, that 2008 and newer will work. We did it with 2012 R2. Obviously that works.
If you have more than a handful of users and do not already have Office 365 then one option is to do a temporary update to 2012 R2, sync and then drop 2012 R2.
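Before deciding between a temporary 2012 R2 bridge and recreating accounts by hand, it helps to know exactly what the existing forest looks like. The following is an added example, not code from the thread or from NTG: a read-only PowerShell inventory, run from any machine with the ActiveDirectory RSAT module, that reports the forest and domain functional levels, lists every domain controller with its OS, and counts the enabled users that would need to be synced. The minimum functional levels are parameters; the defaults of Windows2003Forest/Windows2003Domain are what I understand the Azure AD Connect prerequisites to list and are an assumption to check against the current Microsoft documentation, which is why the script prints the raw values rather than giving a yes/no verdict on its own.

```powershell
# Added example: inventory an on-premises AD before planning a sync to Azure AD.
# Read-only; needs the ActiveDirectory module (RSAT) and a domain account with read access.
# The minimum levels below are an ASSUMPTION about Azure AD Connect's prerequisites;
# confirm them against current Microsoft documentation before relying on the result.
param(
    [string]$MinForestMode = 'Windows2003Forest',
    [string]$MinDomainMode = 'Windows2003Domain'
)

Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Every DC in the domain, with the OS it runs; pre-2008 DCs are the ones the thread is asking about.
$dcs = Get-ADDomainController -Filter * |
    Select-Object Name, Site, OperatingSystem, OperatingSystemVersion, IsGlobalCatalog

# Only enabled accounts are worth syncing; this is the "handful of users" number.
$enabledUsers = @(Get-ADUser -Filter { Enabled -eq $true }).Count

# The functional-level enums are ordered from Windows 2000 upward, so casting to [int]
# gives a comparison that does not depend on string matching of version names.
$forestOk = [int]$forest.ForestMode -ge [int][Microsoft.ActiveDirectory.Management.ADForestMode]$MinForestMode
$domainOk = [int]$domain.DomainMode -ge [int][Microsoft.ActiveDirectory.Management.ADDomainMode]$MinDomainMode

# DCs still on Windows Server 2000/2003 would have to be replaced or raised before a sync tool
# that depends on newer levels could be introduced.
$legacyDcs = $dcs | Where-Object { $_.OperatingSystem -match 'Server 200[03]' }

"Forest  : $($forest.Name)   functional level: $($forest.ForestMode)   meets minimum ($MinForestMode): $forestOk"
"Domain  : $($domain.DNSRoot)   functional level: $($domain.DomainMode)   meets minimum ($MinDomainMode): $domainOk"
"Enabled users to sync: $enabledUsers"
""
"Domain controllers:"
$dcs | Format-Table -AutoSize

if ($legacyDcs) {
    "Domain controllers on Windows Server 2000/2003 (upgrade or decommission before syncing):"
    $legacyDcs | Format-Table Name, OperatingSystem -AutoSize
} else {
    "No Windows Server 2000/2003 domain controllers found."
}
```

Run it as `.\Inventory-ADForSync.ps1` (the file name is my choice) or pass `-MinForestMode Windows2008Forest` to test a stricter assumption. Because it only reads from AD, it is safe to run against the live 2003 domain before any 2012 R2 machine is joined, and its output is what you would want in front of you when weighing the temporary-licence cost mentioned above against the size of the user list.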
-
@scottalanmiller said:
@Dashrender said:
@hobbit666 said:
Look forward to reading. Will look more closely at Azure AD maybe instead of migrating our 2003 AD onto a 2012 machine.
@scottalanmiller Do you know if Azure Sync works with 2003? If not, and you don't want to have to manually recreate all of the users in Azure, you would have to upgrade your AD anyway.
I definitely do not know. My guess is that it does not. I would guess, but am purely guessing, that 2008 and newer will work. We did it with 2012 R2. Obviously that works.
If you have more than a handful of users and do not already have Office 365 then one option is to do a temporary update to 2012 R2, sync and then drop 2012 R2.
Yeah, but if you don't already have a license, that's not a cheap solution either. Choices, choices.
-
@GregoryHall or @PSX_Defector probably know the answer to this one. It might be as simple as "2003 works."
-
We do have all our users being synced to Office365 at the moment with the sync tool, would that work?