Network Security - UTM
-
Because our gateway is the MPLS and they can't/won't. Hence the reason for looking.
MPLS is not a gateway, it is a link. The gateway is where the MPLS connects to your network. The issue here is asking for the wrong product from the wrong people. The gateway is yours to control. You control the access to the MPLS. Put whatever security in that you need, don't look to duplicate the MPLS connectivity in a poor manner because the MPLS provider is not your gateway.
-
@hobbit666 said:
We are but considering replacing the current provider so that would be gone
That's fine, if you have no need for MPLS, but MPLS is what enables what you want. Doing the same thing with VPNs would be very obnoxious. You'd be far better off with Facebook and YouTube on the network than doing that. It would be cutting off your nose to spite your face.
I'm all for moving away from expensive MPLS circuits, I rarely find that they make sense. But everything you are talking about designing around is based on MPLS, not VPN, utilization.
-
@hobbit666 said:
And yes the Sophos solution would be Hub and spoke
Which is slow and cumbersome. What services are delivered from the hub?
-
@scottalanmiller said:
Because our gateway is the MPLS and they can't/won't. Hence the reason for looking.
MPLS is not a gateway, it is a link. The gateway is where the MPLS connects to your network. The issue here is asking for the wrong product from the wrong people. The gateway is yours to control. You control the access to the MPLS. Put whatever security in that you need, don't look to duplicate the MPLS connectivity in a poor manner because the MPLS provider is not your gateway.
See this confuses me as they are providing internet access to all our sites including HeadOffice. it's only at 6 sites that the internet is through FTTC (BT)
-
@hobbit666 said:
Stop people from using facebook/youtube all day and block sites like Adult material. Also to make sure people aren't using things lie Bit Torrent etc.
Just put in a web filter then, don't look at UTM. UTM is the wrong technology. If you really need this stuff, you can handle it the "easy" way which is stopping people from accidentally doing things that you don't want by just redirecting DNS. If this is a security matter then really you need to ask HR why they are not making a policy against it but asking IT to do something and/or not enforcing the policy and making a mockery of their jobs.
If you must block content, then you use a web filter like Websense or Squid.
-
@hobbit666 said:
See this confuses me as they are providing internet access to all our sites including HeadOffice. it's only at 6 sites that the internet is through FTTC (BT)
Right, they are the ISP, not the gateway. Your gateway is where the ISP connects to your business.
Think of it like the road, the GATE is at the end of your driveway. You don't ask the local village to maintain your gate, you install a gate and maintain it yourself. It's the point where your personal road (driveway) meets the public one.
-
@scottalanmiller said:
@hobbit666 said:
And yes the Sophos solution would be Hub and spoke
Which is slow and cumbersome. What services are delivered from the hub?
It's where out Dynamics GP sits and all the sites access it via Citrix XenApp. That's all the MPLS is for mainly, then as I mentioned we get Internet access from it too.
-
@scottalanmiller said:
@hobbit666 said:
See this confuses me as they are providing internet access to all our sites including HeadOffice. it's only at 6 sites that the internet is through FTTC (BT)
Right, they are the ISP, not the gateway. Your gateway is where the ISP connects to your business.
Think of it like the road, the GATE is at the end of your driveway. You don't ask the local village to maintain your gate, you install a gate and maintain it yourself. It's the point where your personal road (driveway) meets the public one.
But where would our gate sit? In there datacentre (as we have asked and we can't)?
As no "internet" traffic passes through us at HO, so each store site when they go on internet it does through ISP/MPLS what ever you label it and out, we have no control.
-
@hobbit666 said:
It's where out Dynamics GP sits and all the sites access it via Citrix XenApp. That's all the MPLS is for mainly, then as I mentioned we get Internet access from it too.
I'm confused. The reason for having XenApp would be to not have MPLS (or VPN.) What function do the MPLS or VPN (Sophos) Red play, then, if you already have XenApp?
Or, to put it another way, it sounds like you've already designed a "LANless" infrastructure but are spending what is likely a fortune creating complexity of extending the LAN to many sites without benefit. The MPLS or the VPN would just be "in the way" making things work more poorly while costing more, right? What benefit to they potentially add?
-
@hobbit666 said:
But where would our gate sit? In there datacentre (as we have asked and we can't)?
Not "would it", but "does it." You must have a router connecting to your MPLS, right? You don't let the MPLS hand you Ethernet and you just plug it into your core switch and have the world open to your network, right?
What do you mean you can't have a gateway router in your datacenter? Even your home has one of these.
-
@hobbit666 said:
As no "internet" traffic passes through us at HO, so each store site when they go on internet it does through ISP/MPLS what ever you label it and out, we have no control.
Then each site has its own gateway. You always have control, that cannot be taken away. The ISP has zero say in that (they can't, it doesn't make sense from a networking perspective.)
It is physically possible for an ISP to provide gateway services for you, but never recommended. But they cannot ever take that capability away from you.
-
At the moment everything ISP/MPLS is controlled by them we pay for a managed service we don't have access to the routers at sites, they control them they do the firewall bits etc etc. Yes we could but extra Firewall/UTMs in to separate they from us but this wasn't done as they said they could provide Web Filtering with the service, when they switched it on it failed and was told it wouldn't work for us etc lol
(Please remember this was all done before I arrived so it's what I got to work with) -
@hobbit666 said:
At the moment everything ISP/MPLS is controlled by them we pay for a managed service we don't have access to the routers at sites, they control them they do the firewall bits etc etc. Yes we could but extra Firewall/UTMs in to separate they from us but this wasn't done as they said they could provide Web Filtering with the service, when they switched it on it failed and was told it wouldn't work for us etc lol
(Please remember this was all done before I arrived so it's what I got to work with)Okay, so the issue is paying for a service that hasn't been provided and not putting in the proper service when it wasn't provided.
Sounds simple, install the gateways and you are done. It's fine use a managed gateway service, when it works, although you can see why I advise against that kind of thing. You don't want your ISP to control anything more than necessary, ever. It's a fundamentally bad idea. They own you, the ability to extort, even accidentally, is incredible. You want to keep your ISP relationship as lean as possible.
-
So would you recommend (or should it be like this anyway?) having the MPLS provided as is but move the internet "Gateway/Breakout" to our control and separate connection.
i.e. something like this:--
So then the MPLS people are only providing the connection to the WAN network. Then we can drop in a UTM or what ever we need to control/monitor what happening. -
@hobbit666 said:
So would you recommend (or should it be like this anyway?) having the MPLS provided as is but move the internet "Gateway/Breakout" to our control and separate connection.
i.e. something like this:--
So then the MPLS people are only providing the connection to the WAN network. Then we can drop in a UTM or what ever we need to control/monitor what happening.For very special cases, yes. But this is a huge investment into very old style "LAN" thinking. I would generally advice very much the opposite.
-
Things that I would typically advise, given the limited scope of knowledge that I have here...
- Avoid any investment into LAN style thinking.
- Remove the MPLS
- Move to traditional direct Internet WAN links.
- Do no VPN
- Lower costs and increase system performance
- Only consider tight network control if truly necessary, normally it is a negative, not a positive. Only in less than normal circumstances does network control of end users result well. It carries high cost and often negative results.
- Any control or security should be done at the LAN edge of each site with no association between the sites.
-
@scottalanmiller said:
Things that I would typically advise, given the limited scope of knowledge that I have here...
- Avoid any investment into LAN style thinking.
- Remove the MPLS
- Move to traditional direct Internet WAN links.
- Do no VPN
- Lower costs and increase system performance
- Only consider tight network control if truly necessary, normally it is a negative, not a positive. Only in less than normal circumstances does network control of end users result well. It carries high cost and often negative results.
- Any control or security should be done at the LAN edge of each site with no association between the sites.
Thanks for all this Scott, amazing the knowledge that is being presented
When you say LAN style thinking what's todays alternatives? are you thinking Cloud type thinking or SSaS type thing?
Also the move to Direct WAN links? are you talking just normal Internet ISP connections or you thinking more link "Ethernet" links?
-
Problem I have and I will admit to it
This is the largest company in terms of sites and technology I've been at. I've always in the past worked for smaller company's with a single site or just a hand full where I used VPN Site to Site.
So I knowledge in larger scale WAN deployment is lacking and knowledge of what's out there is too. -
@hobbit666 said:
When you say LAN style thinking what's todays alternatives? are you thinking Cloud type thinking or SSaS type thing?
SaaS thinking is a good way to put it. But I don't mean "third party SaaS" or "web" or other SaaS things that are not SaaS but people often assume.
In your case, at least for the time being, I'm thinking that your XenApp handles what you need. The XenApp removed any need for your sites to be linked together. XenApp is turning everything you have into SaaS already, Maybe in an old fashioned way, but that is fine.
-
@hobbit666 said:
Also the move to Direct WAN links? are you talking just normal Internet ISP connections or you thinking more link "Ethernet" links?
I mean that your WAN link goes directly from "your router" to "the Internet". No more things like VPNs, MPLS, etc. There is no need for linking the sites together in a "tightly coupled" way.