    Network Security - UTM

hobbit666

At the moment everything ISP/MPLS is controlled by them. We pay for a managed service; we don't have access to the routers at sites, they control them, they do the firewall bits etc. Yes, we could put extra Firewall/UTMs in to separate them from us, but this wasn't done as they said they could provide Web Filtering with the service; when they switched it on it failed and we were told it wouldn't work for us etc. lol
(Please remember this was all done before I arrived so it's what I got to work with)
scottalanmiller @hobbit666

@hobbit666 said:

    At the moment everything ISP/MPLS is controlled by them. We pay for a managed service; we don't have access to the routers at sites, they control them, they do the firewall bits etc. Yes, we could put extra Firewall/UTMs in to separate them from us, but this wasn't done as they said they could provide Web Filtering with the service; when they switched it on it failed and we were told it wouldn't work for us etc. lol
    (Please remember this was all done before I arrived so it's what I got to work with)

Okay, so the issue is paying for a service that hasn't been provided and not putting in the proper service when it wasn't provided.

Sounds simple: install the gateways and you are done. It's fine to use a managed gateway service, when it works, although you can see why I advise against that kind of thing. You don't want your ISP to control anything more than necessary, ever. It's a fundamentally bad idea. They own you; the ability to extort, even accidentally, is incredible. You want to keep your ISP relationship as lean as possible.
hobbit666

So would you recommend (or should it be like this anyway?) having the MPLS provided as is but moving the internet "Gateway/Breakout" to our control and a separate connection?
i.e. something like this:
[attached image: mpls basic.png]
So then the MPLS people are only providing the connection to the WAN network. Then we can drop in a UTM or whatever we need to control/monitor what's happening.
scottalanmiller @hobbit666

@hobbit666 said:

    So would you recommend (or should it be like this anyway?) having the MPLS provided as is but moving the internet "Gateway/Breakout" to our control and a separate connection?
    i.e. something like this:
    [attached image: mpls basic.png]
    So then the MPLS people are only providing the connection to the WAN network. Then we can drop in a UTM or whatever we need to control/monitor what's happening.

For very special cases, yes. But this is a huge investment into very old style "LAN" thinking. I would generally advise very much the opposite.
scottalanmiller

Things that I would typically advise, given the limited scope of knowledge that I have here...

• Avoid any investment into LAN style thinking.
• Remove the MPLS.
• Move to traditional direct Internet WAN links.
• Do no VPN.
• Lower costs and increase system performance.
• Only consider tight network control if truly necessary; normally it is a negative, not a positive. Only in less than normal circumstances does network control of end users result well. It carries high cost and often negative results.
• Any control or security should be done at the LAN edge of each site with no association between the sites.
hobbit666 @scottalanmiller

@scottalanmiller said:

    Things that I would typically advise, given the limited scope of knowledge that I have here...

    • Avoid any investment into LAN style thinking.
    • Remove the MPLS.
    • Move to traditional direct Internet WAN links.
    • Do no VPN.
    • Lower costs and increase system performance.
    • Only consider tight network control if truly necessary; normally it is a negative, not a positive. Only in less than normal circumstances does network control of end users result well. It carries high cost and often negative results.
    • Any control or security should be done at the LAN edge of each site with no association between the sites.

Thanks for all this Scott, amazing the knowledge that is being presented 🙂

When you say LAN style thinking, what are today's alternatives? Are you thinking Cloud type thinking or SaaS type thing?

Also, the move to Direct WAN links? Are you talking just normal Internet ISP connections or are you thinking more like "Ethernet" links?
hobbit666

Problem I have, and I will admit to it:

This is the largest company in terms of sites and technology I've been at. I've always in the past worked for smaller companies with a single site or just a handful where I used VPN Site to Site.
So my knowledge of larger scale WAN deployment is lacking, and knowledge of what's out there is too.
scottalanmiller @hobbit666

@hobbit666 said:

    When you say LAN style thinking, what are today's alternatives? Are you thinking Cloud type thinking or SaaS type thing?

SaaS thinking is a good way to put it. But I don't mean "third party SaaS" or "web" or other SaaS things that are not SaaS but people often assume.

In your case, at least for the time being, I'm thinking that your XenApp handles what you need. The XenApp removed any need for your sites to be linked together. XenApp is turning everything you have into SaaS already. Maybe in an old-fashioned way, but that is fine.
scottalanmiller @hobbit666

@hobbit666 said:

    Also, the move to Direct WAN links? Are you talking just normal Internet ISP connections or are you thinking more like "Ethernet" links?

I mean that your WAN link goes directly from "your router" to "the Internet". No more things like VPNs, MPLS, etc. There is no need for linking the sites together in a "tightly coupled" way.
hobbit666 @scottalanmiller

@scottalanmiller said:

    SaaS thinking is a good way to put it. But I don't mean "third party SaaS" or "web" or other SaaS things that are not SaaS but people often assume.

    In your case, at least for the time being, I'm thinking that your XenApp handles what you need. The XenApp removed any need for your sites to be linked together. XenApp is turning everything you have into SaaS already. Maybe in an old-fashioned way, but that is fine.

So basically make the Citrix Farm available through the internet? Problem is, at the moment it doesn't work correctly anyway lol (Yes, we have a few issues that have been covered over with big blankets lol). But we are planning on rebuilding the Citrix Farm over the next few months with the latest version, so this may be the way to go.
scottalanmiller @hobbit666

@hobbit666 said:

    So basically make the Citrix Farm available through the internet?

Correct.
scottalanmiller @hobbit666

@hobbit666 said:

    Problem is, at the moment it doesn't work correctly anyway lol

How is it being used, then?
Dashrender @hobbit666

@hobbit666 said:

    @scottalanmiller said:

        Because our gateway is the MPLS and they can't/won't. Hence the reason for looking.

    MPLS is not a gateway, it is a link. The gateway is where the MPLS connects to your network. The issue here is asking for the wrong product from the wrong people. The gateway is yours to control. You control the access to the MPLS. Put whatever security in that you need; don't look to duplicate the MPLS connectivity in a poor manner because the MPLS provider is not your gateway.

    See, this confuses me as they are providing internet access to all our sites including Head Office. It's only at 6 sites that the internet is through FTTC (BT).

Why are those 6 sites different, unless they aren't part of the MPLS?
hobbit666 @scottalanmiller

@scottalanmiller said:

    How is it being used, then?

It works but we can't modify any settings etc. It's a "it works so don't touch" case. lol
hobbit666 @Dashrender

@Dashrender said:

    Why are those 6 sites different, unless they aren't part of the MPLS?

Basically they have two connections: one is the "MPLS" that they use Citrix through, which will be on an old ADSL connection.
Then we would have upgraded an old CCTV line etc. to FTTC and now route "internet" traffic through that to keep the MPLS for Citrix only (these are mainly sites that are classed as offices, i.e. sales and admin people).
Dashrender @hobbit666

@hobbit666 said:

    @Dashrender said:

        Why are those 6 sites different, unless they aren't part of the MPLS?

    Basically they have two connections: one is the "MPLS" that they use Citrix through, which will be on an old ADSL connection.
    Then we would have upgraded an old CCTV line etc. to FTTC and now route "internet" traffic through that to keep the MPLS for Citrix only (these are mainly sites that are classed as offices, i.e. sales and admin people).

Was internet traffic so bad at those 6 sites that it caused an issue for the Citrix connection? If so, you could have solved it by putting in filtering on the MPLS device (but as you mentioned, it was controlled by the MPLS provider and they couldn't get it working).
scottalanmiller @Dashrender

@Dashrender said:

    @hobbit666 said:

        @Dashrender said:

            Why are those 6 sites different, unless they aren't part of the MPLS?

        Basically they have two connections: one is the "MPLS" that they use Citrix through, which will be on an old ADSL connection.
        Then we would have upgraded an old CCTV line etc. to FTTC and now route "internet" traffic through that to keep the MPLS for Citrix only (these are mainly sites that are classed as offices, i.e. sales and admin people).

    Was internet traffic so bad at those 6 sites that it caused an issue for the Citrix connection? If so, you could have solved it by putting in filtering on the MPLS device (but as you mentioned, it was controlled by the MPLS provider and they couldn't get it working).

Or just moving to WAN links. MPLS and other high cost, low quality options are generally the cause of those kinds of issues.
Dashrender

OK, you mentioned that MPLS is used for Citrix? What about network shares? Or Active Directory? Are you using any other services over that MPLS line? Including centralized DNS at the HO, etc.

If you go to Scott's no VPN SaaS solution, you will lose those features as well, unless you upgrade everyone to Windows 10 and move to Azure AD.
hobbit666 @Dashrender

@Dashrender said:

    @hobbit666 said:

        @Dashrender said:

            Why are those 6 sites different, unless they aren't part of the MPLS?

        Basically they have two connections: one is the "MPLS" that they use Citrix through, which will be on an old ADSL connection.
        Then we would have upgraded an old CCTV line etc. to FTTC and now route "internet" traffic through that to keep the MPLS for Citrix only (these are mainly sites that are classed as offices, i.e. sales and admin people).

    Was internet traffic so bad at those 6 sites that it caused an issue for the Citrix connection? If so, you could have solved it by putting in filtering on the MPLS device (but as you mentioned, it was controlled by the MPLS provider and they couldn't get it working).

Two things really: as these sites were on ADSL connections, doing things on the "internet" and doing work through the MPLS were making things slow. So now, with the internet on a separate connection, they can't moan the BBC website is slow lol
When I say ADSL I mean the lowest end of the scale, 1Mb if that at times. (We are based in Mid Wales so internet until recently was low priority for BT.)
hobbit666

Sorry, should have said: yes, we have AD as everything is joined to the main Domain. But we don't do network shares really, due to the speed of some of the links.

But open to migrating to Azure for AD services as we need to upgrade the server this year anyway.