
    Network Security - UTM

    IT Discussion
    123 Posts 6 Posters 30.5k Views
    • scottalanmiller @hobbit666

      @hobbit666 said:

      So basically make the Citrix Farm available through the internet?
      Correct.

      • scottalanmiller @hobbit666

        @hobbit666 said:

        Problem is at the moment it doesn't work correctly anyway lol
        How is it being used, then?

        • Dashrender @hobbit666

          @hobbit666 said:

          @scottalanmiller said:

          Because our gateway is the MPLS and they can't/won't. Hence the reason for looking.

          MPLS is not a gateway, it is a link. The gateway is where the MPLS connects to your network. The issue here is asking for the wrong product from the wrong people. The gateway is yours to control. You control the access to the MPLS. Put whatever security in that you need, don't look to duplicate the MPLS connectivity in a poor manner because the MPLS provider is not your gateway.

          See, this confuses me, as they are providing internet access to all our sites including Head Office. It's only at 6 sites that the internet is through FTTC (BT)

          Why are those 6 sites different, unless they aren't part of the MPLS?

          • hobbit666 @scottalanmiller

            @scottalanmiller said:

            How is it being used, then?

            It works but we can't modify any settings etc. It's an "it works so don't touch" case. lol

            • hobbit666 @Dashrender

              @Dashrender said:

              Why are those 6 sites different, unless they aren't part of the MPLS?

              Basically they have two connections: one is the "MPLS" that they use Citrix through, which will be on an old ADSL connection.
              Then we would have upgraded an old CCTV line etc. to FTTC and now route "internet" traffic through that to keep the MPLS for Citrix only (these are mainly sites that are classed as offices, i.e. sales and admin people)

              • Dashrender @hobbit666

                @hobbit666 said:

                @Dashrender said:

                Why are those 6 sites different, unless they aren't part of the MPLS?

                Basically they have two connections: one is the "MPLS" that they use Citrix through, which will be on an old ADSL connection.
                Then we would have upgraded an old CCTV line etc. to FTTC and now route "internet" traffic through that to keep the MPLS for Citrix only (these are mainly sites that are classed as offices, i.e. sales and admin people)

                Was internet traffic so bad at those 6 sites that it caused an issue for the Citrix connection? If so, you could have solved it by putting in filtering on the MPLS device (but as you mentioned it was controlled by the MPLS provider and they couldn't get it working).

                • scottalanmiller @Dashrender

                  @Dashrender said:

                  @hobbit666 said:

                  @Dashrender said:

                  Why are those 6 sites different, unless they aren't part of the MPLS?

                  Basically they have two connections: one is the "MPLS" that they use Citrix through, which will be on an old ADSL connection.
                  Then we would have upgraded an old CCTV line etc. to FTTC and now route "internet" traffic through that to keep the MPLS for Citrix only (these are mainly sites that are classed as offices, i.e. sales and admin people)

                  Was internet traffic so bad at those 6 sites that it caused an issue for the Citrix connection? If so, you could have solved it by putting in filtering on the MPLS device (but as you mentioned it was controlled by the MPLS provider and they couldn't get it working).

                  Or just moving to WAN links. MPLS and other high cost, low quality options are generally the cause of those kinds of issues.

                  • Dashrender

                    OK, you mentioned that MPLS is used for Citrix? What about network shares? Or Active Directory? Are you using any other services over that MPLS line? Including centralized DNS at the HO, etc.

                    If you go to Scott's no VPN SaaS solution, you will lose those features as well, unless you upgrade everyone to Windows 10 and move to Azure AD.

                    • hobbit666 @Dashrender

                      @Dashrender said:

                      @hobbit666 said:

                      @Dashrender said:

                      Why are those 6 sites different, unless they aren't part of the MPLS?

                      Basically they have two connections: one is the "MPLS" that they use Citrix through, which will be on an old ADSL connection.
                      Then we would have upgraded an old CCTV line etc. to FTTC and now route "internet" traffic through that to keep the MPLS for Citrix only (these are mainly sites that are classed as offices, i.e. sales and admin people)

                      Was internet traffic so bad at those 6 sites that it caused an issue for the Citrix connection? If so, you could have solved it by putting in filtering on the MPLS device (but as you mentioned it was controlled by the MPLS provider and they couldn't get it working).

                      Two things really, as these sites were on ADSL connections doing things on the "internet" and doing work through the MPLS are making things slow. So now with the internet on a separate connection they can't moan BBC website is slow lol
                      When I say ADSL I mean the lowest end of the scale 1Mb if that at times. (We are based in Mid Wales so internet until recently was low priority for BT)

                      • hobbit666

                        Sorry, should have said: yes, we have AD, as everything is joined to the main Domain. But don't do network shares really due to the speed of some of the links.

                        But open to migrating to Azure for AD services as we need to upgrade the server this year anyway.

                        • scottalanmiller @Dashrender

                          @Dashrender said:

                          If you go to Scott's no VPN SaaS solution, you will lose those features as well, unless you upgrade everyone to Windows 10 and move to Azure AD.

                          That's why I asked what was running over it.

                          • Dashrender

                            Scott - What is your proposal for managing widely dispersed Windows machines when not using AD? Let's assume that we don't want the end user to have local admin rights - what kind of MDM like solution would you recommend?

                            Of course we don't know if @hobbit666 uses AD today, but assuming he does, how does he resolve that?

                            Of course things like file shares can be handled by ownCloud or SharePoint, or even something like Dropbox.

                            • scottalanmiller @Dashrender

                              @Dashrender said:

                              Scott - What is your proposal for managing widely dispersed Windows machines when not using AD? Let's assume that we don't want the end user to have local admin rights - what kind of MDM like solution would you recommend?

                              Some places even go to just using a local admin account tracked by the central IT office. Not ideal, but it works. As an MSP, we see this all the time because lots of SMBs won't pay for AD.

                              • Dashrender @hobbit666

                                @hobbit666 said:

                                @Dashrender said:

                                @hobbit666 said:

                                @Dashrender said:

                                Why are those 6 sites different, unless they aren't part of the MPLS?

                                Basically they have two connections: one is the "MPLS" that they use Citrix through, which will be on an old ADSL connection.
                                Then we would have upgraded an old CCTV line etc. to FTTC and now route "internet" traffic through that to keep the MPLS for Citrix only (these are mainly sites that are classed as offices, i.e. sales and admin people)

                                Was internet traffic so bad at those 6 sites that it caused an issue for the Citrix connection? If so, you could have solved it by putting in filtering on the MPLS device (but as you mentioned it was controlled by the MPLS provider and they couldn't get it working).

                                Two things really, as these sites were on ADSL connections doing things on the "internet" and doing work through the MPLS are making things slow. So now with the internet on a separate connection they can't moan BBC website is slow lol
                                When I say ADSL I mean the lowest end of the scale 1Mb if that at times. (We are based in Mid Wales so internet until recently was low priority for BT)

                                LOL - is it your job to worry about them moaning that BBC site is slow? Is that important to the business? Sounds like an HR problem to me. But - if it is a requirement of the business for it to work, and work well, well that is your problem, and it sounds like you already solved that with the FTTC.

                                • hobbit666 @Dashrender

                                  @Dashrender said:

                                  @hobbit666 said:

                                  @Dashrender said:

                                  @hobbit666 said:

                                  @Dashrender said:

                                  Why are those 6 sites different, unless they aren't part of the MPLS?

                                  Basically they have two connections: one is the "MPLS" that they use Citrix through, which will be on an old ADSL connection.
                                  Then we would have upgraded an old CCTV line etc. to FTTC and now route "internet" traffic through that to keep the MPLS for Citrix only (these are mainly sites that are classed as offices, i.e. sales and admin people)

                                  Was internet traffic so bad at those 6 sites that it caused an issue for the Citrix connection? If so, you could have solved it by putting in filtering on the MPLS device (but as you mentioned it was controlled by the MPLS provider and they couldn't get it working).

                                  Two things really, as these sites were on ADSL connections doing things on the "internet" and doing work through the MPLS are making things slow. So now with the internet on a separate connection they can't moan BBC website is slow lol
                                  When I say ADSL I mean the lowest end of the scale 1Mb if that at times. (We are based in Mid Wales so internet until recently was low priority for BT)

                                  LOL - is it your job to worry about them moaning that BBC site is slow? Is that important to the business? Sounds like an HR problem to me. But - if it is a requirement of the business for it to work, and work well, well that is your problem, and it sounds like you already solved that with the FTTC.

                                  Yes, as it's got a plug on the end of the router it's down to us, and "internet" is an IT term, so yes, the connection being slow is our fault too 😄

                                  But kind of why I started this thread is those 6 sites; as I see them, they are security risks as we only have a basic router on them, and why I asked: if UTMs are not the way to go, what is?

                                  • scottalanmiller @hobbit666

                                    @hobbit666 said:

                                    But kind of why I started this thread is those 6 sites; as I see them, they are security risks as we only have a basic router on them, and why I asked: if UTMs are not the way to go, what is?

                                    Why does a basic router make them a security risk? As long as it isn't a Linksys, you are roughly the same as any Fortune 500.

                                    • hobbit666 @scottalanmiller

                                      @scottalanmiller said:

                                      @hobbit666 said:

                                      But kind of why I started this thread is those 6 sites; as I see them, they are security risks as we only have a basic router on them, and why I asked: if UTMs are not the way to go, what is?

                                      Why does a basic router make them a security risk? As long as it isn't a Linksys, you are roughly the same as any Fortune 500.

                                      I don't know, are they? From the adverts you see on Spiceworks/Facebook/Anywhere a UTM is the best thing to stop hackers getting into your company and stealing your data (like some high profile cases on the news lately). So would you say people don't need UTM devices at all? So where do they fit?

                                      • coliver @hobbit666

                                        @hobbit666 said:

                                        @scottalanmiller said:

                                        @hobbit666 said:

                                        But kind of why I started this thread is those 6 sites; as I see them, they are security risks as we only have a basic router on them, and why I asked: if UTMs are not the way to go, what is?

                                        Why does a basic router make them a security risk? As long as it isn't a Linksys, you are roughly the same as any Fortune 500.

                                        I don't know, are they? From the adverts you see on Spiceworks/Facebook/Anywhere a UTM is the best thing to stop hackers getting into your company and stealing your data (like some high profile cases on the news lately). So would you say people don't need UTM devices at all? So where do they fit?

                                        I would take Spiceworks ads with a grain of salt. They are a marketing company not an IT company.

                                        • hobbit666 @coliver

                                          @coliver said:

                                          @hobbit666 said:

                                          @scottalanmiller said:

                                          @hobbit666 said:

                                          But kind of why I started this thread is those 6 sites; as I see them, they are security risks as we only have a basic router on them, and why I asked: if UTMs are not the way to go, what is?

                                          Why does a basic router make them a security risk? As long as it isn't a Linksys, you are roughly the same as any Fortune 500.

                                          I don't know, are they? From the adverts you see on Spiceworks/Facebook/Anywhere a UTM is the best thing to stop hackers getting into your company and stealing your data (like some high profile cases on the news lately). So would you say people don't need UTM devices at all? So where do they fit?

                                          I would take Spiceworks ads with a grain of salt. They are a marketing company not an IT company.

                                          I know it was more a generalisation of UTMs being marketed as a "must have" device to secure your network from threats.

                                          • Dashrender @hobbit666

                                            @hobbit666 said:

                                            @scottalanmiller said:

                                            @hobbit666 said:

                                            But kind of why I started this thread is those 6 sites; as I see them, they are security risks as we only have a basic router on them, and why I asked: if UTMs are not the way to go, what is?

                                            Why does a basic router make them a security risk? As long as it isn't a Linksys, you are roughly the same as any Fortune 500.

                                            I don't know, are they? From the adverts you see on Spiceworks/Facebook/Anywhere a UTM is the best thing to stop hackers getting into your company and stealing your data (like some high profile cases on the news lately). So would you say people don't need UTM devices at all? So where do they fit?

                                            It totally depends on what your goals are.

                                            Personally, from a business perspective, filtering web access seems like a wise thing to do to shrink the exposure your network has to the internet (i.e. you don't want users going anywhere and everywhere online).

                                            I know this seems draconian, but do people really need internet access at work if their job doesn't require its use?

                                            Do people really need to be connected to FB, Twitter, etc. while doing a job that does not include those things?

                                            Scott talks about the 98% getting in the way of the 2%, well allowing access to those types of things just seems to contribute to that.
