
    Thoughts on how I could improve my network security?

    Scheduled Pinned Locked Moved IT Discussion
    187 Posts 13 Posters 31.3k Views
    • DashrenderD
      Dashrender @beta
      last edited by

      @beta said in Thoughts on how I could improve my network security?:

      I didn't want to start a whole new thread, so thought I would ask here: what are your password policies looking like nowadays in regards to length, complexity, change frequency, etc.?

      If it were up to my docs - it would be zero length, zero complexity, and zero change frequency. lol - OK I'm kidding I think they would seriously want 8 or less with no other requirements.

      Personally I think we should be at 12+ characters with no other restrictions.

      • KellyK
        Kelly @IRJ
        last edited by

        @irj said in Thoughts on how I could improve my network security?:

        @beta said in Thoughts on how I could improve my network security?:

        I didn't want to start a whole new thread, so thought I would ask here: what are your password policies looking like nowadays in regards to length, complexity, change frequency, etc.?

        The best thing to do is to pick a standard to follow such as NIST. Then use those guidelines to create your policies throughout your network.

        https://pages.nist.gov/800-63-3/

        What is fun is that the government doesn't follow the NIST guidelines. Drives me nuts.

        • IRJI
          IRJ @Kelly
          last edited by

          @kelly said in Thoughts on how I could improve my network security?:

          @irj said in Thoughts on how I could improve my network security?:

          @beta said in Thoughts on how I could improve my network security?:

          I didn't want to start a whole new thread, so thought I would ask here: what are your password policies looking like nowadays in regards to length, complexity, change frequency, etc.?

          The best thing to do is to pick a standard to follow such as NIST. Then use those guidelines to create your policies throughout your network.

          https://pages.nist.gov/800-63-3/

          What is fun is that the government doesn't follow the NIST guidelines. Drives me nuts.

          What Framework do you follow?

          • KellyK
            Kelly @IRJ
            last edited by

            @irj said in Thoughts on how I could improve my network security?:

            @kelly said in Thoughts on how I could improve my network security?:

            @irj said in Thoughts on how I could improve my network security?:

            @beta said in Thoughts on how I could improve my network security?:

            I didn't want to start a whole new thread, so thought I would ask here: what are your password policies looking like nowadays in regards to length, complexity, change frequency, etc.?

            The best thing to do is to pick a standard to follow such as NIST. Then use those guidelines to create your policies throughout your network.

            https://pages.nist.gov/800-63-3/

            What is fun is that the government doesn't follow the NIST guidelines. Drives me nuts.

            What Framework do you follow?

            For passwords we have to follow various sets of guidance that are built on the password concepts of last decade, i.e. complexity is the greatest guarantor of security.

            • JaredBuschJ
              JaredBusch
              last edited by

              I just changed the policy at one client to be a minimum of 14 characters with no complexity and a 1 year change cycle.

              I chose 14 as a minimum because that is the largest GPO would let me set it on a Server 2008 R2 based domain.

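As an added example (not code from the thread, nor from NIST's own publication), here is a Python checker that applies the SP 800-63B memorized-secret rules the NIST link above points to, using the 14-character minimum and one-year change ceiling JaredBusch describes as its parameters. The blocklist and the `jdoe` account name are constructed sample values; a real deployment would screen against a full breached-password corpus.

```python
import unicodedata
from typing import List

# Constructed stand-in for a breached/common-password list. NIST SP 800-63B
# requires screening against such a list instead of enforcing complexity rules.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein",
    "welcome", "iloveyou", "admin", "summer2017", "changeme",
}

MIN_LENGTH = 14   # the minimum chosen in the thread; NIST's own floor is 8
MAX_LENGTH = 64   # NIST requires accepting at least 64 characters


def normalize(secret: str) -> str:
    """NFKC-normalize before comparing or hashing, as 800-63B recommends."""
    return unicodedata.normalize("NFKC", secret)


def _is_trivial_sequence(s: str) -> bool:
    """True for one repeated character (aaaa...) or a run like abcd.../4321..."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(steps) == 1 and steps.pop() in (-1, 0, 1)


def check_password(secret: str, username: str = "",
                   min_length: int = MIN_LENGTH) -> List[str]:
    """Return the reasons a password is rejected; an empty list means accepted.

    Deliberately absent: any requirement for digits, symbols or mixed case.
    Spaces and non-ASCII characters are allowed, so passphrases work.
    """
    s = normalize(secret)
    reasons = []
    if len(s) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if len(s) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    lowered = s.lower()
    if lowered in COMMON_PASSWORDS:
        reasons.append("appears on the common-password list")
    if len(username) >= 3 and username.lower() in lowered:
        reasons.append("contains the account name")
    if _is_trivial_sequence(lowered):
        reasons.append("is a repeated character or simple sequence")
    return reasons


def needs_rotation(days_since_change: int, compromised: bool = False,
                   max_age_days: int = 365) -> bool:
    """NIST says not to expire passwords on a schedule, only on compromise.
    The one-year ceiling from the thread is kept for policies that still
    demand some maximum age."""
    return compromised or days_since_change >= max_age_days


if __name__ == "__main__":
    for pw in ["Tr0ub4dor&3", "correct horse battery staple", "password"]:
        print(repr(pw), "->", check_password(pw) or "accepted")
```

Note that `Tr0ub4dor&3` passes every classic complexity rule yet fails here purely on length, while the plain passphrase is accepted.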
              • B
                beta @JaredBusch
                last edited by

                @jaredbusch said in Thoughts on how I could improve my network security?:

                I just changed the policy at one client to be a minimum of 14 characters with no complexity and a 1 year change cycle.

                I chose 14 as a minimum because that is the largest GPO would let me set it on a Server 2008 R2 based domain.

                What would you have set it to if you weren't limited by 2008?

                • scottalanmillerS
                  scottalanmiller @beta
                  last edited by

                  @beta said in Thoughts on how I could improve my network security?:

                  @jaredbusch said in Thoughts on how I could improve my network security?:

                  I just changed the policy at one client to be a minimum of 14 characters with no complexity and a 1 year change cycle.

                  I chose 14 as a minimum because that is the largest GPO would let me set it on a Server 2008 R2 based domain.

                  What would you have set it to if you weren't limited by 2008?

                  I like 20.

                  • JaredBuschJ
                    JaredBusch @scottalanmiller
                    last edited by

                    @scottalanmiller said in Thoughts on how I could improve my network security?:

                    @beta said in Thoughts on how I could improve my network security?:

                    @jaredbusch said in Thoughts on how I could improve my network security?:

                    I just changed the policy at one client to be a minimum of 14 characters with no complexity and a 1 year change cycle.

                    I chose 14 as a minimum because that is the largest GPO would let me set it on a Server 2008 R2 based domain.

                    What would you have set it to if you weren't limited by 2008?

                    I like 20.

                    I was going to set it to 16.

                    • scottalanmillerS
                      scottalanmiller @Kelly
                      last edited by

                      @kelly said in Thoughts on how I could improve my network security?:

                      @irj said in Thoughts on how I could improve my network security?:

                      @kelly said in Thoughts on how I could improve my network security?:

                      @irj said in Thoughts on how I could improve my network security?:

                      @beta said in Thoughts on how I could improve my network security?:

                      I didn't want to start a whole new thread, so thought I would ask here: what are your password policies looking like nowadays in regards to length, complexity, change frequency, etc.?

                      The best thing to do is to pick a standard to follow such as NIST. Then use those guidelines to create your policies throughout your network.

                      https://pages.nist.gov/800-63-3/

                      What is fun is that the government doesn't follow the NIST guidelines. Drives me nuts.

                      What Framework do you follow?

                      For passwords we have to follow various sets of guidance that are built on the password concepts of last decade, i.e. complexity is the greatest guarantor of security.

                      Those were known to be wrong in the last decade. That's not old knowledge, it's just universally insecure.

                      • JaredBuschJ
                        JaredBusch @beta
                        last edited by JaredBusch

                        @beta said in Thoughts on how I could improve my network security?:

                        @jaredbusch said in Thoughts on how I could improve my network security?:

                        I just changed the policy at one client to be a minimum of 14 characters with no complexity and a 1 year change cycle.

                        I chose 14 as a minimum because that is the largest GPO would let me set it on a Server 2008 R2 based domain.

                        What would you have set it to if you weren't limited by 2008?

                        2008 R2 not 2008. There is a difference.

                        Related note: I will migrate their domain level to 2012 R2 in late 2018 or 2019 when they move Exchange off premise and can get rid of the rest of their 2008 R2 instances and thus their oldest servers will be 2012 R2 at that time.

                        • B
                          beta @JaredBusch
                          last edited by

                          @jaredbusch said in Thoughts on how I could improve my network security?:

                          I would do something along this line:

Get good basic firewalls with nice rules set up.

Set up Strongarm.io or Cisco Umbrella; I would choose the former. This would handle security via DNS as well as content filtering by DNS if you so choose.

Get a good log monitoring system like Arctic Wolf or AlienVault to alert you to anything abnormal.

Have you used Arctic Wolf or AlienVault? How'd you like them?

                          • Reid CooperR
                            Reid Cooper
                            last edited by

                            AlienVault has a lot of fans. Seems to be the popular choice.

                            • dave247D
                              dave247 @scottalanmiller
                              last edited by

                              @scottalanmiller said in Thoughts on how I could improve my network security?:

                              If you DO decide to go UTM, avoid crap like ASA, SonicWall, Sophos etc. I heavily recommend Palo Alto or nothing. If you can't do it right, don't do it halfway with gear I'd not even be willing to deploy at home.

What's wrong with SonicWall? We have that where I work.

                              • scottalanmillerS
                                scottalanmiller @dave247
                                last edited by

                                @dave247 said in Thoughts on how I could improve my network security?:

                                @scottalanmiller said in Thoughts on how I could improve my network security?:

                                If you DO decide to go UTM, avoid crap like ASA, SonicWall, Sophos etc. I heavily recommend Palo Alto or nothing. If you can't do it right, don't do it halfway with gear I'd not even be willing to deploy at home.

What's wrong with SonicWall? We have that where I work.

                                High cost, low quality, bad vendor. Reverse the question... what's good about them?

1. They are a UTM maker, something I think is generally fundamentally wrong as an approach.
2. They claim to be for security but have hidden configuration that isn't documented, a big no-no in security and IT.
3. They intentionally set defaults to break things for no reason like SIP-ALG (SW is the #1 cause for VoIP issues.)
4. They are expensive, many times the cost of equipment I consider to be much better.
5. They essentially exist only, much like Meraki, to make sales people money. They are like Mary Kay or Amway - no one buys them intentionally, they buy them from sales people to make them go away. They aren't good enough for people to go looking for them. But when the Girl Scouts come to your door, you feel bad and buy something small to make them leave. SonicWall is the cheapest thing you can buy from the vendors that sell them; it's a lot like unwanted Girl Scout cookies - you know they are expensive and unhealthy, but you feel you have to buy something.
                                • dave247D
                                  dave247 @scottalanmiller
                                  last edited by dave247

                                  @scottalanmiller said in Thoughts on how I could improve my network security?:

                                  @dave247 said in Thoughts on how I could improve my network security?:

                                  @scottalanmiller said in Thoughts on how I could improve my network security?:

                                  If you DO decide to go UTM, avoid crap like ASA, SonicWall, Sophos etc. I heavily recommend Palo Alto or nothing. If you can't do it right, don't do it halfway with gear I'd not even be willing to deploy at home.

What's wrong with SonicWall? We have that where I work.

                                  High cost, low quality, bad vendor. Reverse the question... what's good about them?

1. They are a UTM maker, something I think is generally fundamentally wrong as an approach.
2. They claim to be for security but have hidden configuration that isn't documented, a big no-no in security and IT.
3. They intentionally set defaults to break things for no reason like SIP-ALG (SW is the #1 cause for VoIP issues.)
4. They are expensive, many times the cost of equipment I consider to be much better.
5. They essentially exist only, much like Meraki, to make sales people money. They are like Mary Kay or Amway - no one buys them intentionally, they buy them from sales people to make them go away. They aren't good enough for people to go looking for them. But when the Girl Scouts come to your door, you feel bad and buy something small to make them leave. SonicWall is the cheapest thing you can buy from the vendors that sell them; it's a lot like unwanted Girl Scout cookies - you know they are expensive and unhealthy, but you feel you have to buy something.

1. So that's really just your opinion then.
2. Can you elaborate on the "hidden configuration"?
3. I have our VoIP running through a zone on our NSA 3600 with no issues.
4. Seems like everything is "expensive", and what you consider better is a matter of opinion.
5. I understand getting ripped off by salespeople who push products that the buyer may not truly need, but we've made use of our SonicWall NSA 3600 quite a bit. It's been rock solid. And it's not like it's just a dinky system that's been cobbled together by the manufacturer just to sell as an extra piece of expensive crap. There's a lot of depth to it and it has a lot of good tools and features.

I have our three ISP connections coming into the SonicWall with load-balancing. I also have wifi zones for corp and guest on their own VLAN. I have LAN and VPN zones (and others) which are carefully set up and segregated through firewall rules. There's a page to manage NAT policies. We make use of SSLVPN, Gateway A/V and anti-spyware, content filtering, IDS & IPS, and the GMS Analyzer, etc.

I didn't choose this product, as it was on site when I got my job here, but as I said, it's been completely solid.

                                  • ObsolesceO
                                    Obsolesce @scottalanmiller
                                    last edited by

                                    @scottalanmiller said in Thoughts on how I could improve my network security?:

                                    They are like Mary Kay

                                    LOL I liked that one

                                    • ObsolesceO
                                      Obsolesce @dave247
                                      last edited by Obsolesce

                                      @dave247 said in Thoughts on how I could improve my network security?:

I have our three ISP connections coming into the SonicWall with load-balancing. I also have wifi zones for corp and guest on their own VLAN. I have LAN and VPN zones (and others) which are carefully set up and segregated through firewall rules. There's a page to manage NAT policies. We make use of SSLVPN, Gateway A/V and anti-spyware, content filtering, IDS & IPS, and the GMS Analyzer, etc.
I didn't choose this product, as it was on site when I got my job here, but as I said, it's been completely solid.

                                      This is exactly how it is for me too.

                                      I personally haven't seen any of the negatives Scott is pointing out against SonicWall or IPS working on the edge firewall.

                                      If it degrades performance, I haven't experienced it. I do agree with him on all the aspects though and would not choose to implement a SonicWall or similar device if one wasn't already set up.

                                      • ObsolesceO
                                        Obsolesce
                                        last edited by

                                        In my case it's cheaper to keep it around than to buy and implement a whole new preferred solution.

                                        • dave247D
                                          dave247 @Obsolesce
                                          last edited by dave247

                                          @tim_g said in Thoughts on how I could improve my network security?:

                                          @dave247 said in Thoughts on how I could improve my network security?:

I have our three ISP connections coming into the SonicWall with load-balancing. I also have wifi zones for corp and guest on their own VLAN. I have LAN and VPN zones (and others) which are carefully set up and segregated through firewall rules. There's a page to manage NAT policies. We make use of SSLVPN, Gateway A/V and anti-spyware, content filtering, IDS & IPS, and the GMS Analyzer, etc.
I didn't choose this product, as it was on site when I got my job here, but as I said, it's been completely solid.

                                          This is exactly how it is for me too.

                                          I personally haven't seen any of the negatives Scott is pointing out against SonicWall or IPS working on the edge firewall.

                                          If it degrades performance, I haven't experienced it. I do agree with him on all the aspects though and would not choose to implement a SonicWall or similar device if one wasn't already set up.

                                          What are some recommended alternatives? Is Scott (and supposed best practice) suggesting to spread all of these roles out to individual devices vs having everything in a single unit or something?

                                          • scottalanmillerS
                                            scottalanmiller @dave247
                                            last edited by

                                            @dave247 said in Thoughts on how I could improve my network security?:

                                            @tim_g said in Thoughts on how I could improve my network security?:

                                            @dave247 said in Thoughts on how I could improve my network security?:

I have our three ISP connections coming into the SonicWall with load-balancing. I also have wifi zones for corp and guest on their own VLAN. I have LAN and VPN zones (and others) which are carefully set up and segregated through firewall rules. There's a page to manage NAT policies. We make use of SSLVPN, Gateway A/V and anti-spyware, content filtering, IDS & IPS, and the GMS Analyzer, etc.
I didn't choose this product, as it was on site when I got my job here, but as I said, it's been completely solid.

                                            This is exactly how it is for me too.

                                            I personally haven't seen any of the negatives Scott is pointing out against SonicWall or IPS working on the edge firewall.

                                            If it degrades performance, I haven't experienced it. I do agree with him on all the aspects though and would not choose to implement a SonicWall or similar device if one wasn't already set up.

                                            What are some recommended alternatives? Is Scott (and supposed best practice) suggesting to spread all of these roles out to individual devices vs having everything in a single unit or something?

                                            Why would they be "devices"? What's the benefit to having hardware appliances for every application in a business? They should be treated like any other enterprise application - individual VMs. There are standard patterns here that are widely known and accepted. The issue, I think, is that people start hearing the marketing spiel on this stuff and start forgetting that network AV scanning, IDS, web proxies, etc. are "just another application" and that best practices have always existed for them.

                                            Best practices for applications include virtualization, and separation. What I'm suggesting isn't weird here, it's having them on appliances or mashed together on the same OS that breaks the standard approach.

                                            You wouldn't treat your database or even your website this way, why your security system?
