Thoughts on how I could improve my network security?
-
@jmoore said in Thoughts on how I could improve my network security?:
@dashrender said in Thoughts on how I could improve my network security?:
@jmoore said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
But, like all things of this nature, I've presented my side as to "why" keeping firewalls and the things considered "UTM functions" in separate places.
Now, some feel the opposite. For those that want to say that UTMs (putting lots of applications together onto the router/firewall box) is better than the normal industry standard practice of keeping applications isolated, please present your reasons for wanting that. I've presented solid reasons, that you might not agree with, for why I'd follow industry best practice here. I don't remember anyone saying why they'd do the opposite, only questioning why I'd not do it, which isn't the same as presenting a reason.
So I'm asking... what's the reasons for going against the grain in this one case? There are exceptions to most every rule, but I've not seen anyone anywhere ever present an argument for UTMs, only that they'd use them despite the reasons against them.
It is not only the IT industry that does this. The audio/video industry does this also, maybe others do too. In a business or enterprise setup we never use equipment that contains all the functions in a single box, which is analogous to UTMs in the IT space. We separate out all the functions because it is more versatile, more reliable, usually more cost effective, and easier to troubleshoot issues. Do companies make boxes that include a pre-amp, amp, tuner, networking, storage, disc players, switching, video processors and sound processors? Yes they do. Should you ever use one if you're a business? Absolutely not if you can avoid it. If you have no other choice, like if someone else bought it and it's your job to support then you just have to make do. If you have the budget then use separates, whether VMs or physical devices if you can't use a VM.
I take it you don't like audio receivers then?
I do not. They will work but the sound is always better if you use separates. If something breaks in the receiver then you fix or replace the whole unit so it's usually more expensive. If you want to mix and match components you can't do that either with a receiver or with any other multifunction boxes. Just my opinion.
LOL - of course - but the expense of splitting out all of the components isn't worth it for me personally, not to mention that I'm not an audiophile in any type of way, so unbelievably great audio quality isn't something I need or care about.
-
@scottalanmiller said in Thoughts on how I could improve my network security?:
@jmoore said in Thoughts on how I could improve my network security?:
@dashrender said in Thoughts on how I could improve my network security?:
@jmoore said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
But, like all things of this nature, I've presented my side as to "why" keeping firewalls and the things considered "UTM functions" in separate places.
Now, some feel the opposite. For those that want to say that UTMs (putting lots of applications together onto the router/firewall box) is better than the normal industry standard practice of keeping applications isolated, please present your reasons for wanting that. I've presented solid reasons, that you might not agree with, for why I'd follow industry best practice here. I don't remember anyone saying why they'd do the opposite, only questioning why I'd not do it, which isn't the same as presenting a reason.
So I'm asking... what's the reasons for going against the grain in this one case? There are exceptions to most every rule, but I've not seen anyone anywhere ever present an argument for UTMs, only that they'd use them despite the reasons against them.
It is not only the IT industry that does this. The audio/video industry does this also, maybe others do too. In a business or enterprise setup we never use equipment that contains all the functions in a single box, which is analogous to UTMs in the IT space. We separate out all the functions because it is more versatile, more reliable, usually more cost effective, and easier to troubleshoot issues. Do companies make boxes that include a pre-amp, amp, tuner, networking, storage, disc players, switching, video processors and sound processors? Yes they do. Should you ever use one if you're a business? Absolutely not if you can avoid it. If you have no other choice, like if someone else bought it and it's your job to support then you just have to make do. If you have the budget then use separates, whether VMs or physical devices if you can't use a VM.
I take it you don't like audio receivers then?
I do not. They will work but the sound is always better if you use separates. If something breaks in the receiver then you fix or replace the whole unit so it's usually more expensive. If you want to mix and match components you can't do that either with a receiver or with any other multifunction boxes. Just my opinion.
Especially real receivers that have radio and crap in them. That's just silly. Who listens to the radio from a receiver?
But all that electronics in the box, it just makes the audio worse. I even moved away from pre-amps for that reason.
I'll start a new thread.
-
@dashrender said in Thoughts on how I could improve my network security?:
@jmoore said in Thoughts on how I could improve my network security?:
@dashrender said in Thoughts on how I could improve my network security?:
@jmoore said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
But, like all things of this nature, I've presented my side as to "why" keeping firewalls and the things considered "UTM functions" in separate places.
Now, some feel the opposite. For those that want to say that UTMs (putting lots of applications together onto the router/firewall box) is better than the normal industry standard practice of keeping applications isolated, please present your reasons for wanting that. I've presented solid reasons, that you might not agree with, for why I'd follow industry best practice here. I don't remember anyone saying why they'd do the opposite, only questioning why I'd not do it, which isn't the same as presenting a reason.
So I'm asking... what's the reasons for going against the grain in this one case? There are exceptions to most every rule, but I've not seen anyone anywhere ever present an argument for UTMs, only that they'd use them despite the reasons against them.
It is not only the IT industry that does this. The audio/video industry does this also, maybe others do too. In a business or enterprise setup we never use equipment that contains all the functions in a single box, which is analogous to UTMs in the IT space. We separate out all the functions because it is more versatile, more reliable, usually more cost effective, and easier to troubleshoot issues. Do companies make boxes that include a pre-amp, amp, tuner, networking, storage, disc players, switching, video processors and sound processors? Yes they do. Should you ever use one if you're a business? Absolutely not if you can avoid it. If you have no other choice, like if someone else bought it and it's your job to support then you just have to make do. If you have the budget then use separates, whether VMs or physical devices if you can't use a VM.
I take it you don't like audio receivers then?
I do not. They will work but the sound is always better if you use separates. If something breaks in the receiver then you fix or replace the whole unit so it's usually more expensive. If you want to mix and match components you can't do that either with a receiver or with any other multifunction boxes. Just my opinion.
LOL - of course - but the expense of splitting out all of the components isn't worth it for me personally, not to mention that I'm not an audiophile in any type of way, so unbelievably great audio quality isn't something I need or care about.
Doesn't cost more, can even cost less. It's actually audiophilia where I learned this best. I had forgotten this. But it was because I came from that world that I was so well versed that enterprise class stuff was normally cheaper than mid-range. It's the mid-range / prosumer world where they normally get you. This is where UTM is. It's where someone knows they want to be "cooler than consumer" but aren't yet prepared to do proper research or treat themselves like enterprise (or Hi Fi). The result is someone that is easy to take advantage of - the UTM or receiver markets are where the big sales and big profits are.
-
@scottalanmiller said in Thoughts on how I could improve my network security?:
@tim_g said in Thoughts on how I could improve my network security?:
A lot of places will have SonicWALLs who haven't gotten it through an ITSP. Upper management made the decision to get a SonicWALL through their own research. And that's the way it is, in the real world. Not in Scott's world, but the real world.
Where Scott's world = "good business".
Scott never, ever suggested businesses made good decisions. Scott teaches how to make good decisions. Don't equate Scott's ideas of "what good looks like" with a misconception that I think the normal world looks good. The average business is idiotic and fails in under five years. "Normal" means abject failure in business.
I was pointing out how you are defining the real world as being best practice followers ... as in Scott's world all SMBs are doing everything correctly. I was pointing out that it's the opposite. Most SMBs are not following best practices for whatever reason.
They should be, but aren't for a ton of different reasons. That's all.
-
@tim_g said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
@tim_g said in Thoughts on how I could improve my network security?:
A lot of places will have SonicWALLs who haven't gotten it through an ITSP. Upper management made the decision to get a SonicWALL through their own research. And that's the way it is, in the real world. Not in Scott's world, but the real world.
Where Scott's world = "good business".
Scott never, ever suggested businesses made good decisions. Scott teaches how to make good decisions. Don't equate Scott's ideas of "what good looks like" with a misconception that I think the normal world looks good. The average business is idiotic and fails in under five years. "Normal" means abject failure in business.
I was pointing out how you are defining the real world as being best practice followers ...
When did I ever say that? I keep saying that it is the opposite of that.
-
@tim_g said in Thoughts on how I could improve my network security?:
... as in Scott's world all SMBs are doing everything correctly. I was pointing out that it's the opposite. Most SMBs are not following best practices for whatever reason.
Right, which is exactly what I say ALL the time. In every thread. We have this same discussion constantly and I'm always pointing out, more than anyone, how SMBs do nothing right, that they should still follow best practices, and regardless of the fact that they don't listen or care does not mean that we should alter what is "good advice" to intentionally give bad advice just because most people don't care.
-
@scottalanmiller said in Thoughts on how I could improve my network security?:
@tim_g said in Thoughts on how I could improve my network security?:
... as in Scott's world all SMBs are doing everything correctly. I was pointing out that it's the opposite. Most SMBs are not following best practices for whatever reason.
Right, which is exactly what I say ALL the time. In every thread. We have this same discussion constantly and I'm always pointing out, more than anyone, how SMBs do nothing right, that they should still follow best practices, and regardless of the fact that they don't listen or care does not mean that we should alter what is "good advice" to intentionally give bad advice just because most people don't care.
Okay I see what you mean now.
-
@dashrender said in Thoughts on how I could improve my network security?:
@jmoore said in Thoughts on how I could improve my network security?:
@dashrender said in Thoughts on how I could improve my network security?:
@jmoore said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
But, like all things of this nature, I've presented my side as to "why" keeping firewalls and the things considered "UTM functions" in separate places.
Now, some feel the opposite. For those that want to say that UTMs (putting lots of applications together onto the router/firewall box) is better than the normal industry standard practice of keeping applications isolated, please present your reasons for wanting that. I've presented solid reasons, that you might not agree with, for why I'd follow industry best practice here. I don't remember anyone saying why they'd do the opposite, only questioning why I'd not do it, which isn't the same as presenting a reason.
So I'm asking... what's the reasons for going against the grain in this one case? There are exceptions to most every rule, but I've not seen anyone anywhere ever present an argument for UTMs, only that they'd use them despite the reasons against them.
It is not only the IT industry that does this. The audio/video industry does this also, maybe others do too. In a business or enterprise setup we never use equipment that contains all the functions in a single box, which is analogous to UTMs in the IT space. We separate out all the functions because it is more versatile, more reliable, usually more cost effective, and easier to troubleshoot issues. Do companies make boxes that include a pre-amp, amp, tuner, networking, storage, disc players, switching, video processors and sound processors? Yes they do. Should you ever use one if you're a business? Absolutely not if you can avoid it. If you have no other choice, like if someone else bought it and it's your job to support then you just have to make do. If you have the budget then use separates, whether VMs or physical devices if you can't use a VM.
I take it you don't like audio receivers then?
I do not. They will work but the sound is always better if you use separates. If something breaks in the receiver then you fix or replace the whole unit so it's usually more expensive. If you want to mix and match components you can't do that either with a receiver or with any other multifunction boxes. Just my opinion.
LOL - of course - but the expense of splitting out all of the components isn't worth it for me personally, not to mention that I'm not an audiophile in any type of way, so unbelievably great audio quality isn't something I need or care about.
Well I certainly understand that. What is good enough for someone is a totally different discussion. I was only talking about the best thing to do if you're putting this in a business or a homeowner that cares a lot. As in most things, you just have to determine what your needs are and then go from there. Nothing wrong with that.
-
@scottalanmiller said in Thoughts on how I could improve my network security?:
@jmoore said in Thoughts on how I could improve my network security?:
@dashrender said in Thoughts on how I could improve my network security?:
@jmoore said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
But, like all things of this nature, I've presented my side as to "why" keeping firewalls and the things considered "UTM functions" in separate places.
Now, some feel the opposite. For those that want to say that UTMs (putting lots of applications together onto the router/firewall box) is better than the normal industry standard practice of keeping applications isolated, please present your reasons for wanting that. I've presented solid reasons, that you might not agree with, for why I'd follow industry best practice here. I don't remember anyone saying why they'd do the opposite, only questioning why I'd not do it, which isn't the same as presenting a reason.
So I'm asking... what's the reasons for going against the grain in this one case? There are exceptions to most every rule, but I've not seen anyone anywhere ever present an argument for UTMs, only that they'd use them despite the reasons against them.
It is not only the IT industry that does this. The audio/video industry does this also, maybe others do too. In a business or enterprise setup we never use equipment that contains all the functions in a single box, which is analogous to UTMs in the IT space. We separate out all the functions because it is more versatile, more reliable, usually more cost effective, and easier to troubleshoot issues. Do companies make boxes that include a pre-amp, amp, tuner, networking, storage, disc players, switching, video processors and sound processors? Yes they do. Should you ever use one if you're a business? Absolutely not if you can avoid it. If you have no other choice, like if someone else bought it and it's your job to support then you just have to make do. If you have the budget then use separates, whether VMs or physical devices if you can't use a VM.
I take it you don't like audio receivers then?
I do not. They will work but the sound is always better if you use separates. If something breaks in the receiver then you fix or replace the whole unit so it's usually more expensive. If you want to mix and match components you can't do that either with a receiver or with any other multifunction boxes. Just my opinion.
Especially real receivers that have radio and crap in them. That's just silly. Who listens to the radio from a receiver?
But all that electronics in the box, it just makes the audio worse. I even moved away from pre-amps for that reason.
Yeah all of those components will interfere with each other to varying degrees. That makes transmission of data less reliable. It is like putting an access point behind a concrete wall and expecting it to transmit outward to your users reliably.
-
@tim_g said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
@tim_g said in Thoughts on how I could improve my network security?:
... as in Scott's world all SMBs are doing everything correctly. I was pointing out that it's the opposite. Most SMBs are not following best practices for whatever reason.
Right, which is exactly what I say ALL the time. In every thread. We have this same discussion constantly and I'm always pointing out, more than anyone, how SMBs do nothing right, that they should still follow best practices, and regardless of the fact that they don't listen or care does not mean that we should alter what is "good advice" to intentionally give bad advice just because most people don't care.
Okay I see what you mean now.
Basically, I see "IT Advice" as defining "what good looks like" so that we have a bar against which to measure, because we can't look at real world businesses, as they rarely do things well.
I like the term "what good looks like" a lot, it's a good way to discuss things.
-
@scottalanmiller said in Thoughts on how I could improve my network security?:
@tim_g said in Thoughts on how I could improve my network security?:
... as in Scott's world all SMBs are doing everything correctly. I was pointing out that it's the opposite. Most SMBs are not following best practices for whatever reason.
Right, which is exactly what I say ALL the time. In every thread. We have this same discussion constantly and I'm always pointing out, more than anyone, how SMBs do nothing right, that they should still follow best practices, and regardless of the fact that they don't listen or care does not mean that we should alter what is "good advice" to intentionally give bad advice just because most people don't care.
hmm... I guess what I'd like to get out of all of these conversations is a way to convince them to do it right.
We all already know that many, dare I say most, do it wrong. The best that we can hope to come away from these types of conversations are ways to convince them to change.
-
@dashrender said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
@tim_g said in Thoughts on how I could improve my network security?:
... as in Scott's world all SMBs are doing everything correctly. I was pointing out that it's the opposite. Most SMBs are not following best practices for whatever reason.
Right, which is exactly what I say ALL the time. In every thread. We have this same discussion constantly and I'm always pointing out, more than anyone, how SMBs do nothing right, that they should still follow best practices, and regardless of the fact that they don't listen or care does not mean that we should alter what is "good advice" to intentionally give bad advice just because most people don't care.
hmm... I guess what I'd like to get out of all of these conversations is a way to convince them to do it right.
Three stages, each is relatively discrete.
- Determine what is "right". Meaning, what is good for the business. E.g. what should IT do.
- Convince them to want good business to matter.
- Convey good IT to them in a way that makes sense.
Each step is a different thing entirely. Part one is what we are tackling here. What does "good look like"? Part two, you can't talk people into, if you are at a company where they don't care and that's not okay for you, you need to leave. If they don't care and you don't care, fine. Then, once one and two are done, it's about talking in business terms, which is important, but a separate task to tackle.
-
@dashrender said in Thoughts on how I could improve my network security?:
The best that we can hope to come away from these types of conversations are ways to convince them to change.
Not really, not these conversations. These conversations are about determining what is the thing that we should try to convince them of, rather than how to try to convince them.
In a healthy company, we'd never need that part, but we always need this part. This is all step one.
-
@scottalanmiller said in Thoughts on how I could improve my network security?:
If you DO decide to go UTM, avoid crap like ASA, SonicWall, Sophos etc. I heavily recommend Palo Alto or nothing. If you can't do it right, don't do it halfway with gear I'd not even be willing to deploy at home.
Do you put a lot of stock into NSS Labs reports? In doing research, I'm kinda surprised to see Palo Alto isn't rated really high on the NGFW SVM. They do better on the NGIPS SVM, but Fortinet, Forcepoint, and TrendMicro are rated higher.
-
And totally off topic, but is there an easy way I can see my posting history to find threads I started?
-
@beta said in Thoughts on how I could improve my network security?:
NSS Labs
I lack any real opinion either way, I'm afraid. But rating Fortinet highly in anything is.... concerning.
-
@scottalanmiller said in Thoughts on how I could improve my network security?:
@dave247 said in Thoughts on how I could improve my network security?:
Second, a router is always a firewall, the two are always the same thing, have been for decades.
I still can't believe you said this... really makes it clear that you aren't playing with a full deck of cards.
-
@dave247 said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
@dave247 said in Thoughts on how I could improve my network security?:
Second, a router is always a firewall, the two are always the same thing, have been for decades.
I still can't believe you said this... really makes it clear that you aren't playing with a full deck of cards.
Why? It's 100% true. Can you find any router that isn't a firewall or any firewall that isn't a router? While they are different aspects of the same device, they are the same device. No non-firewall router has been made since the 1990s. And while some firewalls allow you to disable routing functions to become a bridging firewall, I know of no firewall where the L3 routing can't be enabled again.
This is considered basic networking knowledge. It's only in the last year or so that people have started this new myth that there is something else that is a firewall.
-
@dave247 said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
@dave247 said in Thoughts on how I could improve my network security?:
Second, a router is always a firewall, the two are always the same thing, have been for decades.
I still can't believe you said this... really makes it clear that you aren't playing with a full deck of cards.
If you think that they are different, explain how. Or show an example of some at least. Instead of saying I'm crazy, explain what you mean as you aren't presenting information, just claiming that basic industry common knowledge is wrong. If the whole industry is wrong, what do you know that we don't? Attacking the person, and not the argument, is the greatest sign of agreement - just tends to indicate that you know it is true but dislike that that is the truth.