Thoughts on how I could improve my network security?
- 
 @scottalanmiller said in Thoughts on how I could improve my network security?: @jmoore said in Thoughts on how I could improve my network security?: @dashrender said in Thoughts on how I could improve my network security?: @jmoore said in Thoughts on how I could improve my network security?: @scottalanmiller said in Thoughts on how I could improve my network security?: But, like all things of this nature, I've presented my side as to "why" keeping firewalls and the things considered "UTM functions" in separate places. Now, some feel the opposite. For those that want to say that UTMs (putting lots of applications together onto the router/firewall box) is better than the normal industry standard practice of keeping applications isolated, please present your reasons for wanting that. I've presented solid reasons, that you might not agree with, for why I'd follow industry best practice here. I don't remember anyone saying why they'd do the opposite, only questioning why I'd not do it, which isn't the same as presenting a reason. So I'm asking... what's the reasons for going against the grain in this one case? There are exceptions to most every rule, but I've not seen anyone anywhere ever present an argument for UTMs, only that they'd use them despite the reasons against them. It is not only the IT industry that does this. The audio/video industry does this also, maybe others do too. In a business or enterprise setup we never use equipment that contains all the functions in a single box, which is analogous to UTMs in the IT space. We separate out all the functions because it is more versatile, more reliable, usually more cost effective, and easier to troubleshoot issues. Do companies make boxes that include a pre-amp, amp, tuner, networking, storage, disc players, switching, video processors and sound processors? Yes they do. Should you ever use one if you're a business? Absolutely not if you can avoid it. 
If you have no other choice, like if someone else bought it and it's your job to support it, then you just have to make do. If you have the budget then use separates, whether VMs or physical devices if you can't use a VM. I take it you don't like audio receivers then? I do not. They will work but the sound is always better if you use separates. If something breaks in the receiver then you fix or replace the whole unit so it's usually more expensive. If you want to mix and match components you can't do that either with a receiver or with any other multifunction boxes. Just my opinion. Especially real receivers that have radio and crap in them. That's just silly. Who listens to the radio from a receiver? But all that electronics in the box, it just makes the audio worse. I even moved away from pre-amps for that reason. Yeah all of those components will interfere with each other to varying degrees. That makes transmission of data less reliable. It is like putting an access point behind a concrete wall and expecting it to transmit outward to your users reliably. 
- 
 @tim_g said in Thoughts on how I could improve my network security?: @scottalanmiller said in Thoughts on how I could improve my network security?: @tim_g said in Thoughts on how I could improve my network security?: ... as in Scott's world all SMBs are doing everything correctly. I was pointing out that it's the opposite. Most SMBs are not following best practices for whatever reason. Right, which is exactly what I say ALL the time. In every thread. We have this same discussion constantly and I'm always pointing out, more than anyone, how SMBs do nothing right, that they should still follow best practices, and regardless of the fact that they don't listen or care does not mean that we should alter what is "good advice" to intentionally give bad advice just because most people don't care. Okay I see what you mean now. Basically, I see "IT Advice" as defining "what good looks like" so that we have a bar against which to measure, because we can't look at real world businesses, as they rarely do things well. I like the term "what good looks like" a lot, it's a good way to discuss things. 
- 
 @scottalanmiller said in Thoughts on how I could improve my network security?: @tim_g said in Thoughts on how I could improve my network security?: ... as in Scott's world all SMBs are doing everything correctly. I was pointing out that it's the opposite. Most SMBs are not following best practices for whatever reason. Right, which is exactly what I say ALL the time. In every thread. We have this same discussion constantly and I'm always pointing out, more than anyone, how SMBs do nothing right, that they should still follow best practices, and regardless of the fact that they don't listen or care does not mean that we should alter what is "good advice" to intentionally give bad advice just because most people don't care. hmm... I guess what I'd like to get out of all of these conversations is a way to convince them to do it right. We all already know that many, dare I say most, do it wrong. The best that we can hope to come away from these types of conversations are ways to convince them to change. 
- 
 @dashrender said in Thoughts on how I could improve my network security?: @scottalanmiller said in Thoughts on how I could improve my network security?: @tim_g said in Thoughts on how I could improve my network security?: ... as in Scott's world all SMBs are doing everything correctly. I was pointing out that it's the opposite. Most SMBs are not following best practices for whatever reason. Right, which is exactly what I say ALL the time. In every thread. We have this same discussion constantly and I'm always pointing out, more than anyone, how SMBs do nothing right, that they should still follow best practices, and regardless of the fact that they don't listen or care does not mean that we should alter what is "good advice" to intentionally give bad advice just because most people don't care. hmm... I guess what I'd like to get out of all of these conversations is a way to convince them to do it right. Three stages, each is relatively discrete. - Determine what is "right". Meaning, what is good for the business. E.g. what should IT do.
- Convince them to want good business to matter.
- Convey good IT to them in a way that makes sense.
 Each step is a different thing entirely. Part one is what we are tackling here. What does "good look like"? Part two, you can't talk people into, if you are at a company where they don't care and that's not okay for you, you need to leave. If they don't care and you don't care, fine. Then, once one and two are done, it's about talking in business terms, which is important, but a separate task to tackle. 
- 
 @dashrender said in Thoughts on how I could improve my network security?: The best that we can hope to come away from these types of conversations are ways to convince them to change. Not really, not these conversations. These conversations are about determining what is the thing that we should try to convince them of, rather than how to try to convince them. In a healthy company, we'd never need that part, but we always need this part. This is all step one. 
- 
 @scottalanmiller said in Thoughts on how I could improve my network security?: If you DO decide to go UTM, avoid crap like ASA, SonicWall, Sophos etc. I heavily recommend Palo Alto or nothing. If you can't do it right, don't do it halfway with gear I'd not even be willing to deploy at home. Do you put a lot of stock into NSS Labs reports? In doing research, I'm kinda surprised to see Palo Alto isn't rated really high on the NGFW SVM. They do better on the NGIPS SVM, but Fortinet, Forcepoint, and Trend Micro are rated higher. 
- 
 And totally off topic, but is there an easy way I can see my posting history to find threads I started? 
- 
 @beta said in Thoughts on how I could improve my network security?: NSS Labs I lack any real opinion either way, I'm afraid. But rating Fortinet highly in anything is.... concerning. 
- 
 @scottalanmiller said in Thoughts on how I could improve my network security?: @dave247 said in Thoughts on how I could improve my network security?: Second, a router is always a firewall, the two are always the same thing, have been for decades. I still can't believe you said this... really makes it clear that you aren't playing with a full deck of cards. 
- 
 @dave247 said in Thoughts on how I could improve my network security?: @scottalanmiller said in Thoughts on how I could improve my network security?: @dave247 said in Thoughts on how I could improve my network security?: Second, a router is always a firewall, the two are always the same thing, have been for decades. I still can't believe you said this... really makes it clear that you aren't playing with a full deck of cards. Why? It's 100% true. Can you find any router that isn't a firewall or any firewall that isn't a router? While they are different aspects of the same device, they are the same device. No non-firewall router has been made since the 1990s. And while some firewalls allow you to disable routing functions to become a bridging firewall, I know of no firewall where the L3 routing can't be enabled again. This is considered basic networking knowledge. It's only in the last year or so that people have started this new myth that there is something else that is a firewall. 
- 
 @dave247 said in Thoughts on how I could improve my network security?: @scottalanmiller said in Thoughts on how I could improve my network security?: @dave247 said in Thoughts on how I could improve my network security?: Second, a router is always a firewall, the two are always the same thing, have been for decades. I still can't believe you said this... really makes it clear that you aren't playing with a full deck of cards. If you think that they are different, explain how. Or show an example of some at least. Instead of saying I'm crazy, explain what you mean as you aren't presenting information, just claiming that basic industry common knowledge is wrong. If the whole industry is wrong, what do you know that we don't? Attacking the person, and not the argument, is the greatest sign of agreement - just tends to indicate that you know it is true but dislike that that is the truth. 
- 
 Perhaps you are thinking that host based firewalls are clearly not on routers, so are some exception to the rule, and I can see where that might be confusing. Host based firewalls, like the ones that run on Windows or Linux, are on end points. However, what's important there, is that all operating systems, including Windows desktops, are routers as well and if you turn on their routing functions will operate as traditional router / firewall combos. It is only that we turn that off and put the firewall into bridging mode by default that it doesn't act this way most of the time. But your desktop has all of the router functionality in it, just as it has all firewall functionality in it. It's just normally turned off. But it holds to the model that the inclusion of firewall functionality always means that routing is an option. Basically you can think of it like this: All routers are firewalls, there is no router made that isn't (handling NAT alone guarantees this no matter what). And all firewalls have the option of routing. 
- 
 @scottalanmiller said in Thoughts on how I could improve my network security?: @dave247 said in Thoughts on how I could improve my network security?: @scottalanmiller said in Thoughts on how I could improve my network security?: @dave247 said in Thoughts on how I could improve my network security?: Second, a router is always a firewall, the two are always the same thing, have been for decades. I still can't believe you said this... really makes it clear that you aren't playing with a full deck of cards. If you think that they are different, explain how. Or show an example of some at least. Instead of saying I'm crazy, explain what you mean as you aren't presenting information, just claiming that basic industry common knowledge is wrong. If the whole industry is wrong, what do you know that we don't? Attacking the person, and not the argument, is the greatest sign of agreement - just tends to indicate that you know it is true but dislike that that is the truth. Well based on what you originally said, you were claiming a firewall and a router were the "same thing". You literally said that. They aren't the same thing because they are two different systems that do two different things. Routers route packets between different networks and firewalls allow or deny traffic based on specified rules. Pretty simple and I'm sure you already actually know that. My point is that while they might always go together in the same piece of equipment, they really aren't the "same thing". You're going to confuse people by telling them they are the same thing and I think that's secretly your intent. 
- 
 @dave247 said in Thoughts on how I could improve my network security?: @scottalanmiller said in Thoughts on how I could improve my network security?: @dave247 said in Thoughts on how I could improve my network security?: @scottalanmiller said in Thoughts on how I could improve my network security?: @dave247 said in Thoughts on how I could improve my network security?: Second, a router is always a firewall, the two are always the same thing, have been for decades. I still can't believe you said this... really makes it clear that you aren't playing with a full deck of cards. If you think that they are different, explain how. Or show an example of some at least. Instead of saying I'm crazy, explain what you mean as you aren't presenting information, just claiming that basic industry common knowledge is wrong. If the whole industry is wrong, what do you know that we don't? Attacking the person, and not the argument, is the greatest sign of agreement - just tends to indicate that you know it is true but dislike that that is the truth. Well based on what you originally said, you were claiming a firewall and a router were the "same thing". You literally said that. They aren't the same thing because they are two different systems that do two different things. Routers route packets between different networks and firewalls allow or deny traffic based on specified rules. Pretty simple and I'm sure you already actually know that. My point is that while they might always go together in the same piece of equipment, they really aren't the "same thing". You're going to confuse people by telling them they are the same thing and I think that's secretly your intent. Here is the original quote you are referring to: "Second, a router is always a firewall, the two are always the same thing, have been for decades. The idea that you even CAN separate the router and firewall is silly, while it's possible no separate devices have been on the market since the late 1990s." 
This looks nothing like what you claim that I said. In the original quote I was extremely clear in explaining exactly what you claim I was trying to make confusing. I point out even that you CAN separate them, but no one has done so. And that they've been the same thing [devices] for a long time, but not always. How am I confusing someone like this? And with this level of explanation, how can you honestly claim that you think I'm trying to mislead someone when I took the time to make it so obvious that they were separate, but always combined? 
- 
 @dave247 A router is simply a hardware firewall. 
- 
 @scottalanmiller said in Thoughts on how I could improve my network security?: @dave247 said in Thoughts on how I could improve my network security?: @scottalanmiller said in Thoughts on how I could improve my network security?: @dave247 said in Thoughts on how I could improve my network security?: @scottalanmiller said in Thoughts on how I could improve my network security?: @dave247 said in Thoughts on how I could improve my network security?: Second, a router is always a firewall, the two are always the same thing, have been for decades. I still can't believe you said this... really makes it clear that you aren't playing with a full deck of cards. If you think that they are different, explain how. Or show an example of some at least. Instead of saying I'm crazy, explain what you mean as you aren't presenting information, just claiming that basic industry common knowledge is wrong. If the whole industry is wrong, what do you know that we don't? Attacking the person, and not the argument, is the greatest sign of agreement - just tends to indicate that you know it is true but dislike that that is the truth. Well based on what you originally said, you were claiming a firewall and a router were the "same thing". You literally said that. They aren't the same thing because they are two different systems that do two different things. Routers route packets between different networks and firewalls allow or deny traffic based on specified rules. Pretty simple and I'm sure you already actually know that. My point is that while they might always go together in the same piece of equipment, they really aren't the "same thing". You're going to confuse people by telling them they are the same thing and I think that's secretly your intent. Here is the original quote you are referring to: "Second, a router is always a firewall, the two are always the same thing, have been for decades. 
The idea that you even CAN separate the router and firewall is silly, while it's possible no separate devices have been on the market since the late 1990s." This looks nothing like what you claim that I said. In the original quote I was extremely clear in explaining exactly what you claim I was trying to make confusing. I point out even that you CAN separate them, but no one has done so. And that they've been the same thing [devices] for a long time, but not always. How am I confusing someone like this? And with this level of explanation, how can you honestly claim that you think I'm trying to mislead someone when I took the time to make it so obvious that they were separate, but always combined? Look. Really all I'm trying to say is that you should have maybe phrased it as "a router and a firewall always go together", because saying they are the same thing is a very gross over-simplification. It would be like saying the engine in a car is the same thing as the transmission. They always go together, but they are not the same thing. You said they were the same thing, I am saying they are not. I am saying they are not the same thing, because that is the correct thing to say to somebody who says they are the same thing. You can dance around it all you want with your paragraphs of words, but the fact of the matter is you were incorrect, at least in how you described it, and you should just accept that. 
- 
 @tim_g said in Thoughts on how I could improve my network security?: @dave247 A router is simply a hardware firewall. No, that is not correct. It is a gross over-simplification. Routing and firewalling functions are two completely different roles. Yes, routers almost always come with a firewall, but they are absolutely not the same thing. 
- 
 Ok, here is another example of what I am trying to express here: At work, I have a bunch of Dell PowerConnect switches - 5500 and N3000 series. These are referred to and sold as switches. However, they provide multi-layer functions, beyond just L2 switching. Some of the functions they provide are: switching, routing, DHCP server. Does that mean I can refer to this switch as a router instead of a switch? How about if I start calling the switch a server? I wouldn't, because it's not correct. If I said that a switch and router are the same thing, people would be quick to correct me because they are not the same thing. 
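Both sides of the exchange above agree on one thing: a routing function (where does this packet go next?) and a filtering function (is this packet allowed through at all?) are different roles that ship together on one box, and on an ordinary host the routing role is simply switched off. The following is an added example written for this page, not code from the thread or from any poster, that models exactly that separation: a `Router` that does longest-prefix matching, a `Firewall` that does first-match allow/deny with an implicit default deny, and a `Box` that composes them the way a combined router/firewall appliance (or a Linux host with `ip_forward` turned on) does. All addresses, interface names and rules are constructed for the example.

```python
"""Toy L3 forwarder that keeps routing and filtering as separate objects.

Added example, not from the original thread. Addresses, interface names
(lan0, dmz0, wan0) and the rule set are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # destination port; 0 when not applicable


@dataclass
class Router:
    """Routing role only: picks egress interface and next hop by longest prefix."""
    routes: list = field(default_factory=list)  # (network, iface, next_hop)

    def add_route(self, prefix, iface, next_hop=None):
        self.routes.append((ipaddress.ip_network(prefix, strict=False), iface, next_hop))

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best = None
        for net, iface, nh in self.routes:
            # Longest prefix wins; 0.0.0.0/0 only matches when nothing better does.
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface, nh)
        return None if best is None else (best[1], best[2])


@dataclass
class Firewall:
    """Filtering role only: first matching rule decides; no match means deny."""
    rules: list = field(default_factory=list)  # (action, src_net, dst_net, proto, dport)

    def add_rule(self, action, src="0.0.0.0/0", dst="0.0.0.0/0", proto=None, dport=None):
        self.rules.append((action, ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, dport))

    def allows(self, pkt):
        s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for action, src_net, dst_net, proto, dport in self.rules:
            if (s in src_net and d in dst_net
                    and (proto is None or proto == pkt.proto)
                    and (dport is None or dport == pkt.dport)):
                return action == "allow"
        return False  # implicit default deny


@dataclass
class Box:
    """A combined router/firewall: the two roles composed on one device."""
    router: Router
    firewall: Firewall
    ip_forward: bool = True  # False models a desktop with routing switched off

    def forward(self, pkt):
        if not self.ip_forward:
            return ("dropped", "ip_forward=0: host is not routing")
        # As on Linux, the routing decision happens first and the forward
        # filter is evaluated afterwards on the packet being forwarded.
        route = self.router.lookup(pkt.dst)
        if route is None:
            return ("dropped", "no route")
        if not self.firewall.allows(pkt):
            return ("dropped", "denied by firewall rule")
        iface, next_hop = route
        return ("forwarded", iface, next_hop or pkt.dst)


def build_example_box():
    """Constructed three-legged setup: LAN, DMZ and a default route to the WAN."""
    r = Router()
    r.add_route("10.0.0.0/24", "lan0")
    r.add_route("10.0.1.0/24", "dmz0")
    r.add_route("0.0.0.0/0", "wan0", next_hop="203.0.113.1")
    fw = Firewall()
    fw.add_rule("allow", src="10.0.0.0/24", dst="10.0.1.0/24", proto="tcp", dport=443)
    fw.add_rule("deny", src="10.0.0.0/24", dst="10.0.1.0/24")   # LAN -> DMZ only on 443
    fw.add_rule("allow", src="10.0.0.0/24")                      # LAN -> anywhere else
    fw.add_rule("deny", src="10.0.1.0/24", dst="10.0.0.0/24")   # DMZ never reaches LAN
    fw.add_rule("allow", src="10.0.1.0/24")                      # DMZ -> Internet
    return Box(r, fw)


if __name__ == "__main__":
    box = build_example_box()
    for p in (Packet("10.0.0.5", "10.0.1.10", "tcp", 443),
              Packet("10.0.0.5", "10.0.1.10", "tcp", 22),
              Packet("10.0.1.10", "10.0.0.5", "tcp", 445),
              Packet("10.0.1.10", "8.8.8.8", "udp", 53)):
        print(p, "->", box.forward(p))
```

The point the code makes is the one both posters circle around: `Router.lookup` never consults a rule and `Firewall.allows` never consults a route, so either object can be swapped or removed on its own (a host firewall is `Firewall` used without `Box`), yet a real appliance always runs them together. Note the order inside `forward`: the route is resolved before the filter runs, which is why forward-chain rules on real systems can match on the outgoing interface.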
- 
 @dave247 said in Thoughts on how I could improve my network security?: @scottalanmiller said in Thoughts on how I could improve my network security?: @dave247 said in Thoughts on how I could improve my network security?: @scottalanmiller said in Thoughts on how I could improve my network security?: @dave247 said in Thoughts on how I could improve my network security?: @scottalanmiller said in Thoughts on how I could improve my network security?: @dave247 said in Thoughts on how I could improve my network security?: Second, a router is always a firewall, the two are always the same thing, have been for decades. I still can't believe you said this... really makes it clear that you aren't playing with a full deck of cards. If you think that they are different, explain how. Or show an example of some at least. Instead of saying I'm crazy, explain what you mean as you aren't presenting information, just claiming that basic industry common knowledge is wrong. If the whole industry is wrong, what do you know that we don't? Attacking the person, and not the argument, is the greatest sign of agreement - just tends to indicate that you know it is true but dislike that that is the truth. Well based on what you originally said, you were claiming a firewall and a router were the "same thing". You literally said that. They aren't the same thing because they are two different systems that do two different things. Routers route packets between different networks and firewalls allow or deny traffic based on specified rules. Pretty simple and I'm sure you already actually know that. My point is that while they might always go together in the same piece of equipment, they really aren't the "same thing". You're going to confuse people by telling them they are the same thing and I think that's secretly your intent. Here is the original quote you are referring to: "Second, a router is always a firewall, the two are always the same thing, have been for decades. 
The idea that you even CAN separate the router and firewall is silly, while it's possible no separate devices have been on the market since the late 1990s." This looks nothing like what you claim that I said. In the original quote I was extremely clear in explaining exactly what you claim I was trying to make confusing. I point out even that you CAN separate them, but no one has done so. And that they've been the same thing [devices] for a long time, but not always. How am I confusing someone like this? And with this level of explanation, how can you honestly claim that you think I'm trying to mislead someone when I took the time to make it so obvious that they were separate, but always combined? Look. Really all I'm trying to say is that you should have maybe phrased it as "a router and a firewall always go together", because saying they are the same thing is a very gross over-simplification. It would be like saying the engine in a car is the same thing as the transmission. They always go together, but they are not the same thing. You said they were the same thing, I am saying they are not. I am saying they are not the same thing, because that is the correct thing to say to somebody who says they are the same thing. You can dance around it all you want with your paragraphs of words, but the fact of the matter is you were incorrect, at least in how you described it, and you should just accept that. But I didn't say that. I said that they are always together and made it clear that they were separate, but always together. I wasn't incorrect, I was completely correct. Calling two sentences a "paragraph of words" and describing facts as "dancing around" doesn't change the fact that I said one thing, and you claimed another. Call it what you will, but what I said was correct, factual, useful, and anything but misleading as you try to portray it. It was correct, useful, and helpful to someone who would be unclear as to the meaning. 