
    New customer - greenfield setup

    Category: IT Discussion. Tags: greenfield, new it setup.
    83 Posts, 12 Posters, 11.7k Views
    • dbeato @Dashrender

      @dashrender said in New customer - greenfield setup:

      An NGFW from Sophos will run around
      1 year - $900
      5 years - $1800

      It's definitely not cheap, but the idea of scanning all of the traffic inbound seems nice. Of course it's really only worthwhile where we can do SSL inspection (can this be done without installing certs on the clients to allow MiTM inspection?)

      With the appliance - we could also have multilayers of email scanning - i.e. MX points to Sophos - Sophos then sends to M365.

      With Sophos you can do Web Proxy filtering.

      • JaredBusch @Dashrender (last edited by JaredBusch)

        @dashrender said in New customer - greenfield setup:

        Should they go DNS filtering or NGFW with filtering subscription?

        2 years ago, I would have said DNS filtering. But now browsers are starting to go around DNS with built in DNS over TLS and such.

        But even 2 years ago I would have asked why they actually need filtering.

        Can they not just discipline employees? Because this is just stupid talking.

        @dashrender said in New customer - greenfield setup:

        They want web filtering to keep porn/guns/violence, etc at bay.

        • VoIP_n00b (last edited by VoIP_n00b)

          For filtering I would just do DNS filtering: redirect all DNS traffic to your preferred solution. Make sure you include DNS over TLS traffic as @JaredBusch points out.

          • Dashrender @JaredBusch

            @jaredbusch said in New customer - greenfield setup:

            @dashrender said in New customer - greenfield setup:

            Should they go DNS filtering or NGFW with filtering subscription?

            2 years ago, I would have said DNS filtering. But now browsers are starting to go around DNS with built in DNS over TLS and such.

            But even 2 years ago I would have asked why they actually need filtering.

            Can they not just discipline employees? Because this is just stupid talking.

            @dashrender said in New customer - greenfield setup:

            They want web filtering to keep porn/guns/violence, etc at bay.

            It's less about employees and what is accessed on their guest WiFi. They will have clients spending hours in the office, likely on the internet much of that time.

            • Dashrender @JaredBusch

              @jaredbusch said in New customer - greenfield setup:

              @dashrender said in New customer - greenfield setup:

              Should they go DNS filtering or NGFW with filtering subscription?

              2 years ago, I would have said DNS filtering. But now browsers are starting to go around DNS with built in DNS over TLS and such.

              I know several DNS providers were starting to provide DNS over TLS, and that several of the browser vendors were saying - as long as the provided DNS provider used DNS over TLS or HTTPS then the browser would respect the system's IP settings.

              Have you found that to be not true? - then again, how would you know other than the traffic going to known browser based DNS over TLS IPs.

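On the "how would you know" question above: at layer 3/4 the only signals are the DoT port itself and HTTPS flows to addresses you already know are resolvers. The following is an added example, not code from anyone in the thread. It is a POSIX sh/awk audit over firewall or flow-export logs that flags any flow to port 853 (DoT) and any flow on port 443 (TCP, or UDP for HTTP/3) whose destination is in a list of known public resolvers (DoH). The key=value log format and the sample flow lines are constructed for the example; the resolver list is whatever the admin maintains. A DoH server that is not on that list is indistinguishable from ordinary HTTPS here, so catching those needs the TLS SNI from a proxy or IDS log.

```shell
#!/bin/sh
# Added example (not from the thread): flag LAN hosts that are talking DoT/DoH
# instead of using the resolver handed out by DHCP.
# Input: one flow per line as key=value fields (format assumed); output: one
# line per suspicious flow: "<src> <dst> <proto>/<dport> <DoT|DoH>".

# find_dns_bypass IP [IP ...]  < flows
# IPs are the known public resolvers to treat as DoH endpoints on port 443.
find_dns_bypass() {
  awk -v known="$*" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) resolver[k[i]] = 1 }
    {
      src = ""; dst = ""; proto = ""; dport = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if      (kv[1] == "src")   src   = kv[2]
        else if (kv[1] == "dst")   dst   = kv[2]
        else if (kv[1] == "proto") proto = kv[2]
        else if (kv[1] == "dport") dport = kv[2]
      }
      # DoT has its own port, so any 853 flow is a bypass regardless of destination
      if (dport == "853")
        print src, dst, proto "/" dport, "DoT"
      # DoH rides on 443 (TCP, or UDP for HTTP/3) and is only recognisable by destination
      else if (dport == "443" && (dst in resolver))
        print src, dst, proto "/" dport, "DoH"
    }'
}

# Constructed sample flows: a DoT client, ordinary HTTPS, DoH to 8.8.8.8,
# a legitimate query to the internal resolver, and HTTP/3 DoH to Quad9.
SAMPLE_FLOWS='ts=2024-05-01T09:12:03Z src=192.168.10.21 dst=1.1.1.1 proto=tcp dport=853
ts=2024-05-01T09:12:04Z src=192.168.10.21 dst=203.0.113.80 proto=tcp dport=443
ts=2024-05-01T09:12:05Z src=192.168.10.33 dst=8.8.8.8 proto=tcp dport=443
ts=2024-05-01T09:12:06Z src=192.168.10.33 dst=10.0.0.1 proto=udp dport=53
ts=2024-05-01T09:12:07Z src=192.168.10.40 dst=9.9.9.9 proto=udp dport=443'

# Usage: feed real flow logs on stdin instead of the sample.
printf '%s\n' "$SAMPLE_FLOWS" | find_dns_bypass 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 9.9.9.9
```

Run it against the sample and three of the five flows are reported (the DoT session, the DoH to 8.8.8.8 and the QUIC DoH to 9.9.9.9); the plain HTTPS flow and the query to the internal resolver are not. The same function works on a day of exported flows, which is the quickest way to find out whether the "browser respects system settings" claim holds on your own LAN.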
              • Dashrender @JaredBusch

                @jaredbusch said in New customer - greenfield setup:

                But even 2 years ago I would have asked why they actually need filtering.

                Can they not just discipline employees? Because this is just stupid talking.

                We've all asked this question over the years. And in general I agree with you. Sadly there's more requirements for companies to keep their workspaces harassment free, etc.

                But really, the best reason for DNS filtering is defense in depth. If the DNS server can keep a computer from even visiting a known bad IP, that's just one more helper in the war. Sure there are false positives; assuming there aren't many of those, you just fix it and move on. If there are, then you find a new provider who isn't so bad at it.

                • JaredBusch @Dashrender

                  @dashrender said in New customer - greenfield setup:

                  the browser vendors were saying - as long as the provided DNS provider used DNS over TLS or HTTPS then the browser would respect the system's IP settings.

                  And since when has your standard router or Windows Server had DNS over TLS?

                  • dave247

                    For basic site filter, would you consider OpenDNS? Then, like Jared said, discipline the employees.

                    • gjacobse @dave247

                      @dave247 said in New customer - greenfield setup:

                      discipline the employees

                      Discipline of employees will only get you so far. You can have all the greatest intentions and an employee follows your policies - until - that one employee that becomes disgruntled and starts to poison another. Or in some cases - they try to actually do the job duties only to find that they cannot due to some over reaching policy and start to find ways around the policy and security.

                      • Dashrender @JaredBusch

                        @jaredbusch said in New customer - greenfield setup:

                        @dashrender said in New customer - greenfield setup:

                        the browser vendors were saying - as long as the provided DNS provider used DNS over TLS or HTTPS then the browser would respect the system's IP settings.

                        And since when has your standard router or Windows Server had DNS over TLS?

                        Good question:

                        Someone created a solution for Edgerouters two years ago
                        https://community.ui.com/questions/DNS-over-TLS-solution-for-EdgeMax-v2/aa0c5c80-1aae-4838-8b31-4dd7028b1219

                        The windows client (10/11) saw it added to beta in 2020:
                        https://www.zdnet.com/article/microsoft-adds-initial-support-for-dns-over-https-doh-in-windows-insiders/
                        And full production:
                        https://techcommunity.microsoft.com/t5/networking-blog/making-doh-discoverable-introducing-ddr/ba-p/2887289

                        Can't find anything about Windows Server DNS being updated as DOH resolver.
                        and no mention of DNS over TLS for Windows yet.

                        • notverypunny

                          For the filtering piece, I don't know that anything relying on DNS filtering alone would be adequate in a business environment. I'd come back to your firewall option from Sophos or an equivalent FortiNet product (just because that's what I'm used to) with a web-filtering subscription. That way even if you've got devices that are getting around your DNS (especially mobile devices) to look up the undesirable sites and services, the FW would still block traffic to and from the destination based on its web-filtering. This should be possible without any MiTM type inspection as well.

                          • 1337 @Dashrender (last edited by 1337)

                            @dashrender said in New customer - greenfield setup:

                            @jaredbusch said in New customer - greenfield setup:

                            @dashrender said in New customer - greenfield setup:

                            Should they go DNS filtering or NGFW with filtering subscription?

                            2 years ago, I would have said DNS filtering. But now browsers are starting to go around DNS with built in DNS over TLS and such.

                            I know several DNS providers were starting to provide DNS over TLS, and that several of the browser vendors were saying - as long as the provided DNS provider used DNS over TLS or HTTPS then the browser would respect the system's IP settings.

                            Have you found that to be not true? - then again, how would you know other than the traffic going to known browser based DNS over TLS IPs.

                            That's just the thing. You need to block that crap.

                            • Block DNS over TLS in the firewall (port 853 outgoing).
                            • Block DNS over HTTPS in the firewall (port 443 outgoing to IPs of all known DNS providers like 1.1.1.1, 8.8.8.8 etc).
                            • Block DNS in the firewall (port 53 outgoing)
                            • Set up your DNS filtering and set the firewall to provide that DNS to everything on the LAN.

                            My general rule is to block everything outgoing except 80 (for redirect purposes) and 443. Then open up as needed.

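The redirect-and-block approach from VoIP_n00b's post and the four-step list just above, as an added nftables example that is not code from either poster or from any vendor named in the thread. It assumes the firewall runs its own forwarding resolver on port 53 (pointed at whatever filtering provider is chosen), that the LAN-facing interface is called lan0, and that the admin maintains the list of public resolver addresses; the addresses used below are only the well-known ones 1337 named plus Quad9, and a real deployment needs each provider's full ranges (the set takes CIDR blocks as well). UDP 443 is dropped to the same set because DoH over HTTP/3 uses QUIC. DoH to a resolver that is not in the set still looks like ordinary HTTPS, which is the limit of this technique without TLS inspection.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset that forces LAN clients through the
# firewall's own resolver and drops the usual DNS-bypass paths (plain 53, DoT 853,
# DoH 443 to known public resolvers). Interface name and resolver addresses are
# parameters and assumptions; nothing here is the original posters' code.

# join_csv a b c -> "a, b, c" (nft set element syntax)
join_csv() {
  _joined=""
  for _x in "$@"; do
    if [ -z "$_joined" ]; then _joined="$_x"; else _joined="$_joined, $_x"; fi
  done
  printf '%s' "$_joined"
}

# gen_dns_egress_rules LAN_IFACE "RESOLVER_IP ..."  -> nft ruleset on stdout
gen_dns_egress_rules() {
  lan_if="$1"
  set -- $2                     # deliberate word-splitting of the address list
  elems=$(join_csv "$@")
  cat <<EOF
table ip dns_nat {
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    # Step 4: every plain-DNS query from the LAN lands on the firewall's own
    # resolver, which forwards to the filtering provider. The resolver must
    # listen on the LAN interface for this to work.
    iifname "$lan_if" udp dport 53 redirect to :53
    iifname "$lan_if" tcp dport 53 redirect to :53
  }
}

table inet dns_filter {
  set public_resolvers {
    type ipv4_addr
    flags interval
    elements = { $elems }
  }
  chain forward {
    type filter hook forward priority filter; policy accept;
    ct state established,related accept
    # Step 3: plain DNS that somehow dodged the redirect above
    iifname "$lan_if" udp dport 53 drop
    iifname "$lan_if" tcp dport 53 drop
    # Step 1: DNS over TLS has its own port, so destination does not matter
    iifname "$lan_if" tcp dport 853 drop
    # Step 2: DNS over HTTPS is only recognisable by destination (UDP 443 = HTTP/3)
    iifname "$lan_if" ip daddr @public_resolvers tcp dport 443 drop
    iifname "$lan_if" ip daddr @public_resolvers udp dport 443 drop
  }
}
EOF
}

# Usage: review the output, then apply with
#   gen_dns_egress_rules lan0 "1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 9.9.9.9" | nft -f -
gen_dns_egress_rules lan0 "1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 9.9.9.9"
```

The firewall's own upstream queries leave through the output chain, not forward, so they are unaffected; if the filtering provider offers DoT, point the local forwarder at it over 853 and the clients still see nothing but the internal resolver. A browser whose DoH fallback is "use system DNS when the DoH endpoint is unreachable" degrades cleanly under these rules; one configured to fail closed will simply stop resolving, which is worth knowing before the guest network goes live.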
                            • Dashrender @notverypunny

                              @notverypunny said in New customer - greenfield setup:

                              For the filtering piece, I don't know that anything relying on DNS filtering alone would be adequate in a business environment. I'd come back to your firewall option from Sophos or an equivalent FortiNet product (just because that's what I'm used to) with a web-filtering subscription. That way even if you've got devices that are getting around your DNS (especially mobile devices) to look up the undesirable sites and services, the FW would still block traffic to and from the destination based on its web-filtering. This should be possible without any MiTM type inspection as well.

                              Yeah - this is where I'm leaning. I care less about the virus filtering on the guest network - where all the phones and guest devices should be.

                              • gjacobse

                                Not knowing all of the aspects you will run into, something we have here - and is a pain point sometimes is the WI-Fi and vLans.

                                We have iPads for certain tasks,.. we have a few RING cameras as well, In some cases - they only need to go to the internet - so they are routed as such.

                                The iPads are used as interruptor stations - so only need to hit that web site (iPads are MDM'ed), and the Ring camera only needs access to RING.

                                • notverypunny @Dashrender

                                  @dashrender said in New customer - greenfield setup:

                                  @notverypunny said in New customer - greenfield setup:

                                  For the filtering piece, I don't know that anything relying on DNS filtering alone would be adequate in a business environment. I'd come back to your firewall option from Sophos or an equivalent FortiNet product (just because that's what I'm used to) with a web-filtering subscription. That way even if you've got devices that are getting around your DNS (especially mobile devices) to look up the undesirable sites and services, the FW would still block traffic to and from the destination based on its web-filtering. This should be possible without any MiTM type inspection as well.

                                  Yeah - this is where I'm leaning. I care less about the virus filtering on the guest network - where all the phones and guest devices should be.

                                  Depending on how petty and litigious the guest network users might be, that could be a dangerous stance with regards to the guest network.

                                  • Dashrender @notverypunny

                                    @notverypunny said in New customer - greenfield setup:

                                    @dashrender said in New customer - greenfield setup:

                                    @notverypunny said in New customer - greenfield setup:

                                    For the filtering piece, I don't know that anything relying on DNS filtering alone would be adequate in a business environment. I'd come back to your firewall option from Sophos or an equivalent FortiNet product (just because that's what I'm used to) with a web-filtering subscription. That way even if you've got devices that are getting around your DNS (especially mobile devices) to look up the undesirable sites and services, the FW would still block traffic to and from the destination based on its web-filtering. This should be possible without any MiTM type inspection as well.

                                    Yeah - this is where I'm leaning. I care less about the virus filtering on the guest network - where all the phones and guest devices should be.

                                    Depending on how petty and litigious the guest network users might be, that could be a dangerous stance with regards to the guest network.

                                    I personally do refuse to use any guest WiFi that requires the installation of a third party cert to use. That said - I can only recall this happening one time.

                                    I'm not against DNS filtering - all the things Pete.S mentioned, but SSL inspection on guest - nope, not interested... Hell, I'd be more worried about being sued for breach of privacy.

                                    • Dashrender @gjacobse

                                      @gjacobse said in New customer - greenfield setup:

                                      Not knowing all of the aspects you will run into, something we have here - and is a pain point sometimes is the WI-Fi and vLans.

                                      We have iPads for certain tasks,.. we have a few RING cameras as well, In some cases - they only need to go to the internet - so they are routed as such.

                                      The iPads are used as interruptor stations - so only need to hit that web site (iPads are MDM'ed), and the Ring camera only needs access to RING.

                                      These are my thoughts as well, it's one of the drawbacks to Ubiquiti gear - limited to 4 VLANs on WiFi (at least used to be). For now, I think four will do me.
                                      Production
                                      IOT - internet only
                                      Guest
                                      medical equipment - future potential

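The four-VLAN layout listed above (production, IoT internet-only, guest, medical later) and gjacobse's "only need to go to the internet" devices, as an added nftables forward policy. This is an example written for this page, not either poster's configuration and not any vendor's. It assumes the firewall routes between VLAN interfaces named vlan10 (production), vlan20 (IoT) and vlan30 (guest), and that "internet only" means "any destination that is not a private address". The medical VLAN gets no rule on purpose: with the chain's default policy set to drop, a VLAN that is added later can reach nothing until someone writes its rule, which is the safe failure mode for equipment that is only a "future potential" today.

```shell
#!/bin/sh
# Added example (not from the thread): an nftables forward policy for the
# four-VLAN layout discussed above. Interface names are assumptions.
#   prod  : may reach everything (the DNS-bypass rules live in another table)
#   iot   : internet only, no private destinations, so no path to prod or guest
#   guest : internet only, same restriction
# Default policy is drop, so a new VLAN gets nothing until a rule is added.
# DHCP/DNS from the firewall itself are input-chain traffic and are not
# affected by this chain.

# gen_vlan_policy PROD_IF IOT_IF GUEST_IF -> nft ruleset on stdout
gen_vlan_policy() {
  prod_if="$1"; iot_if="$2"; guest_if="$3"
  cat <<EOF
define rfc1918  = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
define private6 = { fc00::/7, fe80::/10 }

table inet vlan_policy {
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    ct state invalid drop

    # production: full egress, including into the IoT VLAN for management
    iifname "$prod_if" accept

    # IoT and guest: internet only. Matching on the private destination
    # ranges rather than on "the other VLAN interfaces" means a VLAN added
    # later is protected without touching these rules. The IPv6 line is
    # needed because "ip daddr" never matches IPv6 packets.
    iifname "$iot_if" ip daddr \$rfc1918 drop
    iifname "$iot_if" ip6 daddr \$private6 drop
    iifname "$iot_if" accept
    iifname "$guest_if" ip daddr \$rfc1918 drop
    iifname "$guest_if" ip6 daddr \$private6 drop
    iifname "$guest_if" accept
  }
}
EOF
}

# Usage: gen_vlan_policy vlan10 vlan20 vlan30 | nft -f -
gen_vlan_policy vlan10 vlan20 vlan30
```

Because production is allowed to initiate into the IoT VLAN but not the reverse, the MDM'd iPads and the camera can be reached for management while a compromised IoT device still sees only the internet. The Ring camera's "only needs access to RING" case is a narrower version of the same idea: an extra rule with an nft set of the vendor's published address ranges, placed before the plain accept, with that device's source address and a final drop.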
                                      • gjacobse @Dashrender

                                        @dashrender said in New customer - greenfield setup:

                                        @gjacobse said in New customer - greenfield setup:

                                        Not knowing all of the aspects you will run into, something we have here - and is a pain point sometimes is the WI-Fi and vLans.

                                        We have iPads for certain tasks,.. we have a few RING cameras as well, In some cases - they only need to go to the internet - so they are routed as such.

                                        The iPads are used as interruptor stations - so only need to hit that web site (iPads are MDM'ed), and the Ring camera only needs access to RING.

                                        These are my thoughts as well, it's one of the drawbacks to Ubiquiti gear - limited to 4 VLANs on WiFi (at least used to be). For now, I think four will do me.
                                        Production
                                        IOT - internet only
                                        Guest
                                        medical equipment - future potential

                                        lol - well as much as I don't like them - we use Cisco and Meraki... I think we have almost 30 vlans and a dozen SSIDs.. but some are getting added to retire others.

                                        • Dashrender @gjacobse

                                          @gjacobse said in New customer - greenfield setup:

                                          @dashrender said in New customer - greenfield setup:

                                          @gjacobse said in New customer - greenfield setup:

                                          Not knowing all of the aspects you will run into, something we have here - and is a pain point sometimes is the WI-Fi and vLans.

                                          We have iPads for certain tasks,.. we have a few RING cameras as well, In some cases - they only need to go to the internet - so they are routed as such.

                                          The iPads are used as interruptor stations - so only need to hit that web site (iPads are MDM'ed), and the Ring camera only needs access to RING.

                                          These are my thoughts as well, it's one of the drawbacks to Ubiquiti gear - limited to 4 VLANs on WiFi (at least used to be). For now, I think four will do me.
                                          Production
                                          IOT - internet only
                                          Guest
                                          medical equipment - future potential

                                          lol - well as much as I don't like them - we use Cisco and Meraki... I think we have almost 30 vlans and a dozen SSIDs.. but some are getting added to retire others.

                                          I would never recommend those to a client. If they demand it, or it's already setup - that's different...

                                          I'd rather look at Aruba - though I've heard some positive things about TPLink.

                                          The thing for me now is the controller -

                                          • notverypunny @Dashrender

                                            @dashrender said in New customer - greenfield setup:

                                            @notverypunny said in New customer - greenfield setup:

                                            @dashrender said in New customer - greenfield setup:

                                            @notverypunny said in New customer - greenfield setup:

                                            For the filtering piece, I don't know that anything relying on DNS filtering alone would be adequate in a business environment. I'd come back to your firewall option from Sophos or an equivalent FortiNet product (just because that's what I'm used to) with a web-filtering subscription. That way even if you've got devices that are getting around your DNS (especially mobile devices) to look up the undesirable sites and services, the FW would still block traffic to and from the destination based on its web-filtering. This should be possible without any MiTM type inspection as well.

                                            Yeah - this is where I'm leaning. I care less about the virus filtering on the guest network - where all the phones and guest devices should be.

                                            Depending on how petty and litigious the guest network users might be, that could be a dangerous stance with regards to the guest network.

                                            I personally do refuse to use any guest WiFi that requires the installation of a third party cert to use. That said - I can only recall this happening one time.

                                            I'm not against DNS filtering - all the things Pete.S mentioned, but SSL inspection on guest - nope, not interested... Hell, I'd be more worried about being sued for breach of privacy.

                                            Absolutely this too. A FW shouldn't have to do anything like MiTM for basic web filtering, just block traffic out to undesirable sites. Your subscription service is keeping that list of sites up to date and accessible to you..... The SO's place of work wants to do DPI / MiTM on their guest wifi, so guess who's data plan got upgraded recently.
