    New customer - greenfield setup

    IT Discussion | tags: greenfield, new it setup
    83 Posts, 12 Posters, 11.7k Views
    scottalanmiller @Dashrender

      @dashrender said in New customer - greenfield setup:

      @jaredbusch said in New customer - greenfield setup:

      @dashrender said in New customer - greenfield setup:

      Should they go DNS filtering or NGFW with filtering subscription?

      2 years ago, I would have said DNS filtering. But now browsers are starting to go around DNS with built in DNS over TLS and such.

      I know several DNS providers were starting to provide DNS over TLS, and that several of the browser vendors were saying - as long as the provided DNS provider used DNS over TLS or HTTPS then the browser would respect the system's IP settings.

      Have you found that to be not true? - then again, how would you know other than the traffic going to known browser based DNS over TLS IPs.

      No matter what, someone that wants to work around this will. My phone, for example, would never even know that you blocked me because it always establishes a VPN first. So you'd know that I had a VPN, but that would be the end of it. All that SOPHOS magic, those certs, those IP blocks... none of it would ever show up. All that cost and me, not even trying to work around anything, would totally not be affected.

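A detection pass for the bypass paths discussed in this post (DNS over TLS, DNS over HTTPS, and a VPN brought up before anything else), as an added example that is not part of the thread or any product mentioned in it. It runs offline over constructed, Zeek-style flow summaries; the DoH hostnames, VPN ports and client addresses are illustrative assumptions, not a complete list. One related fact: Firefox looks up the canary name use-application-dns.net before enabling its built-in DoH and stays on the network's resolver when that lookup returns NXDOMAIN, so a guest-VLAN resolver that answers NXDOMAIN for it keeps Firefox (though not other clients) on the filtered path.

```python
"""Flag guest-network clients that are bypassing, or probing around, a DNS filter.

Added example, not code from the thread. Record format is a constructed,
Zeek-like summary of one flow (conn + ssl + dns fields); the DoH hostnames,
VPN ports and addresses below are illustrative assumptions.
"""
from collections import defaultdict

# Public DoH endpoints a browser or OS can be pointed at (assumption: partial list).
DOH_SNI = {
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.quad9.net",
    "doh.opendns.com",
}

# Firefox resolves this name before enabling its own DoH; an NXDOMAIN answer
# from the network resolver makes it keep using the system DNS.
CANARY = "use-application-dns.net"

# Well-known VPN transports. A VPN on tcp/443 is indistinguishable from HTTPS
# here without inspection, which is the point made in the post above.
VPN_PORTS = {
    ("udp", 1194): "openvpn",
    ("udp", 51820): "wireguard",
    ("udp", 500): "ipsec-ike",
    ("udp", 4500): "ipsec-nat-t",
}


def classify(rec):
    """Return a bypass label for one flow record, or None if it looks ordinary."""
    proto, dport = rec["proto"], rec["dport"]
    if proto == "tcp" and dport == 853:
        return "dot"                      # DNS over TLS: the port alone gives it away
    if proto == "tcp" and dport == 443 and rec.get("sni") in DOH_SNI:
        return "doh"                      # DNS over HTTPS: visible only through the TLS SNI
    if rec.get("query") == CANARY:
        return "doh-canary-probe"         # a Firefox client asking whether DoH is allowed here
    return VPN_PORTS.get((proto, dport))  # known VPN transport, else None


def bypassing_clients(records):
    """Map each client IP to the sorted list of bypass labels seen for it."""
    seen = defaultdict(set)
    for rec in records:
        label = classify(rec)
        if label:
            seen[rec["src"]].add(label)
    return {ip: sorted(labels) for ip, labels in seen.items()}


# Constructed sample traffic for a guest VLAN (not real captures).
SAMPLE = [
    {"src": "10.20.0.11", "proto": "udp", "dport": 53, "query": "example.com"},
    {"src": "10.20.0.11", "proto": "tcp", "dport": 443, "sni": "www.example.com"},
    {"src": "10.20.0.12", "proto": "tcp", "dport": 853},
    {"src": "10.20.0.13", "proto": "udp", "dport": 53, "query": CANARY},
    {"src": "10.20.0.13", "proto": "tcp", "dport": 443, "sni": "mozilla.cloudflare-dns.com"},
    {"src": "10.20.0.14", "proto": "udp", "dport": 51820},
    {"src": "10.20.0.14", "proto": "tcp", "dport": 443, "sni": "vpn.example.net"},
]

if __name__ == "__main__":
    for ip, labels in sorted(bypassing_clients(SAMPLE).items()):
        print(ip, ", ".join(labels))
```

Only tcp/853 and the DoH SNI list are visible without breaking TLS; the client on 10.20.0.14 shows up because of its WireGuard port, while its tcp/443 flow to an unlisted host is just another HTTPS connection. That is the limit of what any non-intercepting filter on a guest network can see.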
      scottalanmiller @Dashrender

        @dashrender said in New customer - greenfield setup:

        Sadly there's more requirements for companies to keep their workspaces harassment free, etc.

        No there isn't. There's no requirement or suggestion that any company can or should police visitors use of the internet. Someone lied to you. If that's a requirement, it would exist at the ISP level.

        scottalanmiller @dave247

          @dave247 said in New customer - greenfield setup:

          For basic site filter, would you consider OpenDNS? Then, like Jared said, discipline the employees.

          Not employees. So you can't use DNS filtering nor can you discipline. It's about controlling customers. So.... nothing will work.

          JaredBusch @Dashrender

            @dashrender said in New customer - greenfield setup:

            These are my thoughts as well, it's one of the drawbacks to Ubiquiti gear - limited to 4 VLANs on WiFi (at least used to be).

            The limit is 4 SSID. Of course that also means 4 VLAN max, since the VLAN is tied to the SSID. But the limit is not VLAN.

            scottalanmiller @notverypunny

              @notverypunny said in New customer - greenfield setup:

              For the filtering piece, I don't know that anything relying on DNS filtering alone would be adequate in a business environment. I'd come back to your firewall option from Sophos or an equivalent FortiNet product (just because that's what I'm used to) with a web-filtering subscription. That way even if you've got devices that are getting around your DNS (especially mobile devices) to look up the undesirable sites and services, the FW would still block traffic to and from the destination based on its web-filtering. This should be possible without any MiTM type inspection as well.

              Actually I'd say the opposite. DNS is adequate in essentially all business environments because doing nothing is also adequate. DNS filtering helps to prevent accidents and that can be a good thing. But this isn't about business or employees, it's an emotionally driven attempt to control the public that are customers, but without refusing to do business with said customers.

              If this was a business need, then DNS filtering is the only thing that makes sense. It assists employees trying to be good to stay good. It doesn't actually break anything that shouldn't be broken.

              But in this scenario, it's useless.

              scottalanmiller @Dashrender

                @dashrender said in New customer - greenfield setup:

                but SSL inspection on guest - nope, not interested... Hell I'd be more worried about being sued for breach of privacy.

                Well you CAN'T do it without seriously breaking the law (and pulling some magic super computing stuff.) It's federally criminal to attempt without the customer voluntarily handing over their computer to you which absolutely no one will do. And it's a lot of work for someone just sitting in an office trying to watch porn.

                These days, people will just use their cellular service anyway while in your office. All of your liability remains the same. It might feel like offering wifi exposes you, but if someone is going to sue you based on something downloaded or uploaded while on your premises, they will do so whether you made your network available or not.

                scottalanmiller @notverypunny

                  @notverypunny said in New customer - greenfield setup:

                  @dashrender said in New customer - greenfield setup:

                  @notverypunny said in New customer - greenfield setup:

                  For the filtering piece, I don't know that anything relying on DNS filtering alone would be adequate in a business environment. I'd come back to your firewall option from Sophos or an equivalent FortiNet product (just because that's what I'm used to) with a web-filtering subscription. That way even if you've got devices that are getting around your DNS (especially mobile devices) to look up the undesirable sites and services, the FW would still block traffic to and from the destination based on its web-filtering. This should be possible without any MiTM type inspection as well.

                  Yeah - this is where I'm leaning. I care less about the virus filtering on the guest network - where all the phones and guest devices should be.

                  Depending on how petty and litigious the guest network users might be, that could be a dangerous stance with regards to the guest network.

                  Even someone not very litigious can and should and likely would sue for this. This is a breach so egregious that no one that does so should not be in jail for a super long time. No one is actually considering doing this for guests, but if they actually did, this would be a criminal act of epic proportions.

                  JaredBusch @scottalanmiller

                    @scottalanmiller said in New customer - greenfield setup:

                    Well you CAN'T do it without seriously breaking the law (and pulling some magic super computing stuff.) It's federally criminal to attempt without the customer voluntarily handing over their computer to you which absolutely no one will do. And it's a lot of work for someone just sitting in an office trying to watch porn.

                    Most common people will simply get the portal, tap anything it says and thus agree to it all. So yeah, you are wrong that no one does it.

                    JaredBusch @scottalanmiller

                      @scottalanmiller said in New customer - greenfield setup:

                      These days, people will just use their cellular service anyway while in your office.

                      From the random stuff I see, I would say that is a 50/50 shot.

                      scottalanmiller @JaredBusch

                        @jaredbusch said in New customer - greenfield setup:

                        @scottalanmiller said in New customer - greenfield setup:

                        These days, people will just use their cellular service anyway while in your office.

                        From the random stuff I see, I would say that is a 50/50 shot.

                        If blocked, I mean

                        JaredBusch @scottalanmiller

                          @scottalanmiller said in New customer - greenfield setup:

                          @jaredbusch said in New customer - greenfield setup:

                          @scottalanmiller said in New customer - greenfield setup:

                          These days, people will just use their cellular service anyway while in your office.

                          From the random stuff I see, I would say that is a 50/50 shot.

                          If blocked, I mean

                          Absolutely, yes.

                          scottalanmiller @JaredBusch

                            @jaredbusch said in New customer - greenfield setup:

                            @scottalanmiller said in New customer - greenfield setup:

                            Well you CAN'T do it without seriously breaking the law (and pulling some magic super computing stuff.) It's federally criminal to attempt without the customer voluntarily handing over their computer to you which absolutely no one will do. And it's a lot of work for someone just sitting in an office trying to watch porn.

                            Most common people will simply get the portal, tap anything it says and thus agree to it all. So yeah, you are wrong that no one does it.

                            Is that all that it takes to get the phone or computer to install the certs and hand over man in the middle access? I've not done it, because... only a crazy person would.... but I thought it took several steps and a lot of warnings from most mobile devices.

                            Dashrender @scottalanmiller

                              @scottalanmiller said in New customer - greenfield setup:

                              @dashrender said in New customer - greenfield setup:

                              They want web filtering to keep porn/guns/violence, etc at bay.

                              I'd start by moving this from a hobby/emotional discussion to a business one. What "business value" are they looking for. The point here isn't to make them act like a business if they aren't one, but to use this process to define their real goal because the answer to your question is determined by that.

                              Right now, maybe they did a bunch of research and business thoughts and know that they need some filtering. Unlikely, but plausible. But they aren't relaying enough of that information to you (suggesting that there is none) so you don't know how to solve the problem because you are lacking the information necessary to do so that had to be used to make a business decision to do so in the first place.

                              Also, if this WAS a business decision, how did they reach it without talking to their IT and getting the IT costs and options as part of the process? They can't, ergo we know it's an emotional response. But that's separate.

                              I asked them - I know you and JB are likely glaring at me for that one - but that's where it started.

                              I am their IT - they are asking me what they should buy.

                              A few years ago it would have simply been - an EdgeRouter - some Unifi APs and call it good.
                              But really - I mainly started this thread to see if UTM appliances are really a better solution for most businesses today because of the threat landscape. (and maybe not UTM specifically - perhaps separate appliances when/where needed).
                              i.e.
                              web filtering to prevent access from known bad websites/IPs
                              SSL interception/AV scanning at the edge (in addition to the endpoint).

                              So I guess - there hasn't been too much emotion yet - just questions.

                              Why do they want to filter especially on the guest network - seems kind of obvious, they don't want to support people looking at things they don't support - like porn, violence, etc.

                              Dashrender @scottalanmiller

                                @scottalanmiller said in New customer - greenfield setup:

                                @jaredbusch said in New customer - greenfield setup:

                                Can they not just discipline employees? Because this is just stupid talking.

                                No way around this. They see themselves as having a management problem and they are trying to find a scapegoat in IT.

                                This was never about the employees - it's really more about limiting the guests and what they can access.

                                Dashrender @scottalanmiller

                                  @scottalanmiller said in New customer - greenfield setup:

                                  @dashrender said in New customer - greenfield setup:

                                  @jaredbusch said in New customer - greenfield setup:

                                  @dashrender said in New customer - greenfield setup:

                                  Should they go DNS filtering or NGFW with filtering subscription?

                                  2 years ago, I would have said DNS filtering. But now browsers are starting to go around DNS with built in DNS over TLS and such.

                                  I know several DNS providers were starting to provide DNS over TLS, and that several of the browser vendors were saying - as long as the provided DNS provider used DNS over TLS or HTTPS then the browser would respect the system's IP settings.

                                  Have you found that to be not true? - then again, how would you know other than the traffic going to known browser based DNS over TLS IPs.

                                  No matter what, someone that wants to work around this will. My phone, for example, would never even know that you blocked me because it always establishes a VPN first. So you'd know that I had a VPN, but that would be the end of it. All that SOPHOS magic, those certs, those IP blocks... none of it would ever show up. All that cost and me, not even trying to work around anything, would totally not be affected.

                                  Good point.

                                  Dashrender @scottalanmiller

                                    @scottalanmiller said in New customer - greenfield setup:

                                    @dave247 said in New customer - greenfield setup:

                                    For basic site filter, would you consider OpenDNS? Then, like Jared said, discipline the employees.

                                    Not employees. So you can't use DNS filtering nor can you discipline. It's about controlling customers. So.... nothing will work.

                                    While primarily for customers - the employees would also be limited...

                                    But yeah - I see the rabbit hole that's being generated here now.

                                    Dashrender @JaredBusch

                                      @jaredbusch said in New customer - greenfield setup:

                                      @dashrender said in New customer - greenfield setup:

                                      These are my thoughts as well, it's one of the drawbacks to Ubiquiti gear - limited to 4 VLANs on WiFi (at least used to be).

                                      The limit is 4 SSID. Of course that also means 4 VLAN max, since the VLAN is tied to the SSID. But the limit is not VLAN.

                                      aww - yes, you're starting it right... but clearly you understood my end point. 🙂 Thanks for the correction.

                                      Dashrender @scottalanmiller

                                        @scottalanmiller said in New customer - greenfield setup:

                                        @dashrender said in New customer - greenfield setup:

                                        but SSL inspection on guest - nope, not interested... Hell I'd be more worried about being sued for breach of privacy.

                                        Well you CAN'T do it without seriously breaking the law (and pulling some magic super computing stuff.) It's federally criminal to attempt without the customer voluntarily handing over their computer to you which absolutely no one will do. And it's a lot of work for someone just sitting in an office trying to watch porn.

                                        You missed the reality of what I was saying -

                                        I've been on guest wifi networks that sent you to a captive portal and required you to install their SSL cert so you could surf, and they could intercept all your traffic.

                                        I was saying I was unwilling to make that a requirement on this client's network (they haven't asked for it, and I as their current IT wouldn't recommend it if they did).

                                        Dashrender @JaredBusch

                                          @jaredbusch said in New customer - greenfield setup:

                                          @scottalanmiller said in New customer - greenfield setup:

                                          Well you CAN'T do it without seriously breaking the law (and pulling some magic super computing stuff.) It's federally criminal to attempt without the customer voluntarily handing over their computer to you which absolutely no one will do. And it's a lot of work for someone just sitting in an office trying to watch porn.

                                          Most common people will simply get the portal, tap anything it says and thus agree to it all. So yeah, you are wrong that no one does it.

                                          Exactly - I have seen this - exactly once - and myself just walked away from that access point.

                                          Dashrender @scottalanmiller

                                            @scottalanmiller said in New customer - greenfield setup:

                                            @jaredbusch said in New customer - greenfield setup:

                                            @scottalanmiller said in New customer - greenfield setup:

                                            Well you CAN'T do it without seriously breaking the law (and pulling some magic super computing stuff.) It's federally criminal to attempt without the customer voluntarily handing over their computer to you which absolutely no one will do. And it's a lot of work for someone just sitting in an office trying to watch porn.

                                            Most common people will simply get the portal, tap anything it says and thus agree to it all. So yeah, you are wrong that no one does it.

                                            Is that all that it takes to get the phone or computer to install the certs and hand over man in the middle access? I've not done it, because... only a crazy person would.... but I thought it took several steps and a lot of warnings from most mobile devices.

                                            Yeah - there are a few warnings... but most people will simply accept it and start surfing - it's crazy... they have no clue what they are giving up. And even worse, a surprising number wouldn't care even if you got them to actually understand it.
