Arg! The money spent the month before I stated here.
-
@tim_g said in Arg! The money spent the month before I stated here.:
@travisdh1 said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
@scottalanmiller said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
...and ability to spot fake "java update" ads for example.
No, that's not how that works. Anything that runs on the router can be run on the client machine. The idea that UTM can do something that traditional AV cannot is incorrect. It's the same thing, just one runs on a low powered shared machine and one runs on the high powered desktop.
It works because one protects against stuff that bypasses the firewall... like if you plug in an infected USB stick, or some other means of bypassing the firewall.
And the other helps against things that pass through the firewall. Both together are better.
Why do you need to pay so much money when you can get the same functionality free? That's my beef, not that security in-depth isn't a good thing.
Where do you get good SSL-DPI for free, with reliable gateway AV?
Every proxy server around offers that.
-
@travisdh1 said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
@travisdh1 said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
@scottalanmiller said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
...and ability to spot fake "java update" ads for example.
No, that's not how that works. Anything that runs on the router can be run on the client machine. The idea that UTM can do something that traditional AV cannot is incorrect. It's the same thing, just one runs on a low powered shared machine and one runs on the high powered desktop.
It works because one protects against stuff that bypasses the firewall... like if you plug in an infected USB stick, or some other means of bypassing the firewall.
And the other helps against things that pass through the firewall. Both together are better.
Why do you need to pay so much money when you can get the same functionality free? That's my beef, not that security in-depth isn't a good thing.
Where do you get good SSL-DPI for free, with reliable gateway AV?
Every proxy server around offers that.
Have fun with that.
-
@tim_g said in Arg! The money spent the month before I stated here.:
@travisdh1 said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
@travisdh1 said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
@scottalanmiller said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
...and ability to spot fake "java update" ads for example.
No, that's not how that works. Anything that runs on the router can be run on the client machine. The idea that UTM can do something that traditional AV cannot is incorrect. It's the same thing, just one runs on a low powered shared machine and one runs on the high powered desktop.
It works because one protects against stuff that bypasses the firewall... like if you plug in an infected USB stick, or some other means of bypassing the firewall.
And the other helps against things that pass through the firewall. Both together are better.
Why do you need to pay so much money when you can get the same functionality free? That's my beef, not that security in-depth isn't a good thing.
Where do you get good SSL-DPI for free, with reliable gateway AV?
Every proxy server around offers that.
Have fun with that.
What makes you think your favored solution isn't using ClamAV and Snort under the hood?
-
@travisdh1 said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
@travisdh1 said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
@travisdh1 said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
@scottalanmiller said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
...and ability to spot fake "java update" ads for example.
No, that's not how that works. Anything that runs on the router can be run on the client machine. The idea that UTM can do something that traditional AV cannot is incorrect. It's the same thing, just one runs on a low powered shared machine and one runs on the high powered desktop.
It works because one protects against stuff that bypasses the firewall... like if you plug in an infected USB stick, or some other means of bypassing the firewall.
And the other helps against things that pass through the firewall. Both together are better.
Why do you need to pay so much money when you can get the same functionality free? That's my beef, not that security in-depth isn't a good thing.
Where do you get good SSL-DPI for free, with reliable gateway AV?
Every proxy server around offers that.
Have fun with that.
What makes you think your favored solution isn't using ClamAV and Snort under the hood?
My favored solution is local A/V on every device, such as ESET, plus at the network gateway / firewall (and using SSL inspection when possible), local firewall enabled on all network clients, etc etc.
What are you using? or are you just relying on a single layer? Can you guarantee A/V is running and up to date on every device on your wired and wireless network at all times?
-
I don't know what size your company is, but when you have thousands of devices and hundreds of users... you need layers. You need layers no matter what actually.
-
@tim_g said in Arg! The money spent the month before I stated here.:
I don't know what size your company is, but when you have thousands of devices and hundreds of users... you need layers. You need layers no matter what actually.
@travisdh1 said in Arg! The money spent the month before I stated here.:
not that security in-depth isn't a good thing.
It doesn't matter what "size" the organization is, you need layered security everywhere, period.
-
@tim_g said in Arg! The money spent the month before I stated here.:
@travisdh1 said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
@travisdh1 said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
@travisdh1 said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
@scottalanmiller said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
...and ability to spot fake "java update" ads for example.
No, that's not how that works. Anything that runs on the router can be run on the client machine. The idea that UTM can do something that traditional AV cannot is incorrect. It's the same thing, just one runs on a low powered shared machine and one runs on the high powered desktop.
It works because one protects against stuff that bypasses the firewall... like if you plug in an infected USB stick, or some other means of bypassing the firewall.
And the other helps against things that pass through the firewall. Both together are better.
Why do you need to pay so much money when you can get the same functionality free? That's my beef, not that security in-depth isn't a good thing.
Where do you get good SSL-DPI for free, with reliable gateway AV?
Every proxy server around offers that.
Have fun with that.
What makes you think your favored solution isn't using ClamAV and Snort under the hood?
My favored solution is local A/V on every device, such as ESET, plus at the network gateway / firewall (and using SSL inspection when possible), local firewall enabled on all network clients, etc etc.
What are you using?
Right now, Sophos. Soon to be Wazah and snort/clamav instead.
or are you just relying on a single layer?
No, and nobody should.
Can you guarantee A/V is running and up to date on every device on your wired and wireless network at all times?
Part of the job is dealing with the public, so no. I guarantee the guest network is littered with junk.
The secured network tho, yes.
-
@tim_g said in Arg! The money spent the month before I stated here.:
@scottalanmiller said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
A lot of malware such as ransomware is delivered from legitimate SSL sites that have been hacked.
So if you don't have some kind of SSL Inspection (like SonicWALL's SSL-DPI), then you are solely relying on your users' AV and ability to spot fake "java update" ads for example.
You are relying on the same thing in both cases, just one runs no a central processor and one runs closer to the end user. Same scanning functionality, though.
Security in layers... why not one at the gateway?
Because it's the wrong place to be adding in extra services. And its redudant. You HAVE to have that security at the end point, having it twice isn't really layers, it's just lost money.
-
@tim_g said in Arg! The money spent the month before I stated here.:
@scottalanmiller said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
...and ability to spot fake "java update" ads for example.
No, that's not how that works. Anything that runs on the router can be run on the client machine. The idea that UTM can do something that traditional AV cannot is incorrect. It's the same thing, just one runs on a low powered shared machine and one runs on the high powered desktop.
It works because one protects against stuff that bypasses the firewall... like if you plug in an infected USB stick, or some other means of bypassing the firewall.
And the other helps against things that pass do through the firewall (like a pc connecting to the internet). Both together are better.
Actually no, it's not better. The one protects against both things, the other is just a replication of the part of the other. It doesn't add anything, it just makes the network slower and makes admins more likely to be lazy.
-
@tim_g said in Arg! The money spent the month before I stated here.:
My favored solution is local A/V on every device, such as ESET....
We specifically found ESET to be unreliable and the company untrustworthy.
-
@tim_g said in Arg! The money spent the month before I stated here.:
What are you using? or are you just relying on a single layer? Can you guarantee A/V is running and up to date on every device on your wired and wireless network at all times?
You can guarantee that about as easily as you can guarantee that it is up and running and up to date on the firewall. In both cases, you have to check. But the firewall doesn't add any protection if you have it on the clients. But the clients need it regardless of it is on the firewall.
-
@tim_g said in Arg! The money spent the month before I stated here.:
I don't know what size your company is, but when you have thousands of devices and hundreds of users... you need layers. You need layers no matter what actually.
It's a misuse of the concept of layers. Layers refer to "extra" and "different" protections. This is really the same layer done twice... once well and once not well.
-
UTM security is really just "LAN security" at the extreme. Protecting the LAN. It's all sales hype from network vendors.
-
So all you recommend to your clients is to have A/V on their computers, a firewall, and that's it? How do you protect devices without A/V?
-
@tim_g said in Arg! The money spent the month before I stated here.:
So all you recommend to your clients is to have A/V on their computers, a firewall, and that's it? How do you protect devices without A/V?
Exactly. What device without AV needs AV? What's the theoretical threat that the UTM protects against?
-
@scottalanmiller said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
My favored solution is local A/V on every device, such as ESET....
We specifically found ESET to be unreliable and the company untrustworthy.
ESET has a MUCH better detection rate than ClamAV for example. Unless ClamAV has gotten better in the last year or so, there's no way I'd trust it as my main line of A/V defense.
-
@tim_g said in Arg! The money spent the month before I stated here.:
How do you protect devices without A/V?
I feel like this is a trick question. It's one of those "what about this unnamed or unkown threat" that isn't a real world threat. We don't need to protect against things that don't exist. It sounds sensible... what if "X" happens, what will you do? But that's not how security works. Security you have to assess what are reasonable, realistic threats. AV isn't a broadly useful tool, it's useful in the Windows desktop world and the Mac world, but beyond that, it's not really a valuable thing. You don't need AV on your router, right? You don't need it on your switches.
But asking the question creates an emotional response. Oh no, no antivirus on your switches or access points? How will you protect yourself without a UTM?
Um... I protect myself by that not being a threat vector. There's nothing to protect against.
-
@tim_g said in Arg! The money spent the month before I stated here.:
@scottalanmiller said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
My favored solution is local A/V on every device, such as ESET....
We specifically found ESET to be unreliable and the company untrustworthy.
ESET has a MUCH better detection rate than ClamAV for example. Unless ClamAV has gotten better in the last year or so, there's no way I'd trust it as my main line of A/V defense.
Not from what we found. ESET had a 0% detection rate because the vendor would cripple it remotely to extort more money. Completely unreliable.
-
@tim_g said in Arg! The money spent the month before I stated here.:
Unless ClamAV has gotten better in the last year or so, there's no way I'd trust it as my main line of A/V defense.
That's our take with ESET. Wouldn't trust it with any line of defense. Don't trust the product as it has a remote kill switch (that gets used.) And definitely can't trust the vendor, they are unethical and openly their customers' enemy. They are more of someone to protect the LAN against, not to let in the door. Lessons learned the hard way.
-
I've personally seen it protect against thousands of threats... before others have. Logs to prove it. It's great for central management, keeping definitions updated, showing if any devices are not up to date... shows if windows updates are not current as well.