Arg! The money spent the month before I stated here.

Obsolesce

http://static.panoramio.com/photos/large/8439314.jpg

Obsolesce

I hear everything you say about the gateway AV... but I've personally seen a lot of cases where the gateway AV had not been in place, the AV on the client did not detect or the lack of AV would not have detected.

Obsolesce

I'm sure most places may not need it at all, but some environments may.. such as those with a number of devices that may not have AV (not theoretical, because there's some that don't) and some with outdated definitions.

I've seen a lot of AV clients that are running outdated definitions... they are broken and wont update.

There's a lot of places a gateway AV makes sense. Maybe by your technical definition it's not layered security... but in a lot of cases it's the only layer, in which it becomes important... even though you can argue AV should be on those devices.

There are also devices like iPads that won't have AV... if one obtains ransomware on there from the internet... a point is to not even allow the ransomware on the network... block it before it even gets to a device.

scottalanmiller

@tim_g said in Arg! The money spent the month before I stated here.:

I hear everything you say about the gateway AV... but I've personally seen a lot of cases where the gateway AV had not been in place, the AV on the client did not detect or the lack of AV would not have detected.

That can happen, of course. But this implies that better AV is being used in one place and a lesser one is being kept in the more important place. The takeaway shouldn't have been "good thing we had a UTM", it should have been "oh boy, we need better AV clients."

Also, just because I don't like UTM doesn't mean that I am universally against network access layer AV scanning. I just never want that in my firewall. UTM isn't the same as "scanning AV on the network". The issue that Jared and I have with UTM is where that function is placed.

scottalanmiller

@tim_g said in Arg! The money spent the month before I stated here.:

I'm sure most places may not need it at all, but some environments may.. such as those with a number of devices that may not have AV (not theoretical, because there's some that don't) and some with outdated definitions.

I've seen a lot of AV clients that are running outdated definitions... they are broken and wont update.

But the answer is... fix them. That makes the UTM a dangerous band aid... a false sense of security.

scottalanmiller

@tim_g said in Arg! The money spent the month before I stated here.:

There's a lot of places a gateway AV makes sense. Maybe by your technical definition it's not layered security... but in a lot of cases it's the only layer, in which it becomes important... even though you can argue AV should be on those devices.

Right. This is a contrived scenario. It's actually one of the reasons that I think that it is bad. One mistake leading to another, and the second one used to justify the first.

Obsolesce

@scottalanmiller said in Arg! The money spent the month before I stated here.:

@tim_g said in Arg! The money spent the month before I stated here.:

How do you protect devices without A/V?

I feel like this is a trick question. It's one of those "what about this unnamed or unkown threat" that isn't a real world threat. We don't need to protect against things that don't exist. It sounds sensible... what if "X" happens, what will you do? But that's not how security works. Security you have to assess what are reasonable, realistic threats. AV isn't a broadly useful tool, it's useful in the Windows desktop world and the Mac world, but beyond that, it's not really a valuable thing. You don't need AV on your router, right? You don't need it on your switches.

But asking the question creates an emotional response. Oh no, no antivirus on your switches or access points? How will you protect yourself without a UTM?

Um... I protect myself by that not being a threat vector. There's nothing to protect against.

I was talking client devices, like computers and laptops.. and servers.

scottalanmiller

@tim_g said in Arg! The money spent the month before I stated here.:

@scottalanmiller said in Arg! The money spent the month before I stated here.:

@tim_g said in Arg! The money spent the month before I stated here.:

How do you protect devices without A/V?

I feel like this is a trick question. It's one of those "what about this unnamed or unkown threat" that isn't a real world threat. We don't need to protect against things that don't exist. It sounds sensible... what if "X" happens, what will you do? But that's not how security works. Security you have to assess what are reasonable, realistic threats. AV isn't a broadly useful tool, it's useful in the Windows desktop world and the Mac world, but beyond that, it's not really a valuable thing. You don't need AV on your router, right? You don't need it on your switches.

But asking the question creates an emotional response. Oh no, no antivirus on your switches or access points? How will you protect yourself without a UTM?

Um... I protect myself by that not being a threat vector. There's nothing to protect against.

I was talking client devices, like computers and laptops.. and servers.

Then don't deploy them without AV.

Obsolesce

@scottalanmiller said in Arg! The money spent the month before I stated here.:

@tim_g said in Arg! The money spent the month before I stated here.:

@scottalanmiller said in Arg! The money spent the month before I stated here.:

@tim_g said in Arg! The money spent the month before I stated here.:

How do you protect devices without A/V?

I feel like this is a trick question. It's one of those "what about this unnamed or unkown threat" that isn't a real world threat. We don't need to protect against things that don't exist. It sounds sensible... what if "X" happens, what will you do? But that's not how security works. Security you have to assess what are reasonable, realistic threats. AV isn't a broadly useful tool, it's useful in the Windows desktop world and the Mac world, but beyond that, it's not really a valuable thing. You don't need AV on your router, right? You don't need it on your switches.

But asking the question creates an emotional response. Oh no, no antivirus on your switches or access points? How will you protect yourself without a UTM?

Um... I protect myself by that not being a threat vector. There's nothing to protect against.

I was talking client devices, like computers and laptops.. and servers.

Then don't deploy them without AV.

We don't.

They break, they get weird... they stop updating. They run Windows... crap happens.

People get the company WiFi password (not the guest wifi) and connect their phones and other devices to it without AV.

There's just a ton of things without AV... in your perfect world, i'm sure isn't the case. But in my world it's how thigns are and there isn't always something I can personally do about it.

I just don't want malware on the network. The SonicWALL has this stuff built in, and easily handels it without performance degradation... the only thing passing through it is internet... it's not like clients accessing the fileserver get slowed down because AV is running on the SonicWALL.

It's great to use if you have it.

It beats having a crappy box doing it. The SonicWALL handles it extremely well.

Obsolesce

I don't want to be part of the reason the company gets ransomware because I wanted to say "I told you so" or to prove a point.

scottalanmiller

@tim_g said in Arg! The money spent the month before I stated here.:

I don't want to be part of the reason the company gets ransomware because I wanted to say "I told you so" or to prove a point.

It's not about proving a point. It's about factors like cost and social engineering (even when unintentional.) Companies with UTMs, I would wager, are vastly more likely to do things like have machines deployed without proper protections, AV break and not be fixed, patches not kept up with... because it creates a sense of security.

UTMs don't keep malware off of the network. In a perfect world they keep it from entering through one vector. But all those things that people are plugging in that you don't control - they have all bypassed the UTM and are the bigger threat. If having a UTM ever makes someone feel that they can have AV that isn't updated or a system that isn't matched because they feel that malware was kept off of the network - that's my whole point. I'd rather have the fear and the pressure to keep the network protected universally and not rely on LAN security, than to have LAN security feel good enough to maybe not worry about other things.

It's the human factor more than anything. If the UTM is secret and even management doesn't know... you could make a better case. But if people in decision making positions know about it, I bet it influences how they react to other risk vectors.

scottalanmiller

In a perfect world, of course a UTM might be a good thing. If the UTM never introduced risks, costs, people, or performance issues. But UTMs aren't universally good. At best, they always bring cost, at worst, they bring all of the above. It's a neat idea, but it isn't a pure win. It always comes with trade offs.

Obsolesce

@scottalanmiller

Yeah the trick is treating it as if you have not UTM. That's the case, but even so there's those things I mentioned before. So in my case it's beneficial because without the UTM, nothing would change no matter what I do.

StorageNinja

@scottalanmiller said in Arg! The money spent the month before I stated here.:

It's not about proving a point. It's about factors like cost and social engineering (even when unintentional.) Companies with UTMs, I would wager, are vastly more likely to do things like have machines deployed without proper protections, AV break and not be fixed, patches not kept up with... because it creates a sense of security.

It's the other way. You are an airline or other company who doesn't control 80% of the code going into production...

scottalanmiller

@storageninja said in Arg! The money spent the month before I stated here.:

@scottalanmiller said in Arg! The money spent the month before I stated here.:

It's not about proving a point. It's about factors like cost and social engineering (even when unintentional.) Companies with UTMs, I would wager, are vastly more likely to do things like have machines deployed without proper protections, AV break and not be fixed, patches not kept up with... because it creates a sense of security.

It's the other way. You are an airline or other company who doesn't control 80% of the code going into production...

Just have good security and don't let that happen. Basically what I hear over and over again is "our IT department is bad, so we use UTMs as a bandaid", which is exactly my concern. Is your company only willing to do dangerous things in production because it trusts in LAN centric security?

Obsolesce

Good security also consists of all easily identifiable holes being covered the best that can be done for a cost that makes sense for the environment. If we deploy all devices with good AV, but there are still devices without it such as personal devices and those we deploy that stop functioning correctly sometimes, it's not a bad thing to use the built-in AV the SonicWALL provides as an additional protection layer. (or only AV protection layer in some cases)

I do completely understand what you are saying, but you also need to understand that in some places, there are devices that are not controlled by IT and due to some reasons I beyond the scope of this topic, there's nothing that can be done no matter what. In this case the SonicWALL AV and SSL-DPI is very beneficial. It also helps to keep things off the network, not even giving the client devices a chance to get it.

All AVs are not equal. THere are none with a 100% detection rate. The best AVs miss things the mediocre ones catch, and vice versa.

scottalanmiller

@tim_g said in Arg! The money spent the month before I stated here.:

Good security also consists of all easily identifiable holes being covered the best that can be done for a cost that makes sense for the environment. If we deploy all devices with good AV, but there are still devices without it such as personal devices and those we deploy that stop functioning correctly sometimes, it's not a bad thing to use the built-in AV the SonicWALL provides as an additional protection layer. (or only AV protection layer in some cases)

Things that I have to ask though, are...

• Why are insecure personal devices being allowed onto the network?
• Why is security focus not covering those devices (they bypass security and have access to the LAN?)
• Why do you care if they are protected if the owners do not?

scottalanmiller

@tim_g said in Arg! The money spent the month before I stated here.:

I do completely understand what you are saying, but you also need to understand that in some places, there are devices that are not controlled by IT and due to some reasons I beyond the scope of this topic, there's nothing that can be done no matter what. In this case the SonicWALL AV and SSL-DPI is very beneficial. It also helps to keep things off the network, not even giving the client devices a chance to get it.

I feel like you are saying that "some companies refuse to secure their networks, so we do this to work around that a little and make them feel a little secure". It's "instead of fixing a problem, we band aid." I get it, but it's really important to recognize that there is an actual security gap here, a huge one, that is being ignored. And IT has the power to fix it, but someone running IT up top has decided to leave it open. IT always has control to be secure, but often decides not to be. That's how I see UTM most of the time, an artefact of places deciding to not take security to what I'd consider a minimum bar.

scottalanmiller

@tim_g said in Arg! The money spent the month before I stated here.:

All AVs are not equal. THere are none with a 100% detection rate. The best AVs miss things the mediocre ones catch, and vice versa.

Right, and I'd argue (and have) that having UTM makes people feel that they don't need to have good AV. But they do, because threats originate often from inside the LAN where the UTM is powerless.

Obsolesce

@scottalanmiller said in Arg! The money spent the month before I stated here.:

@tim_g said in Arg! The money spent the month before I stated here.:

Good security also consists of all easily identifiable holes being covered the best that can be done for a cost that makes sense for the environment. If we deploy all devices with good AV, but there are still devices without it such as personal devices and those we deploy that stop functioning correctly sometimes, it's not a bad thing to use the built-in AV the SonicWALL provides as an additional protection layer. (or only AV protection layer in some cases)

Things that I have to ask though, are...

• Why are insecure personal devices being allowed onto the network?
• Why is security focus not covering those devices (they bypass security and have access to the LAN?)
• Why do you care if they are protected if the owners do not?

1. That's not my call, and if it were up to me, I'd not allow it. I've already expressed my thoughts on that matter. The consensus on that was to be reactive instead of preventative. Basically, allow it until something bad happens.

2. They are supposed to use the Guest wifi, but users also do know the LAN wifi password. Things get on the LAN.

3. I don't care about their devices at all. What I care about is making sure their devices aren't a network infection vector.

I'm not naive, and I do realize these things shouldn't be that way... and if they were not, then yes the SonicWALL AV is dumb. But that's not the case, and given the environment (not just mine, but many are like that), it can make sense to use it, especially if there is no negative impact.