Thoughts on how I could improve my network security?
-
@scottalanmiller said in Thoughts on how I could improve my network security?:
If you DO decide to go UTM, avoid crap like ASA, SonicWall, Sophos etc. I heavily recommend Palo Alto or nothing. If you can't do it right, don't do it halfway with gear I'd not even be willing to deploy at home.
Palo Alto is what I was thinking for sure. Glad to hear that's what you recommend
-
@beta said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
If you DO decide to go UTM, avoid crap like ASA, SonicWall, Sophos etc. I heavily recommend Palo Alto or nothing. If you can't do it right, don't do it halfway with gear I'd not even be willing to deploy at home.
Palo Alto is what I was thinking for sure. Glad to hear that's what you recommend
They are the best in the business. If you can afford them, though. Not cheap stuff.
-
I feel good about our AV as it offers central control and monitoring (cloud based so I even have our remote users constantly monitored and receiving the same policy updates and configurations).
I think my biggest concern is visibility and IDS/IPS. You'd recommend virtualizing those functions instead of using an appliance that also acts as the firewall? Any particular products you recommend?
-
@beta said in Thoughts on how I could improve my network security?:
I feel good about our AV as it offers central control and monitoring (cloud based so I even have our remote users constantly monitored and receiving the same policy updates and configurations).
That's basically the minimum bar to even say that you have AV
-
@beta said in Thoughts on how I could improve my network security?:
I think my biggest concern is visibility and IDS/IPS. You'd recommend virtualizing those functions instead of using an appliance that also acts as the firewall? Any particular products you recommend?
Correct. Firewall for firewall, VMs for server functions. Still Palo Alto, of course, just their software products, not their appliances.
-
-
@beta said in Thoughts on how I could improve my network security?:
I think my biggest concern is visibility and IDS/IPS.
Do you really need this? Not that it can't be a good thing, but what are you really trying to protect?
-
@dashrender said in Thoughts on how I could improve my network security?:
@beta said in Thoughts on how I could improve my network security?:
I think my biggest concern is visibility and IDS/IPS.
Do you really need this? Not that it can't be a good thing, but what are you really trying to protect?
That's always the real question. I get that there is money to spend, use it or lose it, but still evaluating the real risk and concern is important. What's the itch that is attempting to be scratched?
-
Aren't the ASA's retired also? Sounds like you should buy a bunch of new Edge gear to update your network. I'd possibly spend the rest on a new server that you can use as an awesome virtual lab.
-
@dashrender said in Thoughts on how I could improve my network security?:
Aren't the ASA's retired also? Sounds like you should buy a bunch of new Edge gear to update your network. I'd possibly spend the rest on a new server that you can use as an awesome virtual lab.
I'd agree there. Cisco ASA were pretty craptastic even when they were new and supported. Start with getting a solid foundation of good gear. That won't use up much of the budget, but it will fix key problems instead of ignoring big issues to get fun toys. Worry about the toys after the core issues are resolved.
-
I'd also suggest if you're looking at Intrusion stuff, go with an IPS that can actually block attacks.
Alienvault makes a good SIEM.
-
Use it or lose it money is always tough. I agree on new firewalls. But beyond that, it's really hard to say. What kinds of things are you allowed to spend money on?
-
I would do something along this line:
Get good basic firewalls with nice rules setup.
Setup Strongarm.io or Cisco Umbrella, I would choose the former. This would handle security via DNS as well as content filtering by DNS is you so choose.
Get a good log monitoring system like Arctic Wolf or AlienVault to alert you to anything abnormal.
-
I agree, good stuff.
-
@dashrender said in Thoughts on how I could improve my network security?:
Aren't the ASA's retired also? Sounds like you should buy a bunch of new Edge gear to update your network. I'd possibly spend the rest on a new server that you can use as an awesome virtual lab.
I believe that they are.
-
@scottalanmiller said in Thoughts on how I could improve my network security?:
@dashrender said in Thoughts on how I could improve my network security?:
@beta said in Thoughts on how I could improve my network security?:
I think my biggest concern is visibility and IDS/IPS.
Do you really need this? Not that it can't be a good thing, but what are you really trying to protect?
That's always the real question. I get that there is money to spend, use it or lose it, but still evaluating the real risk and concern is important. What's the itch that is attempting to be scratched?
So a little more info on our operation here. One of the things I'm concerned about is HIPAA adherence. We have a small department that has a contract with the state to collect some sensitive information from people. It's not even medical information, but they want us to follow HIPAA practices. I thought an IDS/IPS would be especially helpful here to safeguard this information and would help satisfy the state if they ask us what steps we take to secure the information. Of course we do the usual steps to safeguard the information such as it being restricted to only those users who need it via Active Directory permissions. Our users who collect the info are out in the field and their laptops are also using full disk encryption. We have multiple copies of backups onsite and offsite, etc., etc.
It would also be helpful to have more visibility into our traffic so I can see exactly who's using bandwidth if the internet is slow, if management asks me how many people are wasting time on non-work related websites, etc., etc.
-
@beta said in Thoughts on how I could improve my network security?:
It would also be helpful to have more visibility into our traffic so I can see exactly who's using bandwidth if the internet is slow, if management asks me how many people are wasting time on non-work related websites, etc., etc.
An ER-L can give you basics in this area. I don't think IDS/IPS gives you this.
-
@dashrender said in Thoughts on how I could improve my network security?:
@beta said in Thoughts on how I could improve my network security?:
It would also be helpful to have more visibility into our traffic so I can see exactly who's using bandwidth if the internet is slow, if management asks me how many people are wasting time on non-work related websites, etc., etc.
An ER-L can give you basics in this area. I don't think IDS/IPS gives you this.
Sorry, I didn't mean to imply that's what the IDS/IPS would be for, I was referring to a UTM like appliance like the Palo Alto.
-
AlienVault's UTM works decently if you are on a budget, but requires ALOT of configuration. I spent months working on AlienVault's UTM with my last employer to get it to be reliable.
-
@beta said in Thoughts on how I could improve my network security?:
@dashrender said in Thoughts on how I could improve my network security?:
@beta said in Thoughts on how I could improve my network security?:
It would also be helpful to have more visibility into our traffic so I can see exactly who's using bandwidth if the internet is slow, if management asks me how many people are wasting time on non-work related websites, etc., etc.
An ER-L can give you basics in this area. I don't think IDS/IPS gives you this.
Sorry, I didn't mean to imply that's what the IDS/IPS would be for, I was referring to a UTM like appliance like the Palo Alto.
But you don't need UTM for that. A normal router does that. It's not even a firewall function. At least for who is using bandwidth.
Now as for websites, you need a proxy for that. But no need for a UTM.