    Thoughts on how I could improve my network security?

    IT Discussion · 187 Posts · 13 Posters · 31.3k Views
    • beta

      Hey folks, I posted over at SW, thought I might as well post here too.

      I've got an unforeseen $15k or so (maybe a little more) from an unexpected grant that we need to spend on IT before the end of the year. I think it would be wise to invest towards our network and security. One of my biggest annoyances with our current environment is I really don't have a lot of visibility into our network traffic. I was thinking of investing in a new firewall appliance that can do layer 7 inspection and would also be a UTM with IDS/IPS built-in.

      My current environment has an ASA 5512-x at the perimeter with a separate interface for a DMZ segment that hosts a web server used by our business partners. Behind another interface of the ASA is our Cisco 2901 router which routes our internal VLANs (data, voice, telemetry, etc.). Our switches are Cisco 2960 switches. The ASA is configured to block most incoming traffic except a few select ports and I have outbound ports restricted as well to common services like HTTP/S, NTP, DNS, etc. Of course we employ antivirus and antimalware on each endpoint on the corporate LAN. We also use SRP whitelisting and follow best practices of not allowing users administrator rights.

      I believe I can buy Firepower services to add to our ASA, but I wasn't sure how well this works as I know Cisco bought Sourcefire and kinda cobbled them together on their ASA platform. Also the 5512-x is already end of sale so I thought maybe it would be a good time to just upgrade the whole box.

      We have about 90 users/computers at HQ and 3 users/computers at 2 branch sites we have connected via VPN. Internet pipe at HQ is 50/50.

      I think my second priority would be some kind of SIEM to centralize logging and easily correlate events, but I think I should probably start with looking at some UTM or IDS/IPS first? Any thoughts on what you would look at in a similar situation or what you would recommend?

      • scottalanmiller

        I'm not a fan of UTMs, and neither is Jared. Both of us share the idea that mashing lots of functions into your router is a bad idea. A normal firewall is insanely simple and just access controls on routing, which is fine. But UTM functions do not belong in the router. They are intensive, need totally different types of maintenance, and use very different profiles. If you want UTM-like functionality, I would essentially always put it on a VM and send traffic to it from the router, not have the router itself do that work.

        • scottalanmiller

          If you DO decide to go UTM, avoid crap like ASA, SonicWall, Sophos etc. I heavily recommend Palo Alto or nothing. If you can't do it right, don't do it halfway with gear I'd not even be willing to deploy at home.

          • scottalanmiller

            Before looking at UTM, I'd be 100% sure that my AV infrastructure was 100% where I wanted it to be with zero issues, good central control and monitoring and so forth. UTM, as we had just discussed in another thread, is LAN based security breaking modern network models and puts you at huge risk of people thinking that it excuses them from other good security practices. It can be the thing that makes people allow insecurity to creep into the network. So be very careful how you approach it.

            • scottalanmiller

              The Brave New LANless Future (YouTube video)

              • beta @scottalanmiller

                @scottalanmiller said in Thoughts on how I could improve my network security?:

                If you DO decide to go UTM, avoid crap like ASA, SonicWall, Sophos etc. I heavily recommend Palo Alto or nothing. If you can't do it right, don't do it halfway with gear I'd not even be willing to deploy at home.

                Palo Alto is what I was thinking for sure. Glad to hear that's what you recommend 🙂

                • scottalanmiller @beta

                  @beta said in Thoughts on how I could improve my network security?:

                  @scottalanmiller said in Thoughts on how I could improve my network security?:

                  If you DO decide to go UTM, avoid crap like ASA, SonicWall, Sophos etc. I heavily recommend Palo Alto or nothing. If you can't do it right, don't do it halfway with gear I'd not even be willing to deploy at home.

                  Palo Alto is what I was thinking for sure. Glad to hear that's what you recommend 🙂

                  They are the best in the business. If you can afford them, though. Not cheap stuff.

                  • beta @scottalanmiller

                    I feel good about our AV as it offers central control and monitoring (cloud based so I even have our remote users constantly monitored and receiving the same policy updates and configurations).

                    I think my biggest concern is visibility and IDS/IPS. You'd recommend virtualizing those functions instead of using an appliance that also acts as the firewall? Any particular products you recommend?

                    • scottalanmiller @beta

                      @beta said in Thoughts on how I could improve my network security?:

                      I feel good about our AV as it offers central control and monitoring (cloud based so I even have our remote users constantly monitored and receiving the same policy updates and configurations).

                      That's basically the minimum bar to even say that you have AV 😉

                      • scottalanmiller @beta

                        @beta said in Thoughts on how I could improve my network security?:

                        I think my biggest concern is visibility and IDS/IPS. You'd recommend virtualizing those functions instead of using an appliance that also acts as the firewall? Any particular products you recommend?

                        Correct. Firewall for firewall, VMs for server functions. Still Palo Alto, of course, just their software products, not their appliances.

                        • scottalanmiller

                          https://www.paloaltonetworks.com/products/secure-the-network/virtualized-next-generation-firewall/vm-series

                          • Dashrender @beta

                            @beta said in Thoughts on how I could improve my network security?:

                            I think my biggest concern is visibility and IDS/IPS.

                            Do you really need this? Not that it can't be a good thing, but what are you really trying to protect?

                            • scottalanmiller @Dashrender

                              @dashrender said in Thoughts on how I could improve my network security?:

                              @beta said in Thoughts on how I could improve my network security?:

                              I think my biggest concern is visibility and IDS/IPS.

                              Do you really need this? Not that it can't be a good thing, but what are you really trying to protect?

                              That's always the real question. I get that there is money to spend, use it or lose it, but still evaluating the real risk and concern is important. What's the itch that is attempting to be scratched?

                              • Dashrender

                                Aren't the ASAs retired also? Sounds like you should buy a bunch of new edge gear to update your network. I'd possibly spend the rest on a new server that you can use as an awesome virtual lab.

                                • scottalanmiller @Dashrender

                                  @dashrender said in Thoughts on how I could improve my network security?:

                                  Aren't the ASAs retired also? Sounds like you should buy a bunch of new edge gear to update your network. I'd possibly spend the rest on a new server that you can use as an awesome virtual lab.

                                  I'd agree there. Cisco ASA were pretty craptastic even when they were new and supported. Start with getting a solid foundation of good gear. That won't use up much of the budget, but it will fix key problems instead of ignoring big issues to get fun toys. Worry about the toys after the core issues are resolved.

                                  • dafyre

                                    I'd also suggest if you're looking at Intrusion stuff, go with an IPS that can actually block attacks.

                                    AlienVault makes a good SIEM.

                                    • Reid Cooper

                                      Use it or lose it money is always tough. I agree on new firewalls. But beyond that, it's really hard to say. What kinds of things are you allowed to spend money on?

                                      • JaredBusch

                                        I would do something along this line:

                                        Get good basic firewalls with nice rules set up.

                                        Set up Strongarm.io or Cisco Umbrella; I would choose the former. This would handle security via DNS as well as content filtering by DNS if you so choose.

                                        Get a good log monitoring system like Arctic Wolf or AlienVault to alert you to anything abnormal.

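The original post asks for a SIEM that centralises logs and correlates events, and JaredBusch's list above ends with a log monitoring system that alerts on anything abnormal. The following added example (mine, not code from any participant in the thread or from any vendor) shows what two such correlation rules look like at the smallest scale: it parses constructed log lines written in the style of Cisco ASA message 106023 (an ACL deny, which the ASA in the original post would emit for blocked traffic), flags an external source probing many distinct ports, and flags an internal host repeatedly attempting an outbound port that the stated egress policy (HTTP/S, NTP, DNS) does not allow. The addresses, access-group names, thresholds and allowed-port list are all assumptions.

```python
"""Correlate firewall deny events the way a minimal SIEM rule would.

Added example for this thread; not code posted by any participant or
shipped by any vendor. The log lines below are constructed samples in
the style of Cisco ASA message 106023 (ACL deny); thresholds, addresses
and the allowed-port list are assumptions.
"""
import re
from collections import defaultdict

# Outbound services the original post says the perimeter permits (DNS, HTTP, NTP, HTTPS).
ALLOWED_EGRESS_PORTS = {53, 80, 123, 443}

# Constructed sample lines, not captured traffic. Addresses are documentation ranges.
SAMPLE_LOGS = """\
%ASA-4-106023: Deny tcp src outside:203.0.113.7/51000 dst dmz:192.0.2.10/21 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.7/51001 dst dmz:192.0.2.10/22 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.7/51002 dst dmz:192.0.2.10/23 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.7/51003 dst dmz:192.0.2.10/25 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.7/51004 dst dmz:192.0.2.10/3389 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.20/40000 dst dmz:192.0.2.10/445 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.10.20.55/49152 dst outside:198.51.100.9/6667 by access-group "inside_access_out" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.10.20.55/49153 dst outside:198.51.100.9/6667 by access-group "inside_access_out" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:10.10.20.60/50000 dst outside:203.0.113.53/53 by access-group "inside_access_out" [0x0, 0x0]
this line is not a firewall event and must be skipped
"""

# search() rather than match(), so a syslog timestamp or hostname prefix does not matter.
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_ifc>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_ifc>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_deny(line):
    """Return a dict for an ASA 106023 deny line, or None for anything else."""
    m = DENY_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def parse_log(text):
    """Parse every line of a log blob, silently dropping lines that are not deny events."""
    return [ev for ev in map(parse_deny, text.splitlines()) if ev]


def find_port_scans(events, min_ports=5):
    """External sources denied on at least min_ports distinct destination ports."""
    ports_by_src = defaultdict(set)
    for ev in events:
        if ev["src_ifc"] == "outside":
            ports_by_src[ev["src"]].add(ev["dport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}


def find_egress_violations(events, allowed=ALLOWED_EGRESS_PORTS):
    """Internal hosts repeatedly trying outbound ports the policy does not allow.

    One deny is noise; the same host hitting the same dst:port twice or more looks
    like a misconfigured or compromised machine and is worth a ticket. Denies on a
    policy-allowed port are skipped here: they usually mean a blocked destination,
    not a host that should not be talking at all."""
    hits = defaultdict(int)
    for ev in events:
        if ev["src_ifc"] == "inside" and ev["dst_ifc"] == "outside" and ev["dport"] not in allowed:
            hits[(ev["src"], ev["dst"], ev["dport"])] += 1
    return {key: n for key, n in hits.items() if n >= 2}


def analyze(text):
    """Run both rules over a log blob and return the findings."""
    events = parse_log(text)
    return {
        "events": len(events),
        "port_scans": find_port_scans(events),
        "egress_violations": find_egress_violations(events),
    }


if __name__ == "__main__":
    for name, value in analyze(SAMPLE_LOGS).items():
        print(name, value)
```

On the sample, the block reports nine parsed events, one external source that touched five different ports on the DMZ host, and one internal host that tried port 6667 on the same outside address twice; the denied UDP/53 line is deliberately not flagged. The second rule is the point of the exercise: the perimeter firewall already blocks that traffic, so the deny log is the only place the attempt is visible, which is exactly the visibility gap the original post describes, and it is the kind of condition a central log system should be configured to alert on rather than something anyone will find by reading the firewall console.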
                                        • scottalanmiller

                                          I agree, good stuff.

                                          • Reid Cooper @Dashrender

                                            @dashrender said in Thoughts on how I could improve my network security?:

                                            Aren't the ASAs retired also? Sounds like you should buy a bunch of new edge gear to update your network. I'd possibly spend the rest on a new server that you can use as an awesome virtual lab.

                                            I believe that they are.
