Thoughts on how I could improve my network security?
-
@dave247 said in Thoughts on how I could improve my network security?:
@tim_g said in Thoughts on how I could improve my network security?:
@dave247 said in Thoughts on how I could improve my network security?:
I have our three ISP connections coming into the SonicWall with load-balancing. I also have wifi zones for corp and guest on their own VLAN. I have LAN and VPN zones (an others) which are carefully set up and segregated through firewall rules. There's a page to manage NAT policies. We make use of SSLVPN, Gateway A/V and anti-spyware, content filtering, IDS & IPS, and the GMS Analyzer, etc.
I didn't choose this product as it was on site when I got my job here, but as I said, it's been completely solid.This is exactly how it is for me too.
I personally haven't seen any of the negatives Scott is pointing out against SonicWall or IPS working on the edge firewall.
If it degrades performance, I haven't experienced it. I do agree with him on all the aspects though and would not choose to implement a SonicWall or similar device if one wasn't already set up.
What are some recommended alternatives? Is Scott (and supposed best practice) suggesting to spread all of these roles out to individual devices vs having everything in a single unit or something?
Why would they be "devices"? What's the benefit to having hardware appliances for every application in a business? They should be treated like any other enterprise application - individual VMs. There are standard patterns here that are widely known and accepted. The issue, I think, is that people start hearing the marketing spiel on this stuff and start forgetting that network AV scanning, IDS, web proxies, etc. are "just another application" and that best practices have always existed for them.
Best practices for applications include virtualization, and separation. What I'm suggesting isn't weird here, it's having them on appliances or mashed together on the same OS that breaks the standard approach.
You wouldn't treat your database or even your website this way, why your security system?
-
@scottalanmiller said in Thoughts on how I could improve my network security?:
@dave247 said in Thoughts on how I could improve my network security?:
@tim_g said in Thoughts on how I could improve my network security?:
@dave247 said in Thoughts on how I could improve my network security?:
I have our three ISP connections coming into the SonicWall with load-balancing. I also have wifi zones for corp and guest on their own VLAN. I have LAN and VPN zones (an others) which are carefully set up and segregated through firewall rules. There's a page to manage NAT policies. We make use of SSLVPN, Gateway A/V and anti-spyware, content filtering, IDS & IPS, and the GMS Analyzer, etc.
I didn't choose this product as it was on site when I got my job here, but as I said, it's been completely solid.This is exactly how it is for me too.
I personally haven't seen any of the negatives Scott is pointing out against SonicWall or IPS working on the edge firewall.
If it degrades performance, I haven't experienced it. I do agree with him on all the aspects though and would not choose to implement a SonicWall or similar device if one wasn't already set up.
What are some recommended alternatives? Is Scott (and supposed best practice) suggesting to spread all of these roles out to individual devices vs having everything in a single unit or something?
Why would they be "devices"? What's the benefit to having hardware appliances for every application in a business? They should be treated like any other enterprise application - individual VMs. There are standard patterns here that are widely known and accepted. The issue, I think, is that people start hearing the marketing spiel on this stuff and start forgetting that network AV scanning, IDS, web proxies, etc. are "just another application" and that best practices have always existed for them.
Best practices for applications include virtualization, and separation. What I'm suggesting isn't weird here, it's having them on appliances or mashed together on the same OS that breaks the standard approach.
You wouldn't treat your database or even your website this way, why your security system?
By devices, I meant having the router and firewall on separate devices. Are you seriously suggesting I have a router and a firewall as a VM?
I understand having a web proxy, IDS and AV scanning on virtual machines, but if everything can be integrated into one system and it has enough computing resources to work well, then what's the problem with that? Also, for what it's worth, the SonicWall's GMS Analyzer is on a separate virtual machine.
-
@dave247 said in Thoughts on how I could improve my network security?:
By devices, I meant having the router and firewall on separate devices. Are you seriously suggesting I have a router and a firewall as a VM?
I feel like you've missed everything I've ever said.
First of all, UTM never means Firewall. Those are two different things.
Second, a router is always a firewall, the two are always the same thing, have been for decades. The idea that you even CAN separate the router and firewall is silly, while it's possible no separate devices have been on the market since the late 1990s.
Third, never once ever have I suggested anything but a physical appliance for the firewall. Ever.
Where did you get the impression that I ever said anything of the sort?
-
@dave247 said in Thoughts on how I could improve my network security?:
I understand having a web proxy, IDS and AV scanning on virtual machines, but if everything can be integrated into one system and it has enough computing resources to work well, then what's the problem with that?
Everything is the problem with it. It goes against everything we learn in IT about good practices. Why do we put databases, applications, monitoring, logging, and Active Directory on different VMs when we could mash them all into one VM?
Why are you treating your network security like it's a desktop or hobby class device and are willing to smash all kinds of applications together onto the network appliance, when you'd never consider anything of the sort with even relatively trivial production applications? Why is security and networking so often considered to be of trivial importance compared to everything else on the network?
The real question is... given best practices and broad application of rules that apply on every production workload, why do you consider the applications on your router to be the exception to the rule rather than one of the most important examples of it?
-
@scottalanmiller said in Thoughts on how I could improve my network security?:
@dave247 said in Thoughts on how I could improve my network security?:
By devices, I meant having the router and firewall on separate devices. Are you seriously suggesting I have a router and a firewall as a VM?
I feel like you've missed everything I've ever said.
First of all, UTM never means Firewall. Those are two different things.
Second, a router is always a firewall, the two are always the same thing, have been for decades. The idea that you even CAN separate the router and firewall is silly, while it's possible no separate devices have been on the market since the late 1990s.
Third, never once ever have I suggested anything but a physical appliance for the firewall. Ever.
Where did you get the impression that I ever said anything of the sort?
I didn't miss what you said, but you frame things in such a way that comes off more arrogant than helpful.
I may not know a lot, but I know enough to know that a firewall and a router are not the same thing. Sure, they are pretty much always packages together in the same product but they are two different individual functions. And I get that there is some overlap as routers can have ACLs and firewalls can set static routes, but that doesn't mean they are same thing.
-
@scottalanmiller said in Thoughts on how I could improve my network security?:
@dave247 said in Thoughts on how I could improve my network security?:
I understand having a web proxy, IDS and AV scanning on virtual machines, but if everything can be integrated into one system and it has enough computing resources to work well, then what's the problem with that?
Everything is the problem with it. It goes against everything we learn in IT about good practices. Why do we put databases, applications, monitoring, logging, and Active Directory on different VMs when we could mash them all into one VM?
Why are you treating your network security like it's a desktop or hobby class device and are willing to smash all kinds of applications together onto the network appliance, when you'd never consider anything of the sort with even relatively trivial production applications? Why is security and networking so often considered to be of trivial importance compared to everything else on the network?
The real question is... given best practices and broad application of rules that apply on every production workload, why do you consider the applications on your router to be the exception to the rule rather than one of the most important examples of it?
This just seems like another vague attempt to prop up your opinion again. Again, our 3600 does a really good job even though all those features are "mashed" in the same system.
-
@dave247 said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
@dave247 said in Thoughts on how I could improve my network security?:
By devices, I meant having the router and firewall on separate devices. Are you seriously suggesting I have a router and a firewall as a VM?
I feel like you've missed everything I've ever said.
First of all, UTM never means Firewall. Those are two different things.
Second, a router is always a firewall, the two are always the same thing, have been for decades. The idea that you even CAN separate the router and firewall is silly, while it's possible no separate devices have been on the market since the late 1990s.
Third, never once ever have I suggested anything but a physical appliance for the firewall. Ever.
Where did you get the impression that I ever said anything of the sort?
I didn't miss what you said, but you frame things in such a way that comes off more arrogant than helpful.
I may not know a lot, but I know enough to know that a firewall and a router are not the same thing. Sure, they are pretty much always packages together in the same product but they are two different individual functions. And I get that there is some overlap as routers can have ACLs and firewalls can set static routes, but that doesn't mean they are same thing.
Not quite. A router with ACLs is a firewall. A firewall with routing is a router. In theory, but only in theory, you can make a router without ACLs, but no one has done so in decades. In theory you can make a non-routing firewall (it's called a bridging firewall) but in reality, again, none has been made that doesn't have the router function.
Botton line is that router and firewall are literally the same thing for all possible use cases. They two things are just functions of routers. All routers are firewalls, all firewalls are routers. The two cannot, for all intents and purposes, be separated.
This is very important, because firewall means router, but UTM doesn't mean firewall. So understanding this is key to understanding what I said. If you associate the wrong terms together, it will sound like I said what it seems like you reacted to.
-
@dave247 said in Thoughts on how I could improve my network security?:
This just seems like another vague attempt to prop up your opinion again. Again, our 3600 does a really good job even though all those features are "mashed" in the same system.
Loads and loads of people swear by Microsoft's SBS server, too. It "does a good job" until you realize that it generally costs too much and introduces risk. Remember, that your current UTM "does a good job for you" cannot be used as an indicator of if it is a good idea. That's not how risk assessment ever can work. That's the "look mom, no seatbelt" problem.
The problem with security and risk is that things always seem great until something goes wrong. And often when things go wrong, you don't actually know (the nature of security - a good breach you will never know about.) It's just like Russian roulette, five out of six players thing it is a perfectly safe game.
Can MS SBS server or a UTM do the job? Yes. Are they a good design or able to do the job as well as a better system design or do they follow industry best practices? No, of course not.
None of this is vague or my proping my "opinion", this has been an industry standard practice for decades taught by everyone in the administration space. The idea of separating services for reliability and control has been a core tenant of basic administration education since low before I was in IT, which is a very long time.
-
@dave247 said in Thoughts on how I could improve my network security?:
@scottalanmiller said in Thoughts on how I could improve my network security?:
@dave247 said in Thoughts on how I could improve my network security?:
By devices, I meant having the router and firewall on separate devices. Are you seriously suggesting I have a router and a firewall as a VM?
I feel like you've missed everything I've ever said.
First of all, UTM never means Firewall. Those are two different things.
Second, a router is always a firewall, the two are always the same thing, have been for decades. The idea that you even CAN separate the router and firewall is silly, while it's possible no separate devices have been on the market since the late 1990s.
Third, never once ever have I suggested anything but a physical appliance for the firewall. Ever.
Where did you get the impression that I ever said anything of the sort?
I didn't miss what you said, but you frame things in such a way that comes off more arrogant than helpful.
If you didn't, they why did you respond to something so totally backwards from what I had said? What is the above responding to?
-
But, like all things of this nature, I've presented my side as to "why" keeping firewalls and the things considered "UTM functions" in separate places.
Now, some feel the opposite. For those that want to say that UTMs (putting lots of applications together onto the router/firewall box) is better than the normal industry standard practice of keeping applications isolated, please present your reasons for wanting that. I've presented solid reasons, that you might not agree with, for why I'd follow industry best practice here. I don't remember anyone saying why they'd do the opposite, only questioning why I'd not do it, which isn't the same as presenting a reason.
So I'm asking... what's the reasons for going against the grain in this one case? There are exceptions to most every rule, but I've not seen anyone anywhere ever present an argument for UTMs, only that they'd use them despite the reasons against them.
-
Also, it's important to remember that just because something isn't the "best way to do it" doesn't imply that the other option doesn't work, just that it isn't as good. Just like how RAID 6 almost always works, even in cases where RAID 10 would have been better. A better design doesn't imply, at all, that non-best designs won't work, only that they don't work as well.
-
Reason to use a UTM:
single interface for all things covered
a single thing to update
single thing to secure (appliance, be it physical or virtual)
functions should integrate together more easily
single vendor to get support fromScott asked for reasons one might provide, so for devil's advocate I provided the above list. Now Scott will tell us why we don't want these things, or why they aren't good.
-
@dashrender said in Thoughts on how I could improve my network security?:
Reason to use a UTM:
a single thing to update
This is not inherent with being a UTM. It might be offered that way, but there is no guarantee. Each application needs updates individually, they are different things. Normally, this would be seen as a negative - a lack of update controls. You'd never want any other enterprise app updated "all as one thing", why this one? Why do you see this as a benefit when normally it would be considered a show stopper if this was on a non-security server, for security and stability reasons?
Also, pretty sure almost no UTM offers this.
-
@dashrender said in Thoughts on how I could improve my network security?:
single thing to secure (appliance, be it physical or virtual)
Again, not a positive. There are still all those pieces to secure, just less ability to protect them from each other. Once again, think of this in terms of any other enterprise app, would you call it "less to secure" when you have SBS vs. dedicated VMs for applications?
-
@dashrender said in Thoughts on how I could improve my network security?:
functions should integrate together more easily
This is marketing and doesn't mean anything here. "Should", but do they? There is no integration issue with separate parts, what does this mean to you?
-
@dashrender said in Thoughts on how I could improve my network security?:
single vendor to get support from
This, again, isn't true. UTMs can be multi-vendor, non-UTMs can be single vendor.
I feel that, and have always felt that, UTMs are sold, conceptually, via marketing channels and depend on a misunderstanding or false assumptions about their behaviour and value to drive their sales.
What is solid, is that lots of separate functions are running on a single box and interact with each other in potentially unstable and insecure ways. Why are we okay with lowering our standards in this one specific case? What about UTMs makes us happen to treat them as second class citizens on the network?
-
@dashrender said in Thoughts on how I could improve my network security?:
single interface for all things covered
Likely, but again, no guarantee. Some UTMs lack a singular interface option.
-
All of the reasons there are the same things with SBS. Look at UTMs in the broader context. What makes people believe them to be unique and outside of otherwise standard best practices or approaches?
-
Remember that even the best UTM vendors also offer their products in non-UTM forms. You can deploy Palo Alto or others without being a UTM.
Without being a UTM, you also have the freedom to pick and choose components and vendors as needed for cost, best of breed, unique needs, etc.
-
Some folks prefer the simplicity of having one throat to choke -- especially in the SMB world. Having run both ends of the spectrum -- that is managing a network with a UTM, vs a separate Firewall and UTM appliance, I can safely say that I prefer to keep them separated.
I saw better Network throughput and performance when keeping the various UTM functions separated out. My worst experience was with Fortinet as a UTM. Enabling IDS / IPS on this device would kill our internet almost immediately.
My best experience with a Non-UTM setup was Smoothwall. We had a Firewall, an IDS, and a Reporting box (three separate devices). Even with the IDS enabled, our internet speeds didn't take a hit.
