USG Pro 4 and our Company Security
-
@scottalanmiller said in USG Pro 4 and our Company Security:
If you don't mind us digging in... what "services" do they provide that couldn't be taken over by someone else, more or less, overnight?
They house the server that holds our Financial Software. We already have plans to move to a new Company for that, within the year. We are also working to get a consultant to help us migrate our files to Sharepoint, AD fully to Azure, and find a solution for our branch employees (Thin clients, Desktop, Remote Desktop in the Cloud). We still have some work to do to get a good plan. We have already started, just because the price for the DC is way too much for us. Now we have another reason.
-
So a general rule I will throw out there... colocation is not something you want to be local. Same as cloud. "Where" it is makes no difference. It's not that you avoid people who are local, you just never consider that in your selection process. Local has no benefits. But choosing local because they are local flags you as not valuing good, honest service and changes how the vendor views you.
The only thing you care about with a colocation provider that can be affected by locality is latency, and that you just measure. Good colocation is all in major cities that specialize in DC services... NY/NJ, Chicago, DFW, San Antonio, Los Angeles, NOVA, that's about it. Anything outside of those cities and you are probably getting a little local shop (unless you aren't in the USA of course.)
From where you are, LA is your logical choice. San Fran has a few, but is actually surprisingly bad for infrastructure so rarely do you get data center services in the Bay area.
https://smbitjournal.com/2015/08/avoiding-local-service-providers/
-
@gtech said in USG Pro 4 and our Company Security:
Are they not just using Azure?
They have a colocation business that they don't advertise as heavily.
-
@jevans said in USG Pro 4 and our Company Security:
They house the server that holds our Financial Software. We already have plans to move to a new Company for that, within the year. We are also working to get a consultant to help us migrate our files to Sharepoint, AD fully to Azure, and find a solution for our branch employees (Thin clients, Desktop, Remote Desktop in the Cloud). We still have some work to do to get a good plan. We have already started, just because the price for the DC is way too much for us. Now we have another reason.
So that's a very high level view, so take my statement with a grain of proverbial salt, but this sounds like the kind of stuff that could be moved in a couple of weeks and save a fortune right away. Not that you WANT to move that aggressively, but if the cost is too high, getting moved off of it faster is better. All of those things are super standard and just a matter of a normal migration.
-
This is from the Rep:
"UTM (Unified Threat Management) This is where you have multiple layers of security at the gateway to protect against threats. These typically come with a subscription for regular update usually daily or even multiple times a day for their threat updates. Also DPI SSL inspection. "
This is why he was saying the USG will not be a viable option for us.
-
@jevans said in USG Pro 4 and our Company Security:
We already have plans to move to a new Company for that, within the year. We are also working to get a consultant to help us migrate our files to Sharepoint, AD fully to Azure, and find a solution for our branch employees (Thin clients, Desktop, Remote Desktop in the Cloud).
So in a situation like this, where you've now identified that a bad actor has been sewing seeds of misinformation, it's a good time to go back and look at other decisions and see if their influence can be seen there as well. And I'm guessing that the move to Azure just happened to be recommended by the same guy trying to sell UTMs. The vendor in question is an Azure reseller and by and large, Azure is the one big vendor you'd never want on a short list - high cost, low quality - for cloud. Azure depends on aggressive salespeople and big marketing to get shops that don't evaluate the competition to overpay for low quality services.
MS services for O365 for hosted Sharepoint, email, and such is great. Azure doesn't do AD (don't confuse Azure AD with AD on Azure, two totally different things conceptually.) You can do AD on Azure, but it's not Azure providing it.
I'd immediately step back and question why Azure was even mentioned, let alone selected. Maybe there is some technical info that we don't have. But what technical info we do have, and the info about who has been trying to sell things there, tells us that using Azure is a very bad idea.
Cloud is great, and may or may not make sense for you. But based off of other information that we have, my guess is that a dishonest datacenter who is trying to sell products and Azure services has been screwing you on datacenter services and using that bad treatment to justify talking you into cloud when it wouldn't make sense. The kinds of workloads that you are describing and absolutely terrible for cloud, and ideal for colocation. If you saw quality colo, I bet you'd see that cloud has no way to compete for this type of setup.
-
@jevans said in USG Pro 4 and our Company Security:
This is from the Rep:
"UTM (Unified Threat Management) This is where you have multiple layers of security at the gateway to protect against threats. These typically come with a subscription for regular update usually daily or even multiple times a day for their threat updates. Also DPI SSL inspection. "
This is why he was saying the USG will not be a viable option for us.
Seriously, never speak to him again. Literally, never. The only words you should speak to him are "If you ever call again, we will take legal action."
The UTM can't do what he's describing here, where he's trying to get you to put it. He's continuing the scam.
Anyone who says "security in layers" is pulling a scam. All security is in layers, no legit person talks about it that way, though. That's a sales tactic terminology. It's used to make you feel something obvious is special.
UTMs are the worst way to deliver those kinds of services, if they are needed. DPI SSL inspection is nice and all, but comes at big cost and big risk and has essentially zero value. You already have DPI SSL inspection from your AV products. It's an essentially pointless service, that would be disabled in this case, that sounds plausible but is almost entirely a scam in general (but 100% a scam in this specific case.)
But we've established that the USG is in fact a UTM. That it doesn't require a subscription to empty your wallet doesn't change that, but clearly does change his opinion over whether or not he can use it to scam you, so he doesn't like it.
-
So I would happily get onto the phone with this rep and your CEO if you'd like. CEO can be on mute. But I will only do a free "expose the scammer" call if someone with the authority to consider legal action is listening. But if the CEO wants to hear him get exposed lying in real time, I'm happy to make that call.
-
It's also worth noting that the big features that people use to push UTMs, DPI SSL inspection, are also their biggest risk and why many places will never allow them. What DPI SSL is is the IT department implementing a "man in the middle" attack on encrypted traffic. In doing so, end users cannot trust the traffic in the company, and the UTM itself becomes a massive point of danger that normally does not exist. DPI SSL is "neat" and "terrible" at the same time. Neat in that you can break into user's secure sessions, terrible in that they compromise HTTPS security and provide a mechanism for breaching data at that point.
For example, I would never allow DPI SSL in my own company. I think it is a terrible idea. I can see why some people, especially those that feel that they need to spy on their end users, value it. But it's dangerous, and if you ever allow a third party to manage it it is even more dangerous still. Imagine if this datacenter offered to manage a UTM for you, they could be harvesting your banking data with that! DPI SSL is a very, very dangerous sword to wield.
It's not that DPI SSL is expensive, or hard, or "unneeded." It's that we don't see it as acceptable to implement in that way and won't allow it. For him to act like you can't be secure without doing something we see as that bad, is a pretty big statement for him to make.
-
Now, to be fair, all of this stuff is pretty minor. I don't want to sound ridiculous about it. Every slimy salesman pushes UTM, every single one. Just like they all used to push SAN. It's the standard sales tactic. Getting a UTM won't destroy your company, it just funnels money out of your wallet into his. That's really all.
Azure over a better cloud isn't doom and gloom. You'll pay 20-80% more, your have 50% more outages, but it's all minor. You'll know the cost up front, and even 50% more outage is pretty trivial. Sounds bad, but it isn't.
Will this guy actually steal your banking data? Not likely. What he might steal is stuff you'll probably not realize and it just won't matter to you very much.
The reason that we are all up in arms isn't because this will kill your company or cause some huge disaster. It's that we are all offended that a clearly dishonest con man is pretending to be your adviser and discrediting our profession. He's crossed a clear line and is someone you can never trust and should never engage again. That's absolutely clear. But he's not going to stab you and burn down your house, he's just a crummy human who will use FUD and confusion to run a con on you, nothing more, nothing less.
-
@jevans Sounds like he is reading a sales brochure. None of what he said gives you any reason to stay with him. Just my opinion.
-
@scottalanmiller Absolutely great explanation!
-
@scottalanmiller is that really better than the stabby arsonist? At least with those you can tell they will stab you and burn your house down, with lying sales dicks (read: all of them), not as easy to spot, especially when you aren't aware of where they get their income. Wolf in sheep's clothing, and all that.
-
@RojoLoco said in USG Pro 4 and our Company Security:
At least with those you can tell they will stab you and burn your house down, with lying sales dicks (read: all of them), not as easy to spot,
I'm "lucky", for me, the salesman is easier to spot. It's my super power.
-
Thank you Scott, and everyone. This was exactly what I needed. I felt something was not right and I was starting to question myself. Now I have what I need to formulate a plan and present it to our CEO so that we can stay the course with the initial plan using the USGs.
One other question I had about the USG. I see the specs for the USG Pro 4 should be able to handle all of our branches traffic but will it slow things down? Should I think about placing an XG at the DC to handle all 60-70 users or will the Pro 4 handle it just fine?
-
@jevans said in USG Pro 4 and our Company Security:
One other question I had about the USG. I see the specs for the USG Pro 4 should be able to handle all of our branches traffic but will it slow things down? Should I think about placing an XG at the DC to handle all 60-70 users or will the Pro 4 handle it just fine?
I don't think that you provided enough data for us to know. The Pro 4 is decently fast, but might be around its limit. Users is a silly guide that firewall makers tend to use, but it doesn't mean anything, really. What is the network bandwidth that you have at each site (DC and branches?) That, more than anything, determines what the units will have to handle.
-
@jevans said in USG Pro 4 and our Company Security:
Thank you Scott, and everyone. This was exactly what I needed. I felt something was not right and I was starting to question myself. Now I have what I need to formulate a plan and present it to our CEO so that we can stay the course with the initial plan using the USGs.
Glad we could help. We're always happy to make life difficult for scamy sales... things.
One other question I had about the USG. I see the specs for the USG Pro 4 should be able to handle all of our branches traffic but will it slow things down? Should I think about placing an XG at the DC to handle all 60-70 users or will the Pro 4 handle it just fine?
We'd need to know your ISP bandwidth to be able to answer this.
-
The USG 4 should be able to push around 120Mb/s over IPSec. If you need more than that, then the bigger model is needed.
-
@scottalanmiller said in USG Pro 4 and our Company Security:
So I would happily get onto the phone with this rep and your CEO if you'd like. CEO can be on mute. But I will only do a free "expose the scammer" call if someone with the authority to consider legal action is listening. But if the CEO wants to hear him get exposed lying in real time, I'm happy to make that call.
Time for a party call!!
-
@wrx7m said in USG Pro 4 and our Company Security:
@scottalanmiller said in USG Pro 4 and our Company Security:
So I would happily get onto the phone with this rep and your CEO if you'd like. CEO can be on mute. But I will only do a free "expose the scammer" call if someone with the authority to consider legal action is listening. But if the CEO wants to hear him get exposed lying in real time, I'm happy to make that call.
Time for a party call!!
Yup, it'll be quite the party.