Pfsense instead SonicWall ?
-
Plus Scott is a big believer in the LANless approach. Don't trust the network you're own.. create your own security through other means, like endpoint to server SSL, etc.
-
@wrx7m said:
@scottalanmiller Thanks for the info. What about use of a proxy/application control?
Proxies have their place, and I was using one at home even in the 1990s. Proxying itself is pretty much useless for 95% of businesses, but some need it. But a proxy requires a lot of horsepower and should never be combined with routing. For proxy and cache functions I would also turn to Squid for normal stuff and if you feel that you need to control access (which I generally think is a horrible idea and you should fire everyone if you think you need this) I would use Websense as nothing else even pretends to actually do anything.
-
@Dashrender said:
You haven't? I have. Both good and bad. I've seen it block bad things and also have false positives.
That description is what we would call not working.
-
@scottalanmiller Right, I understand your point on separating the functions from the firewall, itself.
-
@Dashrender said:
I definitely like the thought behind it.. not sold one way or the other in practice though.
If it introduced no latency and had no (or effectively no) false positives and was very cost effective I'd like the idea, too. But there is really no way to do that and that's the problem.
-
@scottalanmiller said:
@Dashrender said:
You haven't? I have. Both good and bad. I've seen it block bad things and also have false positives.
That description is what we would call not working.
False positives happen even on end points - so....
-
@scottalanmiller said:
@Dashrender said:
I definitely like the thought behind it.. not sold one way or the other in practice though.
If it introduced no latency and had no (or effectively no) false positives and was very cost effective I'd like the idea, too. But there is really no way to do that and that's the problem.
I agree!
-
@scottalanmiller said:
@Dashrender said:
I definitely like the thought behind it.. not sold one way or the other in practice though.
If it introduced no latency and had no (or effectively no) false positives and was very cost effective I'd like the idea, too. But there is really no way to do that and that's the problem.
Oh.. and my false positives was once during my 3 year contract...
-
@wrx7m said:
@scottalanmiller Right, I understand your point on separating the functions from the firewall, itself.
One of the reasons there for proxy/cache specifically is that you need it to be insanely fast and cache a ton of stuff - so you likely want a massive RAID 0 array with SSD cacheing in front of it with loads of memory and a decent CPU (quad core Xeon for example) to handle it. You can't get 1% of that from any firewall hardware.
And you don't want the proxy getting in the way of non-proxy traffic. Your VoIP, for example, needs to go straight through the firewall not get processed or blocked by the proxy. If the proxy is inside the firewall device, the CPU will be tied up doing that instead of passing RTP packets.
-
@scottalanmiller said:
@wrx7m said:
@scottalanmiller Thanks for the info. What about use of a proxy/application control?
Proxies have their place, and I was using one at home even in the 1990s. Proxying itself is pretty much useless for 95% of businesses, but some need it. But a proxy requires a lot of horsepower and should never be combined with routing. For proxy and cache functions I would also turn to Squid for normal stuff and if you feel that you need to control access (which I generally think is a horrible idea and you should fire everyone if you think you need this) I would use Websense as nothing else even pretends to actually do anything.
I agree with you but how do you know what people are accessing if you aren't monitoring it, at least passively? Sure there is management but short of standing over everyone's shoulder, I don't see a better way to be able to produce the stats.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
You haven't? I have. Both good and bad. I've seen it block bad things and also have false positives.
That description is what we would call not working.
False positives happen even on end points - so....
But not so often that I've seen one in a decade. Definitely happen, but are super rare. And much easier to identify because it is localised to where it happens. Not somewhere distant.
-
@wrx7m said:
I agree with you but how do you know what people are accessing if you aren't monitoring it, at least passively?
I don't want to know what they are accessing. I know of no positive, but tons of negative, results from that. Having that information available doesn't itself cause problems, but it makes problems really easy to have - like not looking at how well people do their jobs and instead looking at what web sites that they go to.
I truly believe that 99.9% of the time, having this information has only negative value. And IT should never want this, management might require it, but it would never be in IT's interest to have to collect this.
-
@wrx7m said:
Sure there is management but short of standing over everyone's shoulder, I don't see a better way to be able to produce the stats.
Good, make it hard to collect pointless metrics.
-
@scottalanmiller said:
@wrx7m said:
I agree with you but how do you know what people are accessing if you aren't monitoring it, at least passively?
I don't want to know what they are accessing. I know of no positive, but tons of negative, results from that. Having that information available doesn't itself cause problems, but it makes problems really easy to have - like not looking at how well people do their jobs and instead looking at what web sites that they go to.
I truly believe that 99.9% of the time, having this information has only negative value. And IT should never want this, management might require it, but it would never be in IT's interest to have to collect this.
IT services don't exist in a vacuum and most management would disagree. Management wants info like this occasionally. Sometimes they want even more, which requires specialized software installed on the local system. I really hate doing that.
-
@wrx7m said:
IT services don't exist in a vacuum and most management would disagree.
Not good, healthy management. I normally see this stuff being pushed from IT in opposition to management as IT people have a tendency to want to "control" things, it's part of the culture. Good management would know instantly that this is horrible info and goes against even the most entry level management training. This calls only into the "really clueless untrained or megalomaniac" management category outside of specific issues (some places have to for regulations.)
If management wants this info, IT should be training them as to how useless this data is and how there is no possible useful outcome to collecting it.
-
@scottalanmiller said:
@wrx7m said:
I agree with you but how do you know what people are accessing if you aren't monitoring it, at least passively?
I don't want to know what they are accessing. I know of no positive, but tons of negative, results from that. Having that information available doesn't itself cause problems, but it makes problems really easy to have - like not looking at how well people do their jobs and instead looking at what web sites that they go to.
I truly believe that 99.9% of the time, having this information has only negative value. And IT should never want this, management might require it, but it would never be in IT's interest to have to collect this.
We've had on average one person a year fired because of their browsing habits. One person was even watching Netflix 8 hours a day, surprisingly that person still works here.
Employees are paid to do their jobs, not to browse the web. If the management has a need to have that info, then we should provide it.
-
@wrx7m said:
Management wants info like this occasionally.
Maybe, but it should NEVER be an assumption. If management demands this AND won't accept training or standard advice or just math... then yes, IT should do what it is asked to do. But we should never drive this as it is bad for every aspect of the business when not required.
-
@marcinozga said:
We've had on average one person a year fired because of their browsing habits. One person was even watching Netflix 8 hours a day, surprisingly that person still works here.
That's horrible, why would you fire perfectly good employees that are being productive because of perceived browsing habits? Those managers should be fired, that's as clueless as you can get. If those people are doing a good job and earning their keep, firing them because of a metric that has nothing to do with their ability to do their job or their productivity would be tantamount to intentional sabotage - and should trigger an investigation over discrimination.
-
@marcinozga said:
If the management has a need to have that info, then we should provide it.
Management doesn't have a need for that info, that's the key. Like I said, anyone with management training even as poor as colleges normally are, covers how you would never do this as very entry level training.
-
@scottalanmiller said:
@wrx7m said:
IT services don't exist in a vacuum and most management would disagree.
Not good, healthy management. I normally see this stuff being pushed from IT in opposition to management as IT people have a tendency to want to "control" things, it's part of the culture. Good management would know instantly that this is horrible info and goes against even the most entry level management training. This calls only into the "really clueless untrained or megalomaniac" management category outside of specific issues (some places have to for regulations.)
If management wants this info, IT should be training them as to how useless this data is and how there is no possible useful outcome to collecting it.
Same boat. I don't need to control everything. I would just want people to do what I ask. I understand that some people work differently than others and I prefer that people use their time wisely. The product of the employee is what should be quantified. Are they getting their work done? Do they ask for more or to help others instead of just sitting there?