Network Security - UTM
- 
 So from another thread Scott said:- UTMs are generally a bad idea. At least that is @JaredBusch and my opinion. So what is the best idea to secure a network/MPLS?? As this is something I'm going to be starting to look at in the next 6 months. 
- 
 Define what "securing" it means to you? And do you mean at the outer edge (where your intranet meets the Internet) or on the inside MPLS (where site one meets site two.) 
- 
 I'll break down what I want/need. This is the current set-up:- 
 47 sites connected to an MPLS, internet breaks out inside of the MPLS. This is the only way out for most sites; some sites now have two connections: the MPLS (Citrix) and an FTTC connection for internet. At the moment the FTTC only has a SOHO grade DrayTek router.
 At the moment we have no control or visibility on the WAN or LAN at any site, so they could be doing anything, i.e. downloading P2P, on Facebook/YouTube all day etc. What I see we need to do:- 
 Get all 47 sites connected up with the fastest connection possible including FTTC so they only have one connection, then have control on web/application filtering and monitoring on WAN activities. It has been suggested to me to have a Sophos UTM at HO and make that the "breakout" on the 100MB leased line, then have RED devices everywhere.
- 
 @hobbit666 said: It has been suggested to me to have a Sophos UTM at HO and make that the "breakout" on the 100MB leased line, then have RED devices everywhere. Sophos are decent and would be my second recommendation after Palo Alto, but what value is the Sophos adding? And more importantly, if you have MPLS, what are the RED devices doing? 
- 
 @scottalanmiller said: @hobbit666 said: It has been suggested to me to have a Sophos UTM at HO and make that the "breakout" on the 100MB leased line, then have RED devices everywhere. Sophos are decent and would be my second recommendation after Palo Alto, but what value is the Sophos adding? And more importantly, if you have MPLS, what are the RED devices doing? I think the idea coming from the one supplier was to create a "MPLS" using Sophos. The other option we have is to find an MPLS provider that CAN give us bandwidth monitoring and web filtering lol 
- 
 @hobbit666 said: I think the idea coming from the one supplier was to create a "MPLS" using Sophos. So the problems there... 
- You are paying for MPLS but looking to ignore it and buy something that replicates it "again." That's not good spending.
- You are just talking about running a hub and spoke VPN instead of using the MPLS.
- Someone let the enemy in the gates and you have someone attempting to screw you in a position of giving advice that has none of your company's interest in mind. You've got a fundamental security issue that no technology can fix.
- 
 @hobbit666 said: The other option we have is to find an MPLS provider that CAN give us bandwidth monitoring and web filtering lol That's not the job of an MPLS provider. That's like asking your road construction crew for a good radio in your car. They make the roads, YOU need to buy the right car. You don't replace a good road crew because you don't like their lack of car reselling options. Why do you need bandwidth monitoring and web filtering? What is the goal with them? Why not just do those things at the gateway? Why do them between the sites? 
- 
 @scottalanmiller said: Why do you need bandwidth monitoring and web filtering? What is the goal with them? Why not just do those things at the gateway? Why do them between the sites? Stop people from using Facebook/YouTube all day and block sites like adult material. Also to make sure people aren't using things like BitTorrent etc. 
 Because our gateway is the MPLS and they can't/won't. Hence the reason for looking. And yes, the Sophos solution would be hub and spoke. 
- 
 @scottalanmiller said: - You are paying for MPLS but looking to ignore it and buy something that replicates it "again." That's not good spending.
 We are, but we are considering replacing the current provider, so that would be gone. 
- 
 Because our gateway is the MPLS and they can't/won't. Hence the reason for looking. MPLS is not a gateway, it is a link. The gateway is where the MPLS connects to your network. The issue here is asking for the wrong product from the wrong people. The gateway is yours to control. You control the access to the MPLS. Put whatever security in that you need, don't look to duplicate the MPLS connectivity in a poor manner because the MPLS provider is not your gateway. 
- 
 @hobbit666 said: We are, but we are considering replacing the current provider, so that would be gone. That's fine, if you have no need for MPLS, but MPLS is what enables what you want. Doing the same thing with VPNs would be very obnoxious. You'd be far better off with Facebook and YouTube on the network than doing that. It would be cutting off your nose to spite your face. I'm all for moving away from expensive MPLS circuits; I rarely find that they make sense. But everything you are talking about designing around is based on MPLS, not VPN, utilization. 
- 
 @hobbit666 said: And yes, the Sophos solution would be hub and spoke. Which is slow and cumbersome. What services are delivered from the hub? 
- 
 @scottalanmiller said: Because our gateway is the MPLS and they can't/won't. Hence the reason for looking. MPLS is not a gateway, it is a link. The gateway is where the MPLS connects to your network. The issue here is asking for the wrong product from the wrong people. The gateway is yours to control. You control the access to the MPLS. Put whatever security in that you need; don't look to duplicate the MPLS connectivity in a poor manner because the MPLS provider is not your gateway. See, this confuses me, as they are providing internet access to all our sites including Head Office. It's only at 6 sites that the internet is through FTTC (BT). 
- 
 @hobbit666 said: Stop people from using Facebook/YouTube all day and block sites like adult material. Also to make sure people aren't using things like BitTorrent etc. Just put in a web filter then, don't look at UTM. UTM is the wrong technology. If you really need this stuff, you can handle it the "easy" way, which is stopping people from accidentally doing things that you don't want by just redirecting DNS. If this is a security matter then really you need to ask HR why they are not making a policy against it but asking IT to do something and/or not enforcing the policy and making a mockery of their jobs. If you must block content, then you use a web filter like Websense or Squid. 
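The reply above points at a plain web filter (Squid is one of the tools named) rather than a UTM. As an added example that is not part of the thread and not Squid's own code, the script below checks URLs against a domain blocklist using the same matching rules as a Squid `dstdomain` ACL (a leading dot matches the domain and all of its subdomains; no leading dot matches that exact host only), so a policy file can be sanity-checked before it is loaded on a gateway. The blocklist entries, host names and URLs are constructed sample data, and `tracker.example.net` is a hypothetical host, not a real one.

```python
"""Added example, not from the thread: a domain blocklist check that follows the
matching rules of a Squid ``dstdomain`` ACL. All entries and URLs below are constructed."""
from urllib.parse import urlsplit

# Constructed Squid-style dstdomain list: ".facebook.com" covers facebook.com and
# every subdomain; "tracker.example.net" (hypothetical) covers that host name only.
BLOCKLIST_TEXT = """
# social media / video (constructed example entries)
.facebook.com
.youtube.com
# exact host only: deny the tracker host, leave the rest of the domain alone
tracker.example.net
"""


def parse_dstdomain_list(text):
    """Return (exact_hosts, suffix_domains) from a Squid-style dstdomain file.
    Blank lines and '#' comments are ignored, entries are lower-cased."""
    exact, suffixes = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if line.startswith("."):
            suffixes.add(line.lstrip("."))
        else:
            exact.add(line)
    return exact, suffixes


def host_of(url):
    """Extract the lower-cased host from a URL; scheme-less input is accepted."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_blocked(url, exact, suffixes):
    """True if the URL's host is denied by the policy.
    Suffix entries match only on a label boundary, so 'notfacebook.com' is NOT
    caught by '.facebook.com' while 'm.facebook.com' is."""
    host = host_of(url)
    if host in exact:
        return True
    return any(host == dom or host.endswith("." + dom) for dom in suffixes)


def decide(url, policy_text=BLOCKLIST_TEXT):
    """Return 'DENY' or 'ALLOW' for a URL under the given policy text."""
    exact, suffixes = parse_dstdomain_list(policy_text)
    return "DENY" if is_blocked(url, exact, suffixes) else "ALLOW"


if __name__ == "__main__":
    for u in ["https://www.facebook.com/", "http://notfacebook.com/",
              "https://tracker.example.net/announce", "https://www.example.net/"]:
        print(decide(u), u)
```

On a real Squid gateway the equivalent policy is loaded with `acl blocked dstdomain "/etc/squid/blocked_domains.txt"` followed by `http_access deny blocked`; the script only reproduces the decision so the list can be reviewed for over-blocking (a bare `example.com` entry not catching `www.example.com`) before it goes live.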
- 
 @hobbit666 said: See, this confuses me, as they are providing internet access to all our sites including Head Office. It's only at 6 sites that the internet is through FTTC (BT). Right, they are the ISP, not the gateway. Your gateway is where the ISP connects to your business. Think of it like the road: the GATE is at the end of your driveway. You don't ask the local village to maintain your gate; you install a gate and maintain it yourself. It's the point where your personal road (driveway) meets the public one. 
- 
 @scottalanmiller said: @hobbit666 said: And yes, the Sophos solution would be hub and spoke. Which is slow and cumbersome. What services are delivered from the hub? It's where our Dynamics GP sits and all the sites access it via Citrix XenApp. That's all the MPLS is for mainly, then as I mentioned we get internet access from it too. 
- 
 @scottalanmiller said: @hobbit666 said: See, this confuses me, as they are providing internet access to all our sites including Head Office. It's only at 6 sites that the internet is through FTTC (BT). Right, they are the ISP, not the gateway. Your gateway is where the ISP connects to your business. Think of it like the road: the GATE is at the end of your driveway. You don't ask the local village to maintain your gate; you install a gate and maintain it yourself. It's the point where your personal road (driveway) meets the public one. But where would our gate sit? In their datacentre (as we have asked and we can't)? As no "internet" traffic passes through us at HO, so when each store site goes on the internet it goes through the ISP/MPLS, whatever you label it, and out; we have no control. 
- 
 @hobbit666 said: It's where our Dynamics GP sits and all the sites access it via Citrix XenApp. That's all the MPLS is for mainly, then as I mentioned we get internet access from it too. I'm confused. The reason for having XenApp would be to not have MPLS (or VPN.) What function do the MPLS or VPN (Sophos RED) play, then, if you already have XenApp? Or, to put it another way, it sounds like you've already designed a "LANless" infrastructure but are spending what is likely a fortune creating the complexity of extending the LAN to many sites without benefit. The MPLS or the VPN would just be "in the way," making things work more poorly while costing more, right? What benefit do they potentially add? 
- 
 @hobbit666 said: But where would our gate sit? In their datacentre (as we have asked and we can't)? Not "would it", but "does it." You must have a router connecting to your MPLS, right? You don't let the MPLS hand you Ethernet and just plug it into your core switch and have the world open to your network, right? What do you mean you can't have a gateway router in your datacenter? Even your home has one of these. 
- 
 @hobbit666 said: As no "internet" traffic passes through us at HO, so when each store site goes on the internet it goes through the ISP/MPLS, whatever you label it, and out; we have no control. Then each site has its own gateway. You always have control; that cannot be taken away. The ISP has zero say in that (they can't; it doesn't make sense from a networking perspective.) It is physically possible for an ISP to provide gateway services for you, but never recommended. But they cannot ever take that capability away from you. 