NashBrydges

    • Topics 109
    • Posts 893

    Posts
    • RE: Cloudflare SSL - Do You Use Or Not?

      @jaredbusch said in Cloudflare SSL - Do You Use Or Not?:

      You have to switch to DNS based auth for the LE certs if you are putting the traffic through CloudFlare or you need to disable cloudflare prior to the renew request.

      At least that is how it was when LE went public. Haven't looked into CF since.

      Thanks @JaredBusch I'll watch for this the next time I'm registering a new domain. So far, I've been migrating existing ones to CF so haven't run into this on renewal.

      posted in IT Discussion
      NashBrydges
    • RE: Cloudflare SSL - Do You Use Or Not?

      @black3dynamite @scottalanmiller Is there any benefit in using CF's SSL? I only see this as confusing if users verify the cert in their browser. Granted, that's likely a pretty rare thing but still. Any specific reason for using it vs not? You're using it just because it's there?

      posted in IT Discussion
      NashBrydges
    • Cloudflare SSL - Do You Use Or Not?

      So I am going over a friend's setup today. He asked if I could make sure his setup was ok. Good for him to use Cloudflare for DNS but I noticed that he has set up SSL to "Full" even though he's using Let's Encrypt to secure his site. I've been turning that off for all of my domains on Cloudflare otherwise the cert that shows up in the browser is Cloudflare's and not his.

      Am I missing something? I don't see a reason why I would use Cloudflare's SSL because I prefer that the visitor's browser indicates that the certificate is issued to my own domain.

      posted in IT Discussion cloudflare
      NashBrydges
    • RE: Ubiquity Security appliance

      @scottalanmiller said in Ubiquity Security appliance:

      Related: My hotel windows look right into the Palo Alto Networks office building.

      Grab some swag! 😉

      posted in IT Discussion
      NashBrydges
    • RE: Ubiquity Security appliance

      @jaredbusch said in Ubiquity Security appliance:

      @nashbrydges said in Ubiquity Security appliance:

      Sandstorm is not on the endpoint. Files are analyzed through a Sophos cloud service via the UTM before being allowed through to the user.

      So you are using MitM.

      To be clear, Sandstorm will NOT work for HTTPS content unless there's a cert installed on the desktop so it can inspect traffic and retain an encrypted connection. Much the same as DPI SSL won't work well, and gateway AVs are the same: if no certificate is installed on the desktop, you can't maintain an encrypted connection with the destination server. But it does work on non-SSL traffic.

      As web SSL usage continues to increase, this continues to reduce the efficacy of any gateway AV, DPI SSL or services like Sandstorm for SMBs who refuse to set up the desktop cert (me included). That means more and more reliance on desktop AV/AM solutions for scanning.

      While those services are, in my eyes, being affected in their usefulness by the increased SSL usage, they do offer other services that can be beneficial to SMBs.

      I see lots of people coming up with reasons why NOT to use a UTM. What I've stated all along is, evaluate the client need and figure out if a UTM is going to work well for them or not.

      In my case, only a handful of the 39 clients have UTMs. ALL of those enjoy benefits afforded them by the UTM other than AV/AM scanning.

      posted in IT Discussion
      NashBrydges
    • RE: Ubiquity Security appliance

      @jaredbusch said in Ubiquity Security appliance:

      They do use SSL almost exclusively because it protects their payload unless the endpoint has MitM breaking the SSL to inspect the traffic.

      Source please.

      @jaredbusch said in Ubiquity Security appliance:

      Is Sandstorm an AV client on the endpoint? Then it is no different than any other endpoint AV. If it is on the router, then, it is useless unless you are doing MitM.

      Sandstorm is not on the endpoint. Files are analyzed through a Sophos cloud service via the UTM before being allowed through to the user.

      posted in IT Discussion
      NashBrydges
    • RE: Ubiquity Security appliance

      @jaredbusch said in Ubiquity Security appliance:

      @nashbrydges said in Ubiquity Security appliance:

      when the UTM manufacturer gathers malicious domain lists from a variety of sources

      Again this is different than the sources that Strongarm.io uses how?

      Just like different AV vendors perform differently in what they identify and block, the same is true for UTMs.

      posted in IT Discussion
      NashBrydges
    • RE: Ubiquity Security appliance

      @jaredbusch said in Ubiquity Security appliance:

      @jaredbusch said in Ubiquity Security appliance:

      @nashbrydges said in Ubiquity Security appliance:

      @jaredbusch said in Ubiquity Security appliance:

      @nashbrydges said in Ubiquity Security appliance:

      @dashrender said in Ubiquity Security appliance:

      @nashbrydges said in Ubiquity Security appliance:

      @coliver said in Ubiquity Security appliance:

      @nashbrydges said in Ubiquity Security appliance:

      @scottalanmiller has made it clear throughout Mangolassi that he's not generally a fan of UTMs but I have seen first-hand the benefits UTMs can bring to a small business (emphasis on "small"). I agree with all of his points but since I've been able to setup and manage UTMs that have actually prevented malware infections, even while using some of those DNS services, that tends to win me over pretty quickly.

      I'll also agree with @scottalanmiller that it's a cost vs benefit analysis that you'll need to do.

      For what it's worth, I tend to look at the type of activities and services running at a client's business and decide whether a UTM makes sense for them or not and go from there. And for performance vs cost, I've favored Sophos UTMs. For straight-up firewall, it's UBNT all the way, every time.

      How do you know the local AV/Anti-malware wouldn't have resolved that issue? That's where I sit, UTMs are interesting and can be handy but are they that much better then just having a properly secured endpoint?

      Local AV is great for scanning files and processes but does nothing to block access to a website. That is the effect I'm referring to. Blocking access to malicious sites. Preventing the downloading of an infected document/file is also a win. There's definite value in stopping the file from reaching the user if it is identified as malicious. Sure it might have been identified by the desktop AV, but if it hadn't, that additional buffer is beneficial.

      You mention that the webfiltering alone didn't stop the infection you saw stopped by the UTM in your example - so what portion of the UTM stopped the infection? AV scanning?

      We all know that AV scanning isn't perfect - no one company is 100% effective there, so this time your UTM stopped it, and maybe next time it won't - we don't know if the local AV would have stopped it or not. For 100's of times the cost of a non UTM firewall, I really wonder if it's worth it?

      There are 3 specific cases, 2 of which were domains blocked as known or suspected malicious, and 1, in my personal home, where I have a click-happy wife and son and the AV blocked a file download.

      No one company is 100%, completely agree, but that argument does go both ways in support for and against the use of UTMs.

      As for cost, a client with 23 staff was running an EdgeRouter and at the time, I didn't know about Strongarm and Quad9 didn't exist. One of their staff opened a Word document without thinking and enabled macros. The resulting crypto malware spread to their file server. The cost of my time to fix this was twice what would have been a properly sized UTM with 3 yrs licensing. Again, not saying a UTM would have blocked the domain or file, but 100% will not know because there wasn't one in place.

      But that word document came through their email which nothing would stop because that should be coming down an encrypted pipe between the email server and the desktop client.

      No, it didn't come from their email, it was a link to a cloud file share on some random domain.

      Then also would not be blocked as it would have been inside an SSL tunnel. Unless it was a really incompetent crypto team.

      @NashBrydges unless you are breaking your SSL yourself by letting your UTM perform a MitM attack on all your traffic.

      That never happens and is a totally bad setup.

      posted in IT Discussion
      NashBrydges
    • RE: Ubiquity Security appliance

      @jaredbusch said in Ubiquity Security appliance:

      @nashbrydges said in Ubiquity Security appliance:

      @jaredbusch said in Ubiquity Security appliance:

      @nashbrydges said in Ubiquity Security appliance:

      @dashrender said in Ubiquity Security appliance:

      @nashbrydges said in Ubiquity Security appliance:

      @coliver said in Ubiquity Security appliance:

      @nashbrydges said in Ubiquity Security appliance:

      @scottalanmiller has made it clear throughout Mangolassi that he's not generally a fan of UTMs but I have seen first-hand the benefits UTMs can bring to a small business (emphasis on "small"). I agree with all of his points but since I've been able to setup and manage UTMs that have actually prevented malware infections, even while using some of those DNS services, that tends to win me over pretty quickly.

      I'll also agree with @scottalanmiller that it's a cost vs benefit analysis that you'll need to do.

      For what it's worth, I tend to look at the type of activities and services running at a client's business and decide whether a UTM makes sense for them or not and go from there. And for performance vs cost, I've favored Sophos UTMs. For straight-up firewall, it's UBNT all the way, every time.

      How do you know the local AV/Anti-malware wouldn't have resolved that issue? That's where I sit, UTMs are interesting and can be handy but are they that much better then just having a properly secured endpoint?

      Local AV is great for scanning files and processes but does nothing to block access to a website. That is the effect I'm referring to. Blocking access to malicious sites. Preventing the downloading of an infected document/file is also a win. There's definite value in stopping the file from reaching the user if it is identified as malicious. Sure it might have been identified by the desktop AV, but if it hadn't, that additional buffer is beneficial.

      You mention that the webfiltering alone didn't stop the infection you saw stopped by the UTM in your example - so what portion of the UTM stopped the infection? AV scanning?

      We all know that AV scanning isn't perfect - no one company is 100% effective there, so this time your UTM stopped it, and maybe next time it won't - we don't know if the local AV would have stopped it or not. For 100's of times the cost of a non UTM firewall, I really wonder if it's worth it?

      There are 3 specific cases, 2 of which were domains blocked as known or suspected malicious, and 1, in my personal home, where I have a click-happy wife and son and the AV blocked a file download.

      No one company is 100%, completely agree, but that argument does go both ways in support for and against the use of UTMs.

      As for cost, a client with 23 staff was running an EdgeRouter and at the time, I didn't know about Strongarm and Quad9 didn't exist. One of their staff opened a Word document without thinking and enabled macros. The resulting crypto malware spread to their file server. The cost of my time to fix this was twice what would have been a properly sized UTM with 3 yrs licensing. Again, not saying a UTM would have blocked the domain or file, but 100% will not know because there wasn't one in place.

      But that word document came through their email which nothing would stop because that should be coming down an encrypted pipe between the email server and the desktop client.

      No, it didn't come from their email, it was a link to a cloud file share on some random domain.

      Then also would not be blocked as it would have been inside an SSL tunnel. Unless it was a really incompetent crypto team.

      It was a malware laden file, and the user neglected to ensure the link was a good valid link. You're assuming it would have been served over SSL. I made no such assumption. Not sure that malware distributors always ensure their files are hosted from SSL protected shares.

      Sophos also has a feature called Sandstorm which explodes documents before sending them to the user. A UTM AV may have scanned and blocked the file, it may not. Like I said, we'll never know for sure since the client didn't have the UTM in place.

      posted in IT Discussion
      NashBrydges
    • RE: Ubiquity Security appliance

      @jaredbusch said in Ubiquity Security appliance:

      @nashbrydges said in Ubiquity Security appliance:

      @dashrender said in Ubiquity Security appliance:

      @nashbrydges said in Ubiquity Security appliance:

      @coliver said in Ubiquity Security appliance:

      @nashbrydges said in Ubiquity Security appliance:

      @scottalanmiller has made it clear throughout Mangolassi that he's not generally a fan of UTMs but I have seen first-hand the benefits UTMs can bring to a small business (emphasis on "small"). I agree with all of his points but since I've been able to setup and manage UTMs that have actually prevented malware infections, even while using some of those DNS services, that tends to win me over pretty quickly.

      I'll also agree with @scottalanmiller that it's a cost vs benefit analysis that you'll need to do.

      For what it's worth, I tend to look at the type of activities and services running at a client's business and decide whether a UTM makes sense for them or not and go from there. And for performance vs cost, I've favored Sophos UTMs. For straight-up firewall, it's UBNT all the way, every time.

      How do you know the local AV/Anti-malware wouldn't have resolved that issue? That's where I sit, UTMs are interesting and can be handy but are they that much better then just having a properly secured endpoint?

      Local AV is great for scanning files and processes but does nothing to block access to a website. That is the effect I'm referring to. Blocking access to malicious sites. Preventing the downloading of an infected document/file is also a win. There's definite value in stopping the file from reaching the user if it is identified as malicious. Sure it might have been identified by the desktop AV, but if it hadn't, that additional buffer is beneficial.

      You mention that the webfiltering alone didn't stop the infection you saw stopped by the UTM in your example - so what portion of the UTM stopped the infection? AV scanning?

      We all know that AV scanning isn't perfect - no one company is 100% effective there, so this time your UTM stopped it, and maybe next time it won't - we don't know if the local AV would have stopped it or not. For 100's of times the cost of a non UTM firewall, I really wonder if it's worth it?

      There are 3 specific cases, 2 of which were domains blocked as known or suspected malicious, and 1, in my personal home, where I have a click-happy wife and son and the AV blocked a file download.

      No one company is 100%, completely agree, but that argument does go both ways in support for and against the use of UTMs.

      As for cost, a client with 23 staff was running an EdgeRouter and at the time, I didn't know about Strongarm and Quad9 didn't exist. One of their staff opened a Word document without thinking and enabled macros. The resulting crypto malware spread to their file server. The cost of my time to fix this was twice what would have been a properly sized UTM with 3 yrs licensing. Again, not saying a UTM would have blocked the domain or file, but 100% will not know because there wasn't one in place.

      But that word document came through their email which nothing would stop because that should be coming down an encrypted pipe between the email server and the desktop client.

      No, it didn't come from their email, it was a link to a cloud file share on some random domain.

      posted in IT Discussion
      NashBrydges
    • RE: Ubiquity Security appliance

      @ccwtech said in Ubiquity Security appliance:

      @nashbrydges said in Ubiquity Security appliance:

      As for cost, a client with 23 staff was running an EdgeRouter and at the time, I didn't know about Strongarm and Quad9 didn't exist. One of their staff opened a Word document without thinking and enabled macros. The resulting crypto malware spread to their file server. The cost of my time to fix this was twice what would have been a properly sized UTM with 3 yrs licensing. Again, not saying a UTM would have blocked the domain or file, but 100% will not know because there wasn't one in place.

      This is my fear as well. If something that (for a few hundred dollars extra) would prevent this event, it would be well worth it.

      I always present new clients with options. I'll make a recommendation about which might be best for their business and processes. I'll lay out the pros and cons of each and together we come to a decision.

      Let me tell you that the client that had to recover from their crypto infection asked me to set them up with a UTM. Even after walking them through the fact that this won't guarantee that they won't have this happen again, they still opted for the UTM. Combined with changes to how they manage inbound documents and Sophos' Sandstorm feature, the business owner tells me she sleeps better at night.

      posted in IT Discussion
      NashBrydges
    • RE: Ubiquity Security appliance

      @brandon220 said in Ubiquity Security appliance:

      For normal firewalls I have the ER-Lite models deployed everywhere including my home. For places that needed the UTM functions I went with Sophos. I definitely have more ERs deployed. I have one client that is a large construction company. They tried everything including Cisco ASA (many different models) Sonicwall, Meraki, and some I don't remember. They constantly were having issues especially with VPN. I don't ever recommend those anymore after seeing the negative effects first-hand.

      Out of 38 clients where I installed a router or UTM, only 5 have UTMs and all are Sophos.

      posted in IT Discussion
      NashBrydges
    • RE: Ubiquity Security appliance

      @scottalanmiller said in Ubiquity Security appliance:

      So it’s only beneficial if the pros outweigh the cons.

      Totally agree here!

      posted in IT Discussion
      NashBrydges
    • RE: Ubiquity Security appliance

      @dashrender said in Ubiquity Security appliance:

      @nashbrydges said in Ubiquity Security appliance:

      @coliver said in Ubiquity Security appliance:

      @nashbrydges said in Ubiquity Security appliance:

      @scottalanmiller has made it clear throughout Mangolassi that he's not generally a fan of UTMs but I have seen first-hand the benefits UTMs can bring to a small business (emphasis on "small"). I agree with all of his points but since I've been able to setup and manage UTMs that have actually prevented malware infections, even while using some of those DNS services, that tends to win me over pretty quickly.

      I'll also agree with @scottalanmiller that it's a cost vs benefit analysis that you'll need to do.

      For what it's worth, I tend to look at the type of activities and services running at a client's business and decide whether a UTM makes sense for them or not and go from there. And for performance vs cost, I've favored Sophos UTMs. For straight-up firewall, it's UBNT all the way, every time.

      How do you know the local AV/Anti-malware wouldn't have resolved that issue? That's where I sit, UTMs are interesting and can be handy but are they that much better then just having a properly secured endpoint?

      Local AV is great for scanning files and processes but does nothing to block access to a website. That is the effect I'm referring to. Blocking access to malicious sites. Preventing the downloading of an infected document/file is also a win. There's definite value in stopping the file from reaching the user if it is identified as malicious. Sure it might have been identified by the desktop AV, but if it hadn't, that additional buffer is beneficial.

      You mention that the webfiltering alone didn't stop the infection you saw stopped by the UTM in your example - so what portion of the UTM stopped the infection? AV scanning?

      We all know that AV scanning isn't perfect - no one company is 100% effective there, so this time your UTM stopped it, and maybe next time it won't - we don't know if the local AV would have stopped it or not. For 100's of times the cost of a non UTM firewall, I really wonder if it's worth it?

      There are 3 specific cases, 2 of which were domains blocked as known or suspected malicious, and 1, in my personal home, where I have a click-happy wife and son and the AV blocked a file download.

      No one company is 100%, completely agree, but that argument does go both ways in support for and against the use of UTMs.

      As for cost, a client with 23 staff was running an EdgeRouter and at the time, I didn't know about Strongarm and Quad9 didn't exist. One of their staff opened a Word document without thinking and enabled macros. The resulting crypto malware spread to their file server. The cost of my time to fix this was twice what would have been a properly sized UTM with 3 yrs licensing. Again, not saying a UTM would have blocked the domain or file, but 100% will not know because there wasn't one in place.

      posted in IT Discussion
      NashBrydges
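      The infection above started with a macro-enabled Word document fetched from a file share. As an added example that is not code from the thread or from Sophos, here is the container-level check a gateway (or a download scanner) can apply before such a file reaches the user. Modern Office files are ZIP containers; a macro-enabled one carries a vbaProject.bin part, so the check inspects the container rather than trusting the extension. Legacy binary formats (.doc, .xls) are OLE2 compound files that need a real parser to find VBA, so they are only flagged for deeper inspection. The policy, sample file names and the sample documents are constructed for the demo; none of them is real malware.

```python
"""Added example (not from the thread or from any vendor): flag Office
documents that carry VBA macros by looking inside the container.
All sample documents below are constructed in memory."""
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # legacy .doc/.xls/.ppt header
DOCX_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
DOCM_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"


def classify(data: bytes) -> str:
    """Classify raw file bytes by container, not by file extension.

    Returns one of:
      'ooxml-macro'  - OOXML container with a VBA project part
      'ooxml-clean'  - OOXML container without VBA
      'ole2-legacy'  - legacy binary Office file; needs a full OLE parser
      'other'        - not an Office document
    """
    if data.startswith(OLE2_MAGIC):
        return "ole2-legacy"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return "other"
            # vbaProject.bin lives under word/, xl/ or ppt/; match on the basename.
            has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
            return "ooxml-macro" if has_vba else "ooxml-clean"
    except zipfile.BadZipFile:
        return "other"


def gateway_decision(filename: str, data: bytes, allow_macros: bool = False) -> tuple:
    """Decide whether a downloaded file may pass to the user.

    Returns (verdict, reason) with verdict 'allow', 'block' or 'quarantine'.
    Policy (assumed for the demo): macro documents are blocked unless the
    site policy allows them; legacy binary formats are held for a full scan.
    """
    kind = classify(data)
    if kind == "ooxml-macro":
        if allow_macros:
            return ("allow", f"{filename}: macro document permitted by policy")
        return ("block", f"{filename}: VBA project present")
    if kind == "ole2-legacy":
        return ("quarantine", f"{filename}: legacy OLE2 format, needs full scan")
    return ("allow", f"{filename}: no macro container found")


def build_ooxml(main_content_type: str, with_vba: bool) -> bytes:
    """Construct a minimal OOXML container for the demo (not a real document)."""
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_content_type}"/>'
    if with_vba:
        overrides += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    + overrides + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder, not real VBA\x00")
    return buf.getvalue()


# Constructed samples: a clean .docx, a macro document, the same macro
# document handed over with a harmless-looking extension, a legacy .doc
# header, and a plain text file.
SAMPLES = {
    "invoice.docx": build_ooxml(DOCX_MAIN, with_vba=False),
    "invoice.docm": build_ooxml(DOCM_MAIN, with_vba=True),
    "invoice_renamed.docx": build_ooxml(DOCM_MAIN, with_vba=True),
    "invoice.doc": OLE2_MAGIC + b"\x00" * 504,
    "notes.txt": b"just text\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", gateway_decision(name, blob))
```

      The check only says whether a VBA project is present, not whether it is malicious; that is what a sandbox such as the Sandstorm feature mentioned in the thread adds. It also only sees files it is handed, so for HTTPS downloads it depends on the TLS inspection discussed elsewhere in the thread being in place.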
    • RE: Ubiquity Security appliance

      @coliver said in Ubiquity Security appliance:

      @nashbrydges said in Ubiquity Security appliance:

      @coliver said in Ubiquity Security appliance:

      @nashbrydges said in Ubiquity Security appliance:

      @scottalanmiller has made it clear throughout Mangolassi that he's not generally a fan of UTMs but I have seen first-hand the benefits UTMs can bring to a small business (emphasis on "small"). I agree with all of his points but since I've been able to setup and manage UTMs that have actually prevented malware infections, even while using some of those DNS services, that tends to win me over pretty quickly.

      I'll also agree with @scottalanmiller that it's a cost vs benefit analysis that you'll need to do.

      For what it's worth, I tend to look at the type of activities and services running at a client's business and decide whether a UTM makes sense for them or not and go from there. And for performance vs cost, I've favored Sophos UTMs. For straight-up firewall, it's UBNT all the way, every time.

      How do you know the local AV/Anti-malware wouldn't have resolved that issue? That's where I sit, UTMs are interesting and can be handy but are they that much better then just having a properly secured endpoint?

      Local AV is great for scanning files and processes but does nothing to block access to a website. That is the effect I'm referring to. Blocking access to malicious sites. Preventing the downloading of an infected document/file is also a win. There's definite value in stopping the file from reaching the user if it is identified as malicious. Sure it might have been identified by the desktop AV, but if it hadn't, that additional buffer is beneficial.

      Which could easily be done with things like Strongarm.io or PiHole. Some value in it sure, but does that value outweigh the massive cost of the appliance and support?

      There are 2 problems with this statement:

      1. There's an assumption that Strongarm (which is no longer and was only known to me for a few months) would have known about this site and blocked it. They do block malicious domains but not files. Also, Pi-hole is advertised as an ad blocker. They do not purport to be a malicious domain blocker although if the domain exists in the list of blocked domains, it would also block it. Other services like OpenDNS Umbrella and Quad9 perform similar malicious site blocks but only for known sites on their own lists or shared lists that they use. Again, none of those are 100%, and neither would a UTM, however when the UTM manufacturer gathers malicious domain lists from a variety of sources, they can block domains not known to others.

      2. The other is "massive cost". When compared to what an EdgeRouter might cost, yeah, quite the difference. But considering what my services cost for supporting clients, the cost of recovering from some malware or crypto infection could outweigh the cost of the device and services.

      Something else I'll say is that I'm not an evangelist for UTMs, but I definitely think there are cases where they're a great fit!

      It also isn't just for the filtering and AV services they provide, but many will also offer built-in VPN capabilities or HTML5 based remote desktop access, all of which are at times desirable functions (clients with no on-site servers can still have remote desktop or VPN access). Before someone pipes up and says that EdgeRouters have built-in VPN, that's completely true, but in every case, you evaluate the overall need for the business to determine what device is needed.

      posted in IT Discussion
      NashBrydges
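      Point 1 above turns on how a domain blocker is fed: a single feed only knows what it knows, while merging several feeds catches domains that any one of them lists. As an added example that is not code from the thread, Pi-hole, Quad9 or any UTM vendor, here is a small resolver-side block index that merges hosts-file and bare-domain feeds, matches parent domains, and lets a more specific allowlist entry override an overbroad feed entry. The feed contents, domain names and allowlist are constructed for the demo and are not real threat intelligence.

```python
"""Added example (not from the thread or from any vendor): merge several
malicious-domain feeds into one resolver-side block index.
Feeds, domains and the allowlist below are constructed for the demo."""
from typing import Dict, List, Optional, Tuple


def normalize(domain: str) -> str:
    """Canonical form: lowercase, no surrounding whitespace, no trailing dot."""
    return domain.strip().rstrip(".").lower()


def parse_feed(text: str) -> set:
    """Read a feed in hosts-file form ('0.0.0.0 bad.example') or as bare
    domains, one per line; '#' starts a comment."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # hosts-file lines carry a sinkhole address first; the domain is last
        domains.add(normalize(fields[-1]))
    return domains


class BlockIndex:
    def __init__(self, feeds: Dict[str, str], allowlist=()):
        self.index: Dict[str, List[str]] = {}
        self.allow = {normalize(d) for d in allowlist}
        for feed_name, text in feeds.items():
            for domain in parse_feed(text):
                self.index.setdefault(domain, []).append(feed_name)

    def decide(self, qname: str) -> Tuple[str, Optional[dict]]:
        """Walk from the queried name up through its parents (stopping before
        the bare TLD). The most specific allowlist or blocklist hit wins, so a
        listing of 'cdn.bad.example' also blocks 'files.cdn.bad.example', while
        an allowlisted shared host is not blocked by an overbroad feed entry.
        Names listed by no feed resolve normally."""
        labels = normalize(qname).split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in self.allow:
                return "ALLOW", None
            if candidate in self.index:
                return "BLOCK", {"query": qname, "matched": candidate,
                                 "sources": sorted(self.index[candidate])}
        return "ALLOW", None


FEEDS = {
    "community-hosts": """
# hosts-file style list (constructed)
0.0.0.0 ads.tracker.example
0.0.0.0 Click-Bait.Example.
""",
    "vendor-feed": """
# bare-domain list (constructed); sharedhost.example is an overbroad entry
cdn.bad.example
ads.tracker.example
sharedhost.example
""",
}
INDEX = BlockIndex(FEEDS, allowlist=["sharedhost.example"])

if __name__ == "__main__":
    for q in ("Files.CDN.bad.example.", "ads.tracker.example",
              "payload.sharedhost.example", "good.example"):
        print(q, "->", INDEX.decide(q))
```

      Note what this does and does not do: it blocks the name lookup, so a file hosted on a domain that appears in no feed resolves and downloads normally, which is the gap the thread keeps coming back to, and the `sources` field shows which feed a block came from, so an overzealous feed can be tuned rather than dropped.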
    • RE: Ubiquity Security appliance

      @coliver said in Ubiquity Security appliance:

      @nashbrydges said in Ubiquity Security appliance:

      @scottalanmiller has made it clear throughout Mangolassi that he's not generally a fan of UTMs but I have seen first-hand the benefits UTMs can bring to a small business (emphasis on "small"). I agree with all of his points but since I've been able to setup and manage UTMs that have actually prevented malware infections, even while using some of those DNS services, that tends to win me over pretty quickly.

      I'll also agree with @scottalanmiller that it's a cost vs benefit analysis that you'll need to do.

      For what it's worth, I tend to look at the type of activities and services running at a client's business and decide whether a UTM makes sense for them or not and go from there. And for performance vs cost, I've favored Sophos UTMs. For straight-up firewall, it's UBNT all the way, every time.

      How do you know the local AV/Anti-malware wouldn't have resolved that issue? That's where I sit, UTMs are interesting and can be handy but are they that much better then just having a properly secured endpoint?

      Local AV is great for scanning files and processes but does nothing to block access to a website. That is the effect I'm referring to. Blocking access to malicious sites. Preventing the downloading of an infected document/file is also a win. There's definite value in stopping the file from reaching the user if it is identified as malicious. Sure it might have been identified by the desktop AV, but if it hadn't, that additional buffer is beneficial.

      posted in IT Discussion
      NashBrydges
    • RE: Ubiquity Security appliance

      @scottalanmiller has made it clear throughout Mangolassi that he's not generally a fan of UTMs but I have seen first-hand the benefits UTMs can bring to a small business (emphasis on "small"). I agree with all of his points but since I've been able to setup and manage UTMs that have actually prevented malware infections, even while using some of those DNS services, that tends to win me over pretty quickly.

      I'll also agree with @scottalanmiller that it's a cost vs benefit analysis that you'll need to do.

      For what it's worth, I tend to look at the type of activities and services running at a client's business and decide whether a UTM makes sense for them or not and go from there. And for performance vs cost, I've favored Sophos UTMs. For straight-up firewall, it's UBNT all the way, every time.

      posted in IT Discussion
      NashBrydges
    • RE: Nginx Active-Passive HA

      @jaredbusch said in Nginx Active-Passive HA:

      @NashBrydges side question. If you setup the .well-known to work correctly, why do you then need the HA? because nginx will never be down except for the momentary reload after the certs are updated.

      That certainly addresses the biggest concern about a long downtime during the renewal process for a high number of certs and probably addresses most concerns with this client. He's already running Veeam replication to a second box so his RTO and RPO are relatively short and within his business tolerance.

      Having said that, it's a great learning opportunity for me to set this up in my lab, if for no other reason than to try it and see how it works.

      posted in IT Discussion
      NashBrydges
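      What "setting up the .well-known to work correctly" amounts to on the nginx side, as an added example that is not from the thread (the domain, the webroot path and the certbot invocation are assumptions): answer HTTP-01 challenge tokens from a fixed webroot on port 80 and keep that path out of the HTTP-to-HTTPS redirect. The same exemption is the usual answer to the Cloudflare question in the Cloudflare SSL thread above. Let's Encrypt's validator follows redirects, so a challenge that is bounced to HTTPS is answered over the Cloudflare-to-origin leg and depends on that leg working; answering it in plain HTTP removes that dependency. DNS-01 through the Cloudflare API remains the option when port 80 is not reachable at all.

```nginx
# Added example (not from the thread). Assumed: domain example.com, webroot
# /var/www/acme, and certbot run as
#   certbot certonly --webroot -w /var/www/acme -d example.com -d www.example.com \
#       --deploy-hook "nginx -s reload"
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # ACME HTTP-01: certbot writes the token under this webroot. Answer it in
    # plain HTTP and never redirect it; ^~ wins over any regex location.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else moves to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # site configuration goes here
}
```

      Run `nginx -t` before the first reload, then `certbot renew --dry-run` to exercise the challenge path end to end. Renewal itself only triggers the deploy hook's reload, which is the momentary reload referred to above; nginx finishes in-flight requests on the old workers while the new ones start, so it is not a visible outage.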
    • RE: Nginx Active-Passive HA

      Assuming this is going to work as planned, back to the original question: setting up Nginx HA and certs management. Which approach is best/recommended?

      1. Let each Nginx server manage its own certs and renewals?
      2. Only have one manage certs and renewals and copy certs to second node?
      3. Use Let's Encrypt's --duplicate option?
      4. None of the above?
      posted in IT Discussion
      NashBrydges
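      For option 2 in the list above (one node renews, the certs are copied to the second node), here is the shape of a certbot deploy hook as an added example that is not code from the thread or from certbot. It stages the renewed lineage with the private key at 0600, validates both files before touching anything so a broken renewal never overwrites a good pair, replaces each file atomically so nginx never reads a half-written pair, and only then pushes to the passive node. RENEWED_LINEAGE and RENEWED_DOMAINS are the variables certbot exports to deploy hooks; the staging directory, the PASSIVE_NODE variable, the rsync/ssh push and the demo lineage are assumptions.

```python
"""Added example (not from the thread or from certbot): a --deploy-hook that
stages a renewed Let's Encrypt lineage for the passive node.
The demo lineage at the bottom is constructed; the PEM bodies are not real keys."""
import os
import shutil
import stat
import subprocess
import sys
import tempfile

CERT_FILES = {"fullchain.pem": 0o644, "privkey.pem": 0o600}
STAGING_ROOT = "/var/lib/cert-sync"          # assumed staging directory


def sync_lineage(lineage_dir: str, dest_root: str) -> list:
    """Copy a lineage's live files into dest_root/<lineage>/ and return the
    paths written. Raises ValueError before writing anything if a file does
    not look like the PEM object it should be."""
    contents = {}
    for fname in CERT_FILES:
        # certbot's live/ entries are symlinks into archive/; open() follows them
        with open(os.path.join(lineage_dir, fname), "rb") as fh:
            data = fh.read()
        marker = b"PRIVATE KEY" if fname == "privkey.pem" else b"BEGIN CERTIFICATE"
        if marker not in data:
            raise ValueError(f"{fname} in {lineage_dir} lacks {marker.decode()}")
        contents[fname] = data

    name = os.path.basename(os.path.normpath(lineage_dir))
    dest = os.path.join(dest_root, name)
    os.makedirs(dest, mode=0o700, exist_ok=True)
    written = []
    for fname, data in contents.items():
        fd, tmp = tempfile.mkstemp(prefix=f".{fname}.", dir=dest)
        with os.fdopen(fd, "wb") as out:      # write beside the target, then swap
            out.write(data)
            out.flush()
            os.fsync(out.fileno())
        os.chmod(tmp, CERT_FILES[fname])
        final = os.path.join(dest, fname)
        os.replace(tmp, final)                # atomic rename on POSIX
        written.append(final)
    return written


def push_to_passive(dest_root: str, host: str) -> None:
    """Assumed push step: rsync the staging tree to the passive node and reload
    nginx there. Not exercised offline."""
    subprocess.run(["rsync", "-a", "--chmod=D700,F600", dest_root + "/",
                    f"{host}:/etc/nginx/certs/"], check=True)
    subprocess.run(["ssh", host, "nginx", "-s", "reload"], check=True)


def demo() -> dict:
    """Exercise the hook on a constructed lineage in a temp dir (offline)."""
    root = tempfile.mkdtemp()
    lineage = os.path.join(root, "live", "example.com")
    os.makedirs(lineage)
    bodies = {
        "fullchain.pem": b"-----BEGIN CERTIFICATE-----\ndemo-chain-bytes\n-----END CERTIFICATE-----\n",
        "privkey.pem": b"-----BEGIN PRIVATE KEY-----\ndemo-key-bytes\n-----END PRIVATE KEY-----\n",
    }
    for fname, body in bodies.items():
        with open(os.path.join(lineage, fname), "wb") as fh:
            fh.write(body)
    staging = os.path.join(root, "staging")
    paths = sync_lineage(lineage, staging)
    modes = {os.path.basename(p): stat.S_IMODE(os.stat(p).st_mode) for p in paths}
    match = all(open(p, "rb").read() == bodies[os.path.basename(p)] for p in paths)
    # A broken renewal (empty key file) must be refused before anything is written.
    with open(os.path.join(lineage, "privkey.pem"), "wb") as fh:
        fh.write(b"")
    try:
        sync_lineage(lineage, staging)
        refused = False
    except ValueError:
        refused = True
    still_good = open(os.path.join(staging, "example.com", "privkey.pem"), "rb").read() == bodies["privkey.pem"]
    shutil.rmtree(root)
    return {"modes": modes, "contents_match": match,
            "refused_broken_key": refused, "staged_key_intact": still_good}


if __name__ == "__main__":
    lineage = os.environ.get("RENEWED_LINEAGE")
    if not lineage:                           # run by hand: show the offline demo
        print(demo())
        sys.exit(0)
    written = sync_lineage(lineage, STAGING_ROOT)
    print(f"synced {os.environ.get('RENEWED_DOMAINS', '?')}: {written}")
    if os.environ.get("PASSIVE_NODE"):
        push_to_passive(STAGING_ROOT, os.environ["PASSIVE_NODE"])
```

      Wire it in with `certbot renew --deploy-hook /usr/local/sbin/cert-sync.py` (path assumed) and give the renewing node an ssh key restricted to that rsync target. Options 1 and 3 in the list trade this copy step for two separate issuances, which doubles the calls against Let's Encrypt's rate limits and means the two nodes serve different certificates; option 2 keeps one lineage and makes the passive node a plain copy.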
    • RE: Nginx Active-Passive HA

      @dafyre Awesome! Thanks for clarifying that. I don't have any expiring certs for the next 40 days so I'll keep a look out to see how this works.

      posted in IT Discussion
      NashBrydges