How to Layer Your Security Needs
-
@jmoore said in How to Layer Your Security Needs:
@dashrender said in How to Layer Your Security Needs:
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@dashrender said in How to Layer Your Security Needs:
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@scottalanmiller said in How to Layer Your Security Needs:
AV....
There are several decent AV vendors, and tons of terrible ones. In most cases, I would just stick with Windows Defender. If you are going to get into the Windows ecosystem and don't trust Windows security, you need to rethink what you are doing.
Understandably getting a central console for AV can be important, so products like Webroot can be great. They are one of the few AV companies that haven't done something to make me really question their integrity or quality.
that makes a lot of sense. I read in lots of places when people ask for AV recommendations it is always somethign different and Defender is barely mentioned. Why is that then?
Because no one makes money pushing Defender.
Plus people are MS haters.
You are right on that. I mean I don't like a lot of things either but if your business is built around Microsoft products then it really does make sense to use Defender for most people
Yes, embrace or move on. This weird half assed approach is the worst. It's like they tend to start off as fan bois, then suddenly become haters of their own platform choices.
I think that people are stuck in the past - Security Essentials was pretty bad.. but MS was just getting it's feet wet. By now it's on par in my opinion. Others think - you get what you pay for - i.e. Defender is free, therefore it must be shit.. so they must pay to get something worthwhile.
and others want/demand the central console, which you can't get without Intune, so you'd be spending either way.
doesn't group policy do everything you need as far as updating and such? do most people really need a central console?
It would, yes. Just doesn't provide central monitoring.
-
@jmoore said in How to Layer Your Security Needs:
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
My preferred config?
Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.
I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?
IDS/IPS go on the network, not on an OS.
i must be confused or remembering wrong then, how does IDS/IPS work then?
IDS watches the network traffic, across the entire network.
-
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
My preferred config?
Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.
I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?
I'm going to be installing Wazah here this week. While it'll be the first time I've used that specific software setup, it has OSSEC as it's base which I have used quite often. I'm looking forward to seeing how Wazah compares to some of the paid solutions out there.
Also, like @scottalanmiller already said, IDS/IPS exists at the network level, not the OS.
-
@travisdh1 said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
My preferred config?
Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.
I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?
I'm going to be installing Wazah here this week. While it'll be the first time I've used that specific software setup, it has OSSEC as it's base which I have used quite often. I'm looking forward to seeing how Wazah compares to some of the paid solutions out there.
Also, like @scottalanmiller already said, IDS/IPS exists at the network level, not the OS.
Ok that is what I am confused about. Where does IDS sit at physically on the network? firewall?
-
We are expecting a full Wazzah how to now.
-
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
My preferred config?
Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.
I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?
I'm going to be installing Wazah here this week. While it'll be the first time I've used that specific software setup, it has OSSEC as it's base which I have used quite often. I'm looking forward to seeing how Wazah compares to some of the paid solutions out there.
Also, like @scottalanmiller already said, IDS/IPS exists at the network level, not the OS.
Ok that is what I am confused about. Where does IDS sit at physically on the network? firewall?
Nothing should ever sit on the firewall, nothing. Proper "anything network" should be a VM that may or may not get all network traffic, depending on the task.
-
@reid-cooper said in How to Layer Your Security Needs:
We are expecting a full Wazzah how to now.
This is going on a tiny little network, so the how to is "Download the OVA and install that to your hypervisor". Done.
-
@travisdh1 said in How to Layer Your Security Needs:
@reid-cooper said in How to Layer Your Security Needs:
We are expecting a full Wazzah how to now.
This is going on a tiny little network, so the how to is "Download the OVA and install that to your hypervisor". Done.
Ah, that's pretty simple then.
-
@reid-cooper said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
@reid-cooper said in How to Layer Your Security Needs:
We are expecting a full Wazzah how to now.
This is going on a tiny little network, so the how to is "Download the OVA and install that to your hypervisor". Done.
Ah, that's pretty simple then.
Yeah, if you have a mid-size network or larger, having to install all the different components is a much bigger chore. I doubt I'll be running into that unless I get hired by some big corporation.
-
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
My preferred config?
Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.
I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?
I'm going to be installing Wazah here this week. While it'll be the first time I've used that specific software setup, it has OSSEC as it's base which I have used quite often. I'm looking forward to seeing how Wazah compares to some of the paid solutions out there.
Also, like @scottalanmiller already said, IDS/IPS exists at the network level, not the OS.
Ok that is what I am confused about. Where does IDS sit at physically on the network? firewall?
Nothing should ever sit on the firewall, nothing. Proper "anything network" should be a VM that may or may not get all network traffic, depending on the task.
Oh I see now, thanks
-
@jmoore said in How to Layer Your Security Needs:
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
My preferred config?
Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.
I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?
I'm going to be installing Wazah here this week. While it'll be the first time I've used that specific software setup, it has OSSEC as it's base which I have used quite often. I'm looking forward to seeing how Wazah compares to some of the paid solutions out there.
Also, like @scottalanmiller already said, IDS/IPS exists at the network level, not the OS.
Ok that is what I am confused about. Where does IDS sit at physically on the network? firewall?
Nothing should ever sit on the firewall, nothing. Proper "anything network" should be a VM that may or may not get all network traffic, depending on the task.
Oh I see now, thanks
They should be "just another application" and treated like a normal enterprise app. UTM treats those apps as special and outside of standard IT good practices, which makes UTMs kind of bad fundamentally.
-
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
My preferred config?
Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.
I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?
I'm going to be installing Wazah here this week. While it'll be the first time I've used that specific software setup, it has OSSEC as it's base which I have used quite often. I'm looking forward to seeing how Wazah compares to some of the paid solutions out there.
Also, like @scottalanmiller already said, IDS/IPS exists at the network level, not the OS.
Ok that is what I am confused about. Where does IDS sit at physically on the network? firewall?
Nothing should ever sit on the firewall, nothing. Proper "anything network" should be a VM that may or may not get all network traffic, depending on the task.
For IDS, I agree. For IPS, i had better luck and performance with hardware in-line ie:
<internet>-->Firewall-->IPS-->Local Network
This was on a 50/50 fiber.
-
@dafyre said in How to Layer Your Security Needs:
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
My preferred config?
Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.
I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?
I'm going to be installing Wazah here this week. While it'll be the first time I've used that specific software setup, it has OSSEC as it's base which I have used quite often. I'm looking forward to seeing how Wazah compares to some of the paid solutions out there.
Also, like @scottalanmiller already said, IDS/IPS exists at the network level, not the OS.
Ok that is what I am confused about. Where does IDS sit at physically on the network? firewall?
Nothing should ever sit on the firewall, nothing. Proper "anything network" should be a VM that may or may not get all network traffic, depending on the task.
For IDS, I agree. For IPS, i had better luck and performance with hardware in-line ie:
<internet>-->Firewall-->IPS-->Local Network
This was on a 50/50 fiber.
In line is acceptable, just not "running on the same processor."
-
@dafyre said in How to Layer Your Security Needs:
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
My preferred config?
Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.
I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?
I'm going to be installing Wazah here this week. While it'll be the first time I've used that specific software setup, it has OSSEC as it's base which I have used quite often. I'm looking forward to seeing how Wazah compares to some of the paid solutions out there.
Also, like @scottalanmiller already said, IDS/IPS exists at the network level, not the OS.
Ok that is what I am confused about. Where does IDS sit at physically on the network? firewall?
Nothing should ever sit on the firewall, nothing. Proper "anything network" should be a VM that may or may not get all network traffic, depending on the task.
For IDS, I agree. For IPS, i had better luck and performance with hardware in-line ie:
<internet>-->Firewall-->IPS-->Local Network
This was on a 50/50 fiber.
Who makes a good IPS hardware?
-
@jmoore said in How to Layer Your Security Needs:
@dafyre said in How to Layer Your Security Needs:
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
My preferred config?
Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.
I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?
I'm going to be installing Wazah here this week. While it'll be the first time I've used that specific software setup, it has OSSEC as it's base which I have used quite often. I'm looking forward to seeing how Wazah compares to some of the paid solutions out there.
Also, like @scottalanmiller already said, IDS/IPS exists at the network level, not the OS.
Ok that is what I am confused about. Where does IDS sit at physically on the network? firewall?
Nothing should ever sit on the firewall, nothing. Proper "anything network" should be a VM that may or may not get all network traffic, depending on the task.
For IDS, I agree. For IPS, i had better luck and performance with hardware in-line ie:
<internet>-->Firewall-->IPS-->Local Network
This was on a 50/50 fiber.
Who makes a good IPS hardware?
Palo Alto
-
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@dafyre said in How to Layer Your Security Needs:
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
My preferred config?
Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.
I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?
I'm going to be installing Wazah here this week. While it'll be the first time I've used that specific software setup, it has OSSEC as it's base which I have used quite often. I'm looking forward to seeing how Wazah compares to some of the paid solutions out there.
Also, like @scottalanmiller already said, IDS/IPS exists at the network level, not the OS.
Ok that is what I am confused about. Where does IDS sit at physically on the network? firewall?
Nothing should ever sit on the firewall, nothing. Proper "anything network" should be a VM that may or may not get all network traffic, depending on the task.
For IDS, I agree. For IPS, i had better luck and performance with hardware in-line ie:
<internet>-->Firewall-->IPS-->Local Network
This was on a 50/50 fiber.
Who makes a good IPS hardware?
Palo Alto
lol. Should have known.
-
@dafyre said in How to Layer Your Security Needs:
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@dafyre said in How to Layer Your Security Needs:
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
My preferred config?
Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.
I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?
I'm going to be installing Wazah here this week. While it'll be the first time I've used that specific software setup, it has OSSEC as it's base which I have used quite often. I'm looking forward to seeing how Wazah compares to some of the paid solutions out there.
Also, like @scottalanmiller already said, IDS/IPS exists at the network level, not the OS.
Ok that is what I am confused about. Where does IDS sit at physically on the network? firewall?
Nothing should ever sit on the firewall, nothing. Proper "anything network" should be a VM that may or may not get all network traffic, depending on the task.
For IDS, I agree. For IPS, i had better luck and performance with hardware in-line ie:
<internet>-->Firewall-->IPS-->Local Network
This was on a 50/50 fiber.
Who makes a good IPS hardware?
Palo Alto
lol. Should have known.
There are others, but with their own hardware, PA has a leg up. Although no need to get hardware from the IPS / IDS vendor.
-
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@dafyre said in How to Layer Your Security Needs:
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
My preferred config?
Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.
I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?
I'm going to be installing Wazah here this week. While it'll be the first time I've used that specific software setup, it has OSSEC as it's base which I have used quite often. I'm looking forward to seeing how Wazah compares to some of the paid solutions out there.
Also, like @scottalanmiller already said, IDS/IPS exists at the network level, not the OS.
Ok that is what I am confused about. Where does IDS sit at physically on the network? firewall?
Nothing should ever sit on the firewall, nothing. Proper "anything network" should be a VM that may or may not get all network traffic, depending on the task.
For IDS, I agree. For IPS, i had better luck and performance with hardware in-line ie:
<internet>-->Firewall-->IPS-->Local Network
This was on a 50/50 fiber.
Who makes a good IPS hardware?
Palo Alto
ah I see. well that makes sense. I was just looking to see if Ubiquity or Fortinet made something like this.
-
@jmoore said in How to Layer Your Security Needs:
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@dafyre said in How to Layer Your Security Needs:
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
My preferred config?
Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.
I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?
I'm going to be installing Wazah here this week. While it'll be the first time I've used that specific software setup, it has OSSEC as it's base which I have used quite often. I'm looking forward to seeing how Wazah compares to some of the paid solutions out there.
Also, like @scottalanmiller already said, IDS/IPS exists at the network level, not the OS.
Ok that is what I am confused about. Where does IDS sit at physically on the network? firewall?
Nothing should ever sit on the firewall, nothing. Proper "anything network" should be a VM that may or may not get all network traffic, depending on the task.
For IDS, I agree. For IPS, i had better luck and performance with hardware in-line ie:
<internet>-->Firewall-->IPS-->Local Network
This was on a 50/50 fiber.
Who makes a good IPS hardware?
Palo Alto
ah I see. well that makes sense. I was just looking to see if Ubiquity or Fortinet made something like this.
Ubiquity doesn't make UTM devices of any sort, they are purely a networking company. Which is why I like them for networking.
Fortinet is like SonicWall, I'd never touch them. Horrible experiences with both of them.
-
Network firewall / AV + SSL Inspection --> Proxy Server (for off-internet PCs) --> PCs/Servers --> local firewall --> local AV
Forced OS updates, forced AV updates on PCs/Servers
Forced local firewall settings on PCs/Servers
Central reporting and management of OS updates
Central management and reporting of AV
You need to have network firewall and local/OS firewall... they block against different vectors
