How to Layer Your Security Needs

jmoore

@dafyre said in How to Layer Your Security Needs:

@scottalanmiller said in How to Layer Your Security Needs:

@jmoore said in How to Layer Your Security Needs:

@travisdh1 said in How to Layer Your Security Needs:

@jmoore said in How to Layer Your Security Needs:

@travisdh1 said in How to Layer Your Security Needs:

My preferred config?

Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.

Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.

I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?

I'm going to be installing Wazah here this week. While it'll be the first time I've used that specific software setup, it has OSSEC as it's base which I have used quite often. I'm looking forward to seeing how Wazah compares to some of the paid solutions out there.

Also, like @scottalanmiller already said, IDS/IPS exists at the network level, not the OS.

Ok that is what I am confused about. Where does IDS sit at physically on the network? firewall?

Nothing should ever sit on the firewall, nothing. Proper "anything network" should be a VM that may or may not get all network traffic, depending on the task.

For IDS, I agree. For IPS, i had better luck and performance with hardware in-line ie:

<internet>-->Firewall-->IPS-->Local Network

This was on a 50/50 fiber.

Who makes a good IPS hardware?

scottalanmiller

@jmoore said in How to Layer Your Security Needs:

@dafyre said in How to Layer Your Security Needs:

@scottalanmiller said in How to Layer Your Security Needs:

@jmoore said in How to Layer Your Security Needs:

@travisdh1 said in How to Layer Your Security Needs:

@jmoore said in How to Layer Your Security Needs:

@travisdh1 said in How to Layer Your Security Needs:

My preferred config?

Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.

Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.

I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?

I'm going to be installing Wazah here this week. While it'll be the first time I've used that specific software setup, it has OSSEC as it's base which I have used quite often. I'm looking forward to seeing how Wazah compares to some of the paid solutions out there.

Also, like @scottalanmiller already said, IDS/IPS exists at the network level, not the OS.

Ok that is what I am confused about. Where does IDS sit at physically on the network? firewall?

Nothing should ever sit on the firewall, nothing. Proper "anything network" should be a VM that may or may not get all network traffic, depending on the task.

For IDS, I agree. For IPS, i had better luck and performance with hardware in-line ie:

<internet>-->Firewall-->IPS-->Local Network

This was on a 50/50 fiber.

Who makes a good IPS hardware?

Palo Alto

dafyre

@scottalanmiller said in How to Layer Your Security Needs:

@jmoore said in How to Layer Your Security Needs:

@dafyre said in How to Layer Your Security Needs:

@scottalanmiller said in How to Layer Your Security Needs:

@jmoore said in How to Layer Your Security Needs:

@travisdh1 said in How to Layer Your Security Needs:

@jmoore said in How to Layer Your Security Needs:

@travisdh1 said in How to Layer Your Security Needs:

My preferred config?

Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.

Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.

I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?

I'm going to be installing Wazah here this week. While it'll be the first time I've used that specific software setup, it has OSSEC as it's base which I have used quite often. I'm looking forward to seeing how Wazah compares to some of the paid solutions out there.

Also, like @scottalanmiller already said, IDS/IPS exists at the network level, not the OS.

Ok that is what I am confused about. Where does IDS sit at physically on the network? firewall?

Nothing should ever sit on the firewall, nothing. Proper "anything network" should be a VM that may or may not get all network traffic, depending on the task.

For IDS, I agree. For IPS, i had better luck and performance with hardware in-line ie:

<internet>-->Firewall-->IPS-->Local Network

This was on a 50/50 fiber.

Who makes a good IPS hardware?

Palo Alto

lol. Should have known.

scottalanmiller

@dafyre said in How to Layer Your Security Needs:

@scottalanmiller said in How to Layer Your Security Needs:

@jmoore said in How to Layer Your Security Needs:

@dafyre said in How to Layer Your Security Needs:

@scottalanmiller said in How to Layer Your Security Needs:

@jmoore said in How to Layer Your Security Needs:

@travisdh1 said in How to Layer Your Security Needs:

@jmoore said in How to Layer Your Security Needs:

@travisdh1 said in How to Layer Your Security Needs:

My preferred config?

Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.

Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.

I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?

I'm going to be installing Wazah here this week. While it'll be the first time I've used that specific software setup, it has OSSEC as it's base which I have used quite often. I'm looking forward to seeing how Wazah compares to some of the paid solutions out there.

Also, like @scottalanmiller already said, IDS/IPS exists at the network level, not the OS.

Ok that is what I am confused about. Where does IDS sit at physically on the network? firewall?

Nothing should ever sit on the firewall, nothing. Proper "anything network" should be a VM that may or may not get all network traffic, depending on the task.

For IDS, I agree. For IPS, i had better luck and performance with hardware in-line ie:

<internet>-->Firewall-->IPS-->Local Network

This was on a 50/50 fiber.

Who makes a good IPS hardware?

Palo Alto

lol. Should have known.

There are others, but with their own hardware, PA has a leg up. Although no need to get hardware from the IPS / IDS vendor.

jmoore

@scottalanmiller said in How to Layer Your Security Needs:

@jmoore said in How to Layer Your Security Needs:

@dafyre said in How to Layer Your Security Needs:

@scottalanmiller said in How to Layer Your Security Needs:

@jmoore said in How to Layer Your Security Needs:

@travisdh1 said in How to Layer Your Security Needs:

@jmoore said in How to Layer Your Security Needs:

@travisdh1 said in How to Layer Your Security Needs:

My preferred config?

Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.

Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.

I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?

I'm going to be installing Wazah here this week. While it'll be the first time I've used that specific software setup, it has OSSEC as it's base which I have used quite often. I'm looking forward to seeing how Wazah compares to some of the paid solutions out there.

Also, like @scottalanmiller already said, IDS/IPS exists at the network level, not the OS.

Ok that is what I am confused about. Where does IDS sit at physically on the network? firewall?

Nothing should ever sit on the firewall, nothing. Proper "anything network" should be a VM that may or may not get all network traffic, depending on the task.

For IDS, I agree. For IPS, i had better luck and performance with hardware in-line ie:

<internet>-->Firewall-->IPS-->Local Network

This was on a 50/50 fiber.

Who makes a good IPS hardware?

Palo Alto

ah I see. well that makes sense. I was just looking to see if Ubiquity or Fortinet made something like this.

scottalanmiller

@jmoore said in How to Layer Your Security Needs:

@scottalanmiller said in How to Layer Your Security Needs:

@jmoore said in How to Layer Your Security Needs:

@dafyre said in How to Layer Your Security Needs:

@scottalanmiller said in How to Layer Your Security Needs:

@jmoore said in How to Layer Your Security Needs:

@travisdh1 said in How to Layer Your Security Needs:

@jmoore said in How to Layer Your Security Needs:

@travisdh1 said in How to Layer Your Security Needs:

My preferred config?

Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.

Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.

I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?

I'm going to be installing Wazah here this week. While it'll be the first time I've used that specific software setup, it has OSSEC as it's base which I have used quite often. I'm looking forward to seeing how Wazah compares to some of the paid solutions out there.

Also, like @scottalanmiller already said, IDS/IPS exists at the network level, not the OS.

Ok that is what I am confused about. Where does IDS sit at physically on the network? firewall?

Nothing should ever sit on the firewall, nothing. Proper "anything network" should be a VM that may or may not get all network traffic, depending on the task.

For IDS, I agree. For IPS, i had better luck and performance with hardware in-line ie:

<internet>-->Firewall-->IPS-->Local Network

This was on a 50/50 fiber.

Who makes a good IPS hardware?

Palo Alto

ah I see. well that makes sense. I was just looking to see if Ubiquity or Fortinet made something like this.

Ubiquity doesn't make UTM devices of any sort, they are purely a networking company. Which is why I like them for networking.

Fortinet is like SonicWall, I'd never touch them. Horrible experiences with both of them.

Obsolesce

Network firewall / AV + SSL Inspection --> Proxy Server (for off-internet PCs) --> PCs/Servers --> local firewall --> local AV

Forced OS updates, forced AV updates on PCs/Servers

Forced local firewall settings on PCs/Servers

Central reporting and management of OS updates

Central management and reporting of AV

You need to have network firewall and local/OS firewall... they block against different vectors

scottalanmiller

@tim_g said in How to Layer Your Security Needs:

Central reporting and management of OS updates

Central monitoring is fine. Only needs interaction should something break.

scottalanmiller

@tim_g said in How to Layer Your Security Needs:

You need to have network firewall and local/OS firewall... they block against different vectors

Absolutely. These are the two key paths, one is for direct assaults, from the WAN. One for attacks from the LAN.

travisdh1

@tim_g said in How to Layer Your Security Needs:

You need to have network firewall and local/OS firewall... they block against different vectors

Uhm, how? They're doing the same job. It's the IDS/IPS that provide extra protection at the network level. If you're using different anti-virus at the network level than the local level then you could possibly get slightly different detection results, but only very slightly. They're both protecting from the same thing, so really not different vectors, just different locations on a network.

Edit: Now I see @scottalanmiller's post, but I still say it's the same protection in two different spots on the network. Both being good things to have.

scottalanmiller

@travisdh1 said in How to Layer Your Security Needs:

@tim_g said in How to Layer Your Security Needs:

You need to have network firewall and local/OS firewall... they block against different vectors

Uhm, how? They're doing the same job. It's the IDS/IPS that provide extra protection at the network level. If you're using different anti-virus at the network level than the local level then you could possibly get slightly different detection results, but only very slightly. They're both protecting from the same thing, so really not different vectors, just different locations on a network.

Edit: Now I see @scottalanmiller's post, but I still say it's the same protection in two different spots on the network. Both being good things to have.

They are different FW sets, too. They see slightly different things. And you want two to protect against "fail open" possibilities.

Reid Cooper

Patching is the really big ticket item. Keeping things patched is huge and so often overlooked.

Reid Cooper

And training your users, I didn't see that mentioned. That might be the biggest thing.

jmoore

@reid-cooper said in How to Layer Your Security Needs:

And training your users, I didn't see that mentioned. That might be the biggest thing.

Good points and your probably right on the training

Reid Cooper

@jmoore said in How to Layer Your Security Needs:

@reid-cooper said in How to Layer Your Security Needs:

And training your users, I didn't see that mentioned. That might be the biggest thing.

Good points and your probably right on the training

And beatings, user beatings are often necessary as well.

Kelly

@scottalanmiller said in How to Layer Your Security Needs:

Firewalls to avoid....

My rule here is that there are just a few vendors that you actually want to consider, and on the SMB end of things, there is little reason to ever consider anything but Ubiquiti.

Once you get larger than Ubiquiti can handle, then you can look at Juniper, Cisco, and a few others. But you are talking $15K+ routers here or special HA functionality, which might be cheaper routers, but will be $10K+ in total.

I was able to get an HA pair of Junipers (new) for about $5k. I didn't go into it looking for HA, but when I found out I could get them for a third what I'd budgeted I decided to go for it.

scottalanmiller

@kelly said in How to Layer Your Security Needs:

@scottalanmiller said in How to Layer Your Security Needs:

Firewalls to avoid....

My rule here is that there are just a few vendors that you actually want to consider, and on the SMB end of things, there is little reason to ever consider anything but Ubiquiti.

Once you get larger than Ubiquiti can handle, then you can look at Juniper, Cisco, and a few others. But you are talking $15K+ routers here or special HA functionality, which might be cheaper routers, but will be $10K+ in total.

I was able to get an HA pair of Junipers (new) for about $5k. I didn't go into it looking for HA, but when I found out I could get them for a third what I'd budgeted I decided to go for it.

Wow, what models? Was it a sale or is that the normal price?

jmoore

@reid-cooper said in How to Layer Your Security Needs:

@jmoore said in How to Layer Your Security Needs:

@reid-cooper said in How to Layer Your Security Needs:

And training your users, I didn't see that mentioned. That might be the biggest thing.

Good points and your probably right on the training

And beatings, user beatings are often necessary as well.

lol I will remember that but then some of the ladies might not bring me home made tamales and chocolate chip cookies...

Kelly

@scottalanmiller said in How to Layer Your Security Needs:

@kelly said in How to Layer Your Security Needs:

@scottalanmiller said in How to Layer Your Security Needs:

Firewalls to avoid....

My rule here is that there are just a few vendors that you actually want to consider, and on the SMB end of things, there is little reason to ever consider anything but Ubiquiti.

Once you get larger than Ubiquiti can handle, then you can look at Juniper, Cisco, and a few others. But you are talking $15K+ routers here or special HA functionality, which might be cheaper routers, but will be $10K+ in total.

I was able to get an HA pair of Junipers (new) for about $5k. I didn't go into it looking for HA, but when I found out I could get them for a third what I'd budgeted I decided to go for it.

Wow, what models? Was it a sale or is that the normal price?

Normal reseller pricing. It was an SRX340. It is rated up to 3 Gbps.

https://www.juniper.net/assets/us/en/local/pdf/datasheets/1000550-en.pdf

scottalanmiller

@kelly said in How to Layer Your Security Needs:

@scottalanmiller said in How to Layer Your Security Needs:

@kelly said in How to Layer Your Security Needs:

@scottalanmiller said in How to Layer Your Security Needs:

Firewalls to avoid....

My rule here is that there are just a few vendors that you actually want to consider, and on the SMB end of things, there is little reason to ever consider anything but Ubiquiti.

Once you get larger than Ubiquiti can handle, then you can look at Juniper, Cisco, and a few others. But you are talking $15K+ routers here or special HA functionality, which might be cheaper routers, but will be $10K+ in total.

I was able to get an HA pair of Junipers (new) for about $5k. I didn't go into it looking for HA, but when I found out I could get them for a third what I'd budgeted I decided to go for it.

Wow, what models? Was it a sale or is that the normal price?

Normal reseller pricing. It was an SRX340. It is rated up to 3 Gbps.

https://www.juniper.net/assets/us/en/local/pdf/datasheets/1000550-en.pdf

Slick, very nice.