New customer - greenfield setup
-
I have a new client with a nearly greenfield setup (they'll replace anything they already have if needed/pushed by me).
today - they have no firewall, but they do have a unifi POE Switch 24 250W, 2 UAPs (not sure what version) and an onsite cloud key gen 1.
They want web filtering to keep porn/guns/violence, etc at bay.
I'm kinda stuck between - should they go with a NGFW or a EdgeRouter?
Should they go DNS filtering or NGFW with filtering subscription?For devices, they plan to have 3 desktops, 8 iPads and possibly 3 IP Phones.
Their main business software is an online app, and they are using M365 for email.
Suggestions?
-
A NGFW from Sohos will run around
1 year - $900
5 years - $1800It's definitely not cheap, but the idea of scanning all of the traffic inbound seems nice. Of course it's really only worthwhile where we can do SSL inspection (can this be down without installing certs on the clients to allow MiTM inspection?)
With the appliance - we could also have multilayers of email scanning - i.e. MX points to Sophos - Sophos then sends to M365.
-
We're a Sonicwall house. I would install a TZ270 Advanced with the DPI-SSL add-on.
SONICWALL TZ270 TOTALSECURE - ADVANCED EDITION 1YR SKU: 02-SSC-6843 = $694.00
SONICWALL DPI SSL UPGRADE LICENSE FOR SOHO SERIES SKU: 01-SSC-0723 = $212.80 -
@dashrender said in New customer - greenfield setup:
A NGFW from Sohos will run around
1 year - $900
5 years - $1800It's definitely not cheap, but the idea of scanning all of the traffic inbound seems nice. Of course it's really only worthwhile where we can do SSL inspection (can this be down without installing certs on the clients to allow MiTM inspection?)
With the appliance - we could also have multilayers of email scanning - i.e. MX points to Sophos - Sophos then sends to M365.
Don't do SPam filtering on the Sophos Hardware, a proper Spam Filtering in Office 365 or Through Mimecast or any other spam filtering.
-
@dashrender said in New customer - greenfield setup:
A NGFW from Sohos will run around
1 year - $900
5 years - $1800It's definitely not cheap, but the idea of scanning all of the traffic inbound seems nice. Of course it's really only worthwhile where we can do SSL inspection (can this be down without installing certs on the clients to allow MiTM inspection?)
With the appliance - we could also have multilayers of email scanning - i.e. MX points to Sophos - Sophos then sends to M365.
With Sophos you can do Web Proxy filtering.
Youtube Video -
@dashrender said in New customer - greenfield setup:
Should they go DNS filtering or NGFW with filtering subscription?
2 years ago, I would have said DNS filtering. But now browsers are starting to go around DNS with built in DNS over TLS and such.
But even 2 years ago I would have asked why they actually need filtering.
Can they not just discipline employees? Because this is jsut stupid talking.
@dashrender said in New customer - greenfield setup:
They want web filtering to keep porn/guns/violence, etc at bay.
-
For filtering I would just do DNS filtering redirect all DNS traffic to your preferred solution. Make sure you include DNS over TLS traffic as @JaredBusch points out.
-
@jaredbusch said in New customer - greenfield setup:
@dashrender said in New customer - greenfield setup:
Should they go DNS filtering or NGFW with filtering subscription?
2 years ago, I would have said DNS filtering. But now browsers are starting to go around DNS with built in DNS over TLS and such.
But even 2 years ago I would have asked why they actually need filtering.
Can they not just discipline employees? Because this is jsut stupid talking.
@dashrender said in New customer - greenfield setup:
They want web filtering to keep porn/guns/violence, etc at bay.
It's less about employees and what is accessed on their guest WiFi. They will have clients spending hours in the office, likely on the internet much of that time.
-
@jaredbusch said in New customer - greenfield setup:
@dashrender said in New customer - greenfield setup:
Should they go DNS filtering or NGFW with filtering subscription?
2 years ago, I would have said DNS filtering. But now browsers are starting to go around DNS with built in DNS over TLS and such.
I know several DNS providers were starting to provide DNS over TLS, and that several of the browser vendors were saying - as long as the provided DNS provider used DNS over TLS or HTTPS then the browser would respect the system's IP settings.
Have you found that to be not true? - then again, how would you know other than the traffic going to known browser based DNS over TLS IPs.
-
@jaredbusch said in New customer - greenfield setup:
But even 2 years ago I would have asked why they actually need filtering.
Can they not just discipline employees? Because this is jsut stupid talking.
We've all asked this question over the years. And in general I agree with you. Sadly there's more requirements for companies to keep their workspaces harassment free, etc.
But really, the best reason for DNS filtering is - defense in depth. If the DNS server can keep a computer from even visiting a known good bad IP, that's just one more helper in the war. Sure there are false positives, assuming there aren't many of those, you just fix it and move on. If there are - then you find a new provider who it's so bad at it.
-
@dashrender said in New customer - greenfield setup:
the browser vendors were saying - as long as the provided DNS provider used DNS over TLS or HTTPS then the browser would respect the system's IP settings.
And since when has your stands router or Windows Server had DNS over TLS?
-
For basic site filter, would you consider OpenDNS? Then, like Jared said, discipline the employees.
-
@dave247 said in New customer - greenfield setup:
discipline the employees
Discipline of employees will only get you so far. You can have all the greatest intitions and an employee follows your policies - until - that one employee that becomes disgruntled and starts to poison another. Or in some cases - they try to actually do the job duties only to find that they cannot due to some over reaching policy and starts to find ways around the policy and security.
-
@jaredbusch said in New customer - greenfield setup:
@dashrender said in New customer - greenfield setup:
the browser vendors were saying - as long as the provided DNS provider used DNS over TLS or HTTPS then the browser would respect the system's IP settings.
And since when has your stands router or Windows Server had DNS over TLS?
Good question:
Someone created a solution for Edgerouters two years ago
https://community.ui.com/questions/DNS-over-TLS-solution-for-EdgeMax-v2/aa0c5c80-1aae-4838-8b31-4dd7028b1219The windows client (10/11) saw it added to beta in 2020:
https://www.zdnet.com/article/microsoft-adds-initial-support-for-dns-over-https-doh-in-windows-insiders/
And full production:
https://techcommunity.microsoft.com/t5/networking-blog/making-doh-discoverable-introducing-ddr/ba-p/2887289Can't find anything about Windows Server DNS being updated as DOH resolver.
and no mention of DNS over TLS for Windows yet. -
For the filtering piece, I don't know that anything relying on DNS filtering alone would be adequate in a business environment. I'd come back to your firewall option from Sophos or an equivalent FortiNet product (just because that's what I'm used to) with a web-filtering subscription. That way even if you've got devices that are getting around your DNS (especially mobile devices) to look up the undesirable sites and services, the FW would still block traffic to and from the destination based on it's web-filtering. This should be possible without any MiTM type inspection as well.
-
@dashrender said in New customer - greenfield setup:
@jaredbusch said in New customer - greenfield setup:
@dashrender said in New customer - greenfield setup:
Should they go DNS filtering or NGFW with filtering subscription?
2 years ago, I would have said DNS filtering. But now browsers are starting to go around DNS with built in DNS over TLS and such.
I know several DNS providers were starting to provide DNS over TLS, and that several of the browser vendors were saying - as long as the provided DNS provider used DNS over TLS or HTTPS then the browser would respect the system's IP settings.
Have you found that to be not true? - then again, how would you know other than the traffic going to known browser based DNS over TLS IPs.
That's just the thing. You need to block that crap.
- Block DNS over TLS in the firewall (port 853 outgoing).
- Block DNS over HTTPS in the firewall (port 443 outgoing to IPs of all known DNS providers like 1.1.1.1, 8.8.8.8 etc).
- Block DNS in the firewall (port 53 outgoing)
- Set up your DNS filtering and set the firewall to provide that DNS to everything on the LAN.
My general rule is to block everything outgoing except 80 (for redirect purposes) and 443. Then open up as needed.
-
@notverypunny said in New customer - greenfield setup:
For the filtering piece, I don't know that anything relying on DNS filtering alone would be adequate in a business environment. I'd come back to your firewall option from Sophos or an equivalent FortiNet product (just because that's what I'm used to) with a web-filtering subscription. That way even if you've got devices that are getting around your DNS (especially mobile devices) to look up the undesirable sites and services, the FW would still block traffic to and from the destination based on it's web-filtering. This should be possible without any MiTM type inspection as well.
Yeah - this is where I'm leaning. I care less about the virus filtering on the guest network - where all the phones and guest devices should be.
-
Not knowing all of the aspects you will run into, something we have here - and is a pain point sometimes is the WI-Fi and vLans.
We have iPads for certain tasks,.. we have a few RING cameras as well, In some cases - they only need to go to the internet - so they are routed as such.
The iPads are used as interruptor stations - so only need to hit that web site (iPads are MDM'ed), and the Ring camea only needs access to RING.
-
@dashrender said in New customer - greenfield setup:
@notverypunny said in New customer - greenfield setup:
For the filtering piece, I don't know that anything relying on DNS filtering alone would be adequate in a business environment. I'd come back to your firewall option from Sophos or an equivalent FortiNet product (just because that's what I'm used to) with a web-filtering subscription. That way even if you've got devices that are getting around your DNS (especially mobile devices) to look up the undesirable sites and services, the FW would still block traffic to and from the destination based on it's web-filtering. This should be possible without any MiTM type inspection as well.
Yeah - this is where I'm leaning. I care less about the virus filtering on the guest network - where all the phones and guest devices should be.
Depending on how petty and litigious the guest network users might be, that could be a dangerous stance with regards to the guest network.
-
@notverypunny said in New customer - greenfield setup:
@dashrender said in New customer - greenfield setup:
@notverypunny said in New customer - greenfield setup:
For the filtering piece, I don't know that anything relying on DNS filtering alone would be adequate in a business environment. I'd come back to your firewall option from Sophos or an equivalent FortiNet product (just because that's what I'm used to) with a web-filtering subscription. That way even if you've got devices that are getting around your DNS (especially mobile devices) to look up the undesirable sites and services, the FW would still block traffic to and from the destination based on it's web-filtering. This should be possible without any MiTM type inspection as well.
Yeah - this is where I'm leaning. I care less about the virus filtering on the guest network - where all the phones and guest devices should be.
Depending on how petty and litigious the guest network users might be, that could be a dangerous stance with regards to the guest network.
I personally do refuse to use any guest WiFi that requires the installation of a third party cert to use. That said - I can only recall this happening one time.
I'm not against DNS filtering - all the things Pete.S mentioned, but SSL inspection on guest - nope, not interested... Hell I'd be more worried about being sue for breach of privacy.