Pfsense instead SonicWall ?
-
@wrx7m said:
@scottalanmiller Interesting. So you would just go with endpoint protection after the router/firewall?
Yes, in nearly all cases. AV on the firewall means huge network delays or tons of processing power needed at the end and it is rarely effective. If you are investing tens of thousands in Palo Alto gear, that's different. But other than that, I wouldn't even consider it.
-
I'm a big believer that the UTM concept is hype. I want my router to be a router, not be an all in one device like I'm a home user. All functionality should be broken out and should be determined discretely if needed. UTMs are sold almost exclusively based on marketing, not a need driving a search for a solution.
-
@scottalanmiller Thanks for the info. What about use of a proxy/application control?
-
@coliver said:
@wrx7m said:
Gateway AV, DPI, IDS, IPS
I've never seen Gateway AV work... but I Squid can also do this with some addons.
You haven't? I have. Both good and bad. I've seen it block bad things and also have false positives. I definitely like the thought behind it.. not sold one way or the other in practice though.
-
Plus Scott is a big believer in the LANless approach. Don't trust the network you're own.. create your own security through other means, like endpoint to server SSL, etc.
-
@wrx7m said:
@scottalanmiller Thanks for the info. What about use of a proxy/application control?
Proxies have their place, and I was using one at home even in the 1990s. Proxying itself is pretty much useless for 95% of businesses, but some need it. But a proxy requires a lot of horsepower and should never be combined with routing. For proxy and cache functions I would also turn to Squid for normal stuff and if you feel that you need to control access (which I generally think is a horrible idea and you should fire everyone if you think you need this) I would use Websense as nothing else even pretends to actually do anything.
-
@Dashrender said:
You haven't? I have. Both good and bad. I've seen it block bad things and also have false positives.
That description is what we would call not working.
-
@scottalanmiller Right, I understand your point on separating the functions from the firewall, itself.
-
@Dashrender said:
I definitely like the thought behind it.. not sold one way or the other in practice though.
If it introduced no latency and had no (or effectively no) false positives and was very cost effective I'd like the idea, too. But there is really no way to do that and that's the problem.
-
@scottalanmiller said:
@Dashrender said:
You haven't? I have. Both good and bad. I've seen it block bad things and also have false positives.
That description is what we would call not working.
False positives happen even on end points - so....
-
@scottalanmiller said:
@Dashrender said:
I definitely like the thought behind it.. not sold one way or the other in practice though.
If it introduced no latency and had no (or effectively no) false positives and was very cost effective I'd like the idea, too. But there is really no way to do that and that's the problem.
I agree!
-
@scottalanmiller said:
@Dashrender said:
I definitely like the thought behind it.. not sold one way or the other in practice though.
If it introduced no latency and had no (or effectively no) false positives and was very cost effective I'd like the idea, too. But there is really no way to do that and that's the problem.
Oh.. and my false positives was once during my 3 year contract...
-
@wrx7m said:
@scottalanmiller Right, I understand your point on separating the functions from the firewall, itself.
One of the reasons there for proxy/cache specifically is that you need it to be insanely fast and cache a ton of stuff - so you likely want a massive RAID 0 array with SSD cacheing in front of it with loads of memory and a decent CPU (quad core Xeon for example) to handle it. You can't get 1% of that from any firewall hardware.
And you don't want the proxy getting in the way of non-proxy traffic. Your VoIP, for example, needs to go straight through the firewall not get processed or blocked by the proxy. If the proxy is inside the firewall device, the CPU will be tied up doing that instead of passing RTP packets.
-
@scottalanmiller said:
@wrx7m said:
@scottalanmiller Thanks for the info. What about use of a proxy/application control?
Proxies have their place, and I was using one at home even in the 1990s. Proxying itself is pretty much useless for 95% of businesses, but some need it. But a proxy requires a lot of horsepower and should never be combined with routing. For proxy and cache functions I would also turn to Squid for normal stuff and if you feel that you need to control access (which I generally think is a horrible idea and you should fire everyone if you think you need this) I would use Websense as nothing else even pretends to actually do anything.
I agree with you but how do you know what people are accessing if you aren't monitoring it, at least passively? Sure there is management but short of standing over everyone's shoulder, I don't see a better way to be able to produce the stats.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
You haven't? I have. Both good and bad. I've seen it block bad things and also have false positives.
That description is what we would call not working.
False positives happen even on end points - so....
But not so often that I've seen one in a decade. Definitely happen, but are super rare. And much easier to identify because it is localised to where it happens. Not somewhere distant.
-
@wrx7m said:
I agree with you but how do you know what people are accessing if you aren't monitoring it, at least passively?
I don't want to know what they are accessing. I know of no positive, but tons of negative, results from that. Having that information available doesn't itself cause problems, but it makes problems really easy to have - like not looking at how well people do their jobs and instead looking at what web sites that they go to.
I truly believe that 99.9% of the time, having this information has only negative value. And IT should never want this, management might require it, but it would never be in IT's interest to have to collect this.
-
@wrx7m said:
Sure there is management but short of standing over everyone's shoulder, I don't see a better way to be able to produce the stats.
Good, make it hard to collect pointless metrics.
-
@scottalanmiller said:
@wrx7m said:
I agree with you but how do you know what people are accessing if you aren't monitoring it, at least passively?
I don't want to know what they are accessing. I know of no positive, but tons of negative, results from that. Having that information available doesn't itself cause problems, but it makes problems really easy to have - like not looking at how well people do their jobs and instead looking at what web sites that they go to.
I truly believe that 99.9% of the time, having this information has only negative value. And IT should never want this, management might require it, but it would never be in IT's interest to have to collect this.
IT services don't exist in a vacuum and most management would disagree. Management wants info like this occasionally. Sometimes they want even more, which requires specialized software installed on the local system. I really hate doing that.
-
@wrx7m said:
IT services don't exist in a vacuum and most management would disagree.
Not good, healthy management. I normally see this stuff being pushed from IT in opposition to management as IT people have a tendency to want to "control" things, it's part of the culture. Good management would know instantly that this is horrible info and goes against even the most entry level management training. This calls only into the "really clueless untrained or megalomaniac" management category outside of specific issues (some places have to for regulations.)
If management wants this info, IT should be training them as to how useless this data is and how there is no possible useful outcome to collecting it.
-
@scottalanmiller said:
@wrx7m said:
I agree with you but how do you know what people are accessing if you aren't monitoring it, at least passively?
I don't want to know what they are accessing. I know of no positive, but tons of negative, results from that. Having that information available doesn't itself cause problems, but it makes problems really easy to have - like not looking at how well people do their jobs and instead looking at what web sites that they go to.
I truly believe that 99.9% of the time, having this information has only negative value. And IT should never want this, management might require it, but it would never be in IT's interest to have to collect this.
We've had on average one person a year fired because of their browsing habits. One person was even watching Netflix 8 hours a day, surprisingly that person still works here.
Employees are paid to do their jobs, not to browse the web. If the management has a need to have that info, then we should provide it.
