How to Layer Your Security Needs

Obsolesce

Network firewall / AV + SSL Inspection --> Proxy Server (for off-internet PCs) --> PCs/Servers --> local firewall --> local AV

Forced OS updates, forced AV updates on PCs/Servers

Forced local firewall settings on PCs/Servers

Central reporting and management of OS updates

Central management and reporting of AV

You need to have network firewall and local/OS firewall... they block against different vectors

scottalanmiller

@tim_g said in How to Layer Your Security Needs:

Central reporting and management of OS updates

Central monitoring is fine. Only needs interaction should something break.

scottalanmiller

@tim_g said in How to Layer Your Security Needs:

You need to have network firewall and local/OS firewall... they block against different vectors

Absolutely. These are the two key paths, one is for direct assaults, from the WAN. One for attacks from the LAN.

travisdh1

@tim_g said in How to Layer Your Security Needs:

You need to have network firewall and local/OS firewall... they block against different vectors

Uhm, how? They're doing the same job. It's the IDS/IPS that provide extra protection at the network level. If you're using different anti-virus at the network level than the local level then you could possibly get slightly different detection results, but only very slightly. They're both protecting from the same thing, so really not different vectors, just different locations on a network.

Edit: Now I see @scottalanmiller's post, but I still say it's the same protection in two different spots on the network. Both being good things to have.

scottalanmiller

@travisdh1 said in How to Layer Your Security Needs:

@tim_g said in How to Layer Your Security Needs:

You need to have network firewall and local/OS firewall... they block against different vectors

Uhm, how? They're doing the same job. It's the IDS/IPS that provide extra protection at the network level. If you're using different anti-virus at the network level than the local level then you could possibly get slightly different detection results, but only very slightly. They're both protecting from the same thing, so really not different vectors, just different locations on a network.

Edit: Now I see @scottalanmiller's post, but I still say it's the same protection in two different spots on the network. Both being good things to have.

They are different FW sets, too. They see slightly different things. And you want two to protect against "fail open" possibilities.

Reid Cooper

Patching is the really big ticket item. Keeping things patched is huge and so often overlooked.

Reid Cooper

And training your users, I didn't see that mentioned. That might be the biggest thing.

jmoore

@reid-cooper said in How to Layer Your Security Needs:

And training your users, I didn't see that mentioned. That might be the biggest thing.

Good points and your probably right on the training

Reid Cooper

@jmoore said in How to Layer Your Security Needs:

@reid-cooper said in How to Layer Your Security Needs:

And training your users, I didn't see that mentioned. That might be the biggest thing.

Good points and your probably right on the training

And beatings, user beatings are often necessary as well.

Kelly

@scottalanmiller said in How to Layer Your Security Needs:

Firewalls to avoid....

My rule here is that there are just a few vendors that you actually want to consider, and on the SMB end of things, there is little reason to ever consider anything but Ubiquiti.

Once you get larger than Ubiquiti can handle, then you can look at Juniper, Cisco, and a few others. But you are talking $15K+ routers here or special HA functionality, which might be cheaper routers, but will be $10K+ in total.

I was able to get an HA pair of Junipers (new) for about $5k. I didn't go into it looking for HA, but when I found out I could get them for a third what I'd budgeted I decided to go for it.

scottalanmiller

@kelly said in How to Layer Your Security Needs:

@scottalanmiller said in How to Layer Your Security Needs:

Firewalls to avoid....

My rule here is that there are just a few vendors that you actually want to consider, and on the SMB end of things, there is little reason to ever consider anything but Ubiquiti.

Once you get larger than Ubiquiti can handle, then you can look at Juniper, Cisco, and a few others. But you are talking $15K+ routers here or special HA functionality, which might be cheaper routers, but will be $10K+ in total.

I was able to get an HA pair of Junipers (new) for about $5k. I didn't go into it looking for HA, but when I found out I could get them for a third what I'd budgeted I decided to go for it.

Wow, what models? Was it a sale or is that the normal price?

jmoore

@reid-cooper said in How to Layer Your Security Needs:

@jmoore said in How to Layer Your Security Needs:

@reid-cooper said in How to Layer Your Security Needs:

And training your users, I didn't see that mentioned. That might be the biggest thing.

Good points and your probably right on the training

And beatings, user beatings are often necessary as well.

lol I will remember that but then some of the ladies might not bring me home made tamales and chocolate chip cookies...

Kelly

@scottalanmiller said in How to Layer Your Security Needs:

@kelly said in How to Layer Your Security Needs:

@scottalanmiller said in How to Layer Your Security Needs:

Firewalls to avoid....

My rule here is that there are just a few vendors that you actually want to consider, and on the SMB end of things, there is little reason to ever consider anything but Ubiquiti.

Once you get larger than Ubiquiti can handle, then you can look at Juniper, Cisco, and a few others. But you are talking $15K+ routers here or special HA functionality, which might be cheaper routers, but will be $10K+ in total.

I was able to get an HA pair of Junipers (new) for about $5k. I didn't go into it looking for HA, but when I found out I could get them for a third what I'd budgeted I decided to go for it.

Wow, what models? Was it a sale or is that the normal price?

Normal reseller pricing. It was an SRX340. It is rated up to 3 Gbps.

https://www.juniper.net/assets/us/en/local/pdf/datasheets/1000550-en.pdf

scottalanmiller

@kelly said in How to Layer Your Security Needs:

@scottalanmiller said in How to Layer Your Security Needs:

@kelly said in How to Layer Your Security Needs:

@scottalanmiller said in How to Layer Your Security Needs:

Firewalls to avoid....

My rule here is that there are just a few vendors that you actually want to consider, and on the SMB end of things, there is little reason to ever consider anything but Ubiquiti.

Once you get larger than Ubiquiti can handle, then you can look at Juniper, Cisco, and a few others. But you are talking $15K+ routers here or special HA functionality, which might be cheaper routers, but will be $10K+ in total.

I was able to get an HA pair of Junipers (new) for about $5k. I didn't go into it looking for HA, but when I found out I could get them for a third what I'd budgeted I decided to go for it.

Wow, what models? Was it a sale or is that the normal price?

Normal reseller pricing. It was an SRX340. It is rated up to 3 Gbps.

https://www.juniper.net/assets/us/en/local/pdf/datasheets/1000550-en.pdf

Slick, very nice.

Reid Cooper

@jmoore said in How to Layer Your Security Needs:

@reid-cooper said in How to Layer Your Security Needs:

@jmoore said in How to Layer Your Security Needs:

@reid-cooper said in How to Layer Your Security Needs:

And training your users, I didn't see that mentioned. That might be the biggest thing.

Good points and your probably right on the training

And beatings, user beatings are often necessary as well.

lol I will remember that but then some of the ladies might not bring me home made tamales and chocolate chip cookies...

Or maybe they will bring more!

jmoore

@reid-cooper said in How to Layer Your Security Needs:

@jmoore said in How to Layer Your Security Needs:

@reid-cooper said in How to Layer Your Security Needs:

@jmoore said in How to Layer Your Security Needs:

@reid-cooper said in How to Layer Your Security Needs:

And training your users, I didn't see that mentioned. That might be the biggest thing.

Good points and your probably right on the training

And beatings, user beatings are often necessary as well.

lol I will remember that but then some of the ladies might not bring me home made tamales and chocolate chip cookies...

Or maybe they will bring more!

Excellent point!