
    USG Pro 4 and our Company Security

    • jevans

      My company is working on dropping our "MPLS" provider, and I use the term "MPLS" loosely, and manage our own equipment and establish VPN connections to our data center using a USG Pro 4 at all 14 of our branches. We have on average 4-6 employees at each branch. They use thin clients to remote into a server in our DC to do all of their daily work. I have had a USG connected at two of our locations and at my home office for over a year. I was planning to install a USG at the data center and then use the built-in VPN connection between USGs to set up all of our branches. I thought this was a great idea until the Rep from our DC called and said that it is not secure enough and that we need a UTM. This just about sank my entire plan but I'm a bit skeptical about his answer. Is this guy right, that they won't work and cause a huge security risk to our company or does he not know what he is talking about? Also, if he does know what he is talking about is there an inexpensive way to mitigate that weakness and still use the USGs? For a bit more info, we would be sending out all internet traffic locally from the branch and all other traffic would go through the VPN Tunnel to the DC.

      Thank you in advance,
      Jevans

      • scottalanmiller @jevans

        @jevans said in USG Pro 4 and our Company Security:

        I thought this was a great idea until the Rep from our DC called and said that it is not secure enough and that we need a UTM.

        That's a scam. You have an actual security concern with this "rep" and I'd treat it as such. He's now a malicious actor trying to socially engineer you. There is absolutely no need for a UTM, and there wasn't one before. Going to a better security model with the Unifis and VPN in no way creates a new need for a UTM. A UTM would do essentially nothing here, anyway.

        He's trying to pull a fast one and I guarantee he's a skeezy UTM sales guy who will say anything to bully someone into a sale.

        I'd seriously consider switching datacenter providers, not just not listening to this guy. That your DC employs someone like this and gives him access to try to trick you is a serious security and trust concern.

        • scottalanmiller @jevans

          @jevans said in USG Pro 4 and our Company Security:

          I was planning to install a USG at the data center and then use the built-in VPN connection between USGs to set up all of our branches.

          This is a good idea and more secure than you've been in the past as you have the same level of security, but without the risk of a third party having access to it as well. This is solid thinking and a standard pattern for handling this kind of situation.

          • RojoLoco

            What is that guy trying to sell you? Because his words sound like vendor trickery. If he is employed by your company, he might just be misinformed.

            • scottalanmiller @jevans

              @jevans said in USG Pro 4 and our Company Security:

              Is this guy right, that they won't work and cause a huge security risk to our company or does he not know what he is talking about?

              They will absolutely work exactly as you expect. And a UTM will do nothing to alter the risk (in this scenario). He does know what he is talking about, he's just lying. There is no way he's confused, this isn't incompetence, this is 99% certain dishonesty, very different things. He's been trained on how to use scare tactics to do something unethical and he's using tried and true social engineering to try to make a quick buck off of your company.

              UTMs have a place (very small place) but only affect WAN linked traffic, of which there is none in this equation. So it's not even the semi-legitimate sales tactic of trying to sell a nearly pointless security system, but one with technically a little merit, he's just blindly trying to sell something that wouldn't even activate when put into place here!

              • travisdh1 @jevans

                @jevans He doesn't know what he's talking about. I'd in turn ask him "Why do you think the network firewall should be responsible for all these other security pieces that can be done cheaper and much more efficiently elsewhere?" You already know the answer is because he wants to sell you something, which does not benefit you in any way.

                • scottalanmiller @RojoLoco

                  @RojoLoco said in USG Pro 4 and our Company Security:

                  If he is employed by your company, he might just be misinformed.

                  My understanding is that this is a salesman (rep) from the datacenter (probably colo) provider. This is likely one of those little VARs that runs a little datacenter and masquerades as an MSP to try to make their sales seem legitimate. Just a guess, but that's the pattern I see this occurring in.

                  • scottalanmiller

                    Another really important thing to point out is that a Unifi USG is a UTM. We never talk about that because that would be a shitty way to sell firewalls. UTM is nothing more than a firewall with some extra features (that we generally recommend against because they are either stupid and wasteful, or if needed shouldn't be on the firewall as that is horrible security practice) and the USG has some UTM features that you can turn on (but most of us don't.)

                    So not only is he being dishonest about you needing a UTM, he's also lying about you not already having one!

                    • scottalanmiller @jevans

                      @jevans said in USG Pro 4 and our Company Security:

                      For a bit more info, we would be sending out all internet traffic locally from the branch and all other traffic would go through the VPN Tunnel to the DC.

                      IF you needed a UTM for some reason (trust me, you don't), then it would be only at that branch with the Internet connection. UTMs are a "buzzword" product that in theory is meant to protect at that step to the Internet. If you put UTMs in your connection to the datacenter, you'd have to disable the UTM features for things to work properly anyway!

                      • RojoLoco @scottalanmiller

                        @scottalanmiller said in USG Pro 4 and our Company Security:

                        @RojoLoco said in USG Pro 4 and our Company Security:

                        If he is employed by your company, he might just be misinformed.

                        My understanding is that this is a salesman (rep) from the datacenter (probably colo) provider. This is likely one of those little VARs that runs a little datacenter and masquerades as an MSP to try to make their sales seem legitimate. Just a guess, but that's the pattern I see this occurring in.

                        What the actual bloody fuck???

                        @jevans sever your ties with this alleged "datacenter" immediately!!!! Never colocate systems to a place that sells anything but rack spaces for your gear.

                        • scottalanmiller @RojoLoco

                          @RojoLoco said in USG Pro 4 and our Company Security:

                          @scottalanmiller said in USG Pro 4 and our Company Security:

                          @RojoLoco said in USG Pro 4 and our Company Security:

                          If he is employed by your company, he might just be misinformed.

                          My understanding is that this is a salesman (rep) from the datacenter (probably colo) provider. This is likely one of those little VARs that runs a little datacenter and masquerades as an MSP to try to make their sales seem legitimate. Just a guess, but that's the pattern I see this occurring in.

                          What the actual bloody fuck???

                          @jevans sever your ties with this alleged "datacenter" immediately!!!! Never colocate systems to a place that sells anything but rack spaces for your gear.

                          ^^^ This. I'd be calling the head of the company here and demanding an explanation for such unethical behaviour and a pretty clear defense of how you are supposed to be able to trust your equipment to a company that clearly has a security concern! This behaviour is really no different to any other that would steal your data and sell it. If they are willing to lie and cheat and bully to try to take your money, why wouldn't they harvest your data straight off of the servers and sell it? Or sell access to your servers to anyone who paid them? There are no ethical lines between the two actions.

                          I understand that maybe the sales guy (that they call a rep) might have zero access to the datacenter itself. Maybe. But the owner who employs him and pays him to run scams does, and they need to find a way to establish trust back up the chain.

                          Really, best to just walk away. There are loads of honest, ethical datacenters and MSPs out there that would love to actually help you. There is never a need of any sort to continue to do business with the "bad guys".

                          • jevans

                            He said that I should get Juniper or Fortigate. Then he told me that they could put together a package for Fortigate because that is what the DC uses. So I do feel like he is promoting their equipment and management services. Thankfully, we plan on dropping the DC in a few years because we won't need the services they provide by then. So I really started to feel the pressure when I was told the USGs would not work. With that said, this Rep did mention two things I was not familiar with, I'm still learning. He said the IPS would block one set of attacks but that it couldn't block others and those "others" are a big threat right now. When I remember I'll post.

                            • jevans @scottalanmiller

                              @scottalanmiller said in USG Pro 4 and our Company Security:

                              I'd be calling the head of the company

                              You know, hearing all of you talk about this really sheds some light on what has been going on with the DC. When we first signed with them we were taken care of. We liked the people we worked with. Then over the last year, almost all of the people we worked with at the start left or got fired. Our current rep said that they didn't like the way the company was going. Now I know why because it was going the wrong way.

                              • RojoLoco @jevans

                                @jevans don't give those scumbags another penny. "...in a few years" is waaaaayyyyy too late.

                                • jmoore @jevans

                                  @jevans Juniper makes good stuff, Fortigate less so. We use some Fortigate here and have had several strange issues.

                                  If it sounds like they are promoting a package then buyer beware as the saying goes. If they are selling something then any advice they give is suspect.

                                  As others have said, hardly anyone ever needs a UTM. They are right.

                                  • RojoLoco @jmoore

                                    @jmoore said in USG Pro 4 and our Company Security:

                                    If they are selling something then any ALL advice they give is suspect.

                                    • scottalanmiller @jevans

                                      @jevans said in USG Pro 4 and our Company Security:

                                      He said that I should get Juniper or Fortigate. Then he told me that they could put together a package for Fortigate because that is what the DC uses.

                                      Yup, salesman being a salesman. Just saying anything to try to sell what he sells.

                                      • RojoLoco

                                        @jevans what is the name of this terrible company? Giving them a "name and shame" here could help others get away from their treachery.

                                        • scottalanmiller @jevans

                                          @jevans said in USG Pro 4 and our Company Security:

                                          He said the IPS would block one set of attacks but that it couldn't block others and those "others" are a big threat right now. When I remember I'll post.

                                          IPS is okay, but probably doesn't have a place here. IPS is the "most valuable" thing included in a UTM. Thankfully, Unifi includes this. So you already have it should you want to turn it on.

                                          • scottalanmiller @jevans

                                            @jevans said in USG Pro 4 and our Company Security:

                                            Our current rep said that they didn't like the way the company was going. Now I know why because it was going the wrong way.

                                            "Toxic environments"... once people start fleeing, that's almost always what it is. And sadly, those kinds of problems "always" come from the top down, if they didn't, they'd be fixed pretty quickly. So unfortunately, it becomes an "unfixable" situation where the owner desires X of the company and only people who are okay with X behaviour are willing to work there.
