How to Layer Your Security Needs
-
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
My preferred config?
Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.
I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?
I'm going to be installing Wazah here this week. While it'll be the first time I've used that specific software setup, it has OSSEC as it's base which I have used quite often. I'm looking forward to seeing how Wazah compares to some of the paid solutions out there.
Also, like @scottalanmiller already said, IDS/IPS exists at the network level, not the OS.
Ok that is what I am confused about. Where does IDS sit at physically on the network? firewall?
Nothing should ever sit on the firewall, nothing. Proper "anything network" should be a VM that may or may not get all network traffic, depending on the task.
-
@reid-cooper said in How to Layer Your Security Needs:
We are expecting a full Wazzah how to now.
This is going on a tiny little network, so the how to is "Download the OVA and install that to your hypervisor". Done.
-
@travisdh1 said in How to Layer Your Security Needs:
@reid-cooper said in How to Layer Your Security Needs:
We are expecting a full Wazzah how to now.
This is going on a tiny little network, so the how to is "Download the OVA and install that to your hypervisor". Done.
Ah, that's pretty simple then.
-
@reid-cooper said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
@reid-cooper said in How to Layer Your Security Needs:
We are expecting a full Wazzah how to now.
This is going on a tiny little network, so the how to is "Download the OVA and install that to your hypervisor". Done.
Ah, that's pretty simple then.
Yeah, if you have a mid-size network or larger, having to install all the different components is a much bigger chore. I doubt I'll be running into that unless I get hired by some big corporation.
-
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
My preferred config?
Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.
I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?
I'm going to be installing Wazah here this week. While it'll be the first time I've used that specific software setup, it has OSSEC as it's base which I have used quite often. I'm looking forward to seeing how Wazah compares to some of the paid solutions out there.
Also, like @scottalanmiller already said, IDS/IPS exists at the network level, not the OS.
Ok that is what I am confused about. Where does IDS sit at physically on the network? firewall?
Nothing should ever sit on the firewall, nothing. Proper "anything network" should be a VM that may or may not get all network traffic, depending on the task.
Oh I see now, thanks
-
@jmoore said in How to Layer Your Security Needs:
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
My preferred config?
Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.
I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?
I'm going to be installing Wazah here this week. While it'll be the first time I've used that specific software setup, it has OSSEC as it's base which I have used quite often. I'm looking forward to seeing how Wazah compares to some of the paid solutions out there.
Also, like @scottalanmiller already said, IDS/IPS exists at the network level, not the OS.
Ok that is what I am confused about. Where does IDS sit at physically on the network? firewall?
Nothing should ever sit on the firewall, nothing. Proper "anything network" should be a VM that may or may not get all network traffic, depending on the task.
Oh I see now, thanks
They should be "just another application" and treated like a normal enterprise app. UTM treats those apps as special and outside of standard IT good practices, which makes UTMs kind of bad fundamentally.
-
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
My preferred config?
Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.
I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?
I'm going to be installing Wazah here this week. While it'll be the first time I've used that specific software setup, it has OSSEC as it's base which I have used quite often. I'm looking forward to seeing how Wazah compares to some of the paid solutions out there.
Also, like @scottalanmiller already said, IDS/IPS exists at the network level, not the OS.
Ok that is what I am confused about. Where does IDS sit at physically on the network? firewall?
Nothing should ever sit on the firewall, nothing. Proper "anything network" should be a VM that may or may not get all network traffic, depending on the task.
For IDS, I agree. For IPS, i had better luck and performance with hardware in-line ie:
<internet>-->Firewall-->IPS-->Local Network
This was on a 50/50 fiber.
-
@dafyre said in How to Layer Your Security Needs:
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
My preferred config?
Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.
I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?
I'm going to be installing Wazah here this week. While it'll be the first time I've used that specific software setup, it has OSSEC as it's base which I have used quite often. I'm looking forward to seeing how Wazah compares to some of the paid solutions out there.
Also, like @scottalanmiller already said, IDS/IPS exists at the network level, not the OS.
Ok that is what I am confused about. Where does IDS sit at physically on the network? firewall?
Nothing should ever sit on the firewall, nothing. Proper "anything network" should be a VM that may or may not get all network traffic, depending on the task.
For IDS, I agree. For IPS, i had better luck and performance with hardware in-line ie:
<internet>-->Firewall-->IPS-->Local Network
This was on a 50/50 fiber.
In line is acceptable, just not "running on the same processor."
-
@dafyre said in How to Layer Your Security Needs:
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
My preferred config?
Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.
I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?
I'm going to be installing Wazah here this week. While it'll be the first time I've used that specific software setup, it has OSSEC as it's base which I have used quite often. I'm looking forward to seeing how Wazah compares to some of the paid solutions out there.
Also, like @scottalanmiller already said, IDS/IPS exists at the network level, not the OS.
Ok that is what I am confused about. Where does IDS sit at physically on the network? firewall?
Nothing should ever sit on the firewall, nothing. Proper "anything network" should be a VM that may or may not get all network traffic, depending on the task.
For IDS, I agree. For IPS, i had better luck and performance with hardware in-line ie:
<internet>-->Firewall-->IPS-->Local Network
This was on a 50/50 fiber.
Who makes a good IPS hardware?
-
@jmoore said in How to Layer Your Security Needs:
@dafyre said in How to Layer Your Security Needs:
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
My preferred config?
Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.
I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?
I'm going to be installing Wazah here this week. While it'll be the first time I've used that specific software setup, it has OSSEC as it's base which I have used quite often. I'm looking forward to seeing how Wazah compares to some of the paid solutions out there.
Also, like @scottalanmiller already said, IDS/IPS exists at the network level, not the OS.
Ok that is what I am confused about. Where does IDS sit at physically on the network? firewall?
Nothing should ever sit on the firewall, nothing. Proper "anything network" should be a VM that may or may not get all network traffic, depending on the task.
For IDS, I agree. For IPS, i had better luck and performance with hardware in-line ie:
<internet>-->Firewall-->IPS-->Local Network
This was on a 50/50 fiber.
Who makes a good IPS hardware?
Palo Alto
-
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@dafyre said in How to Layer Your Security Needs:
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
My preferred config?
Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.
I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?
I'm going to be installing Wazah here this week. While it'll be the first time I've used that specific software setup, it has OSSEC as it's base which I have used quite often. I'm looking forward to seeing how Wazah compares to some of the paid solutions out there.
Also, like @scottalanmiller already said, IDS/IPS exists at the network level, not the OS.
Ok that is what I am confused about. Where does IDS sit at physically on the network? firewall?
Nothing should ever sit on the firewall, nothing. Proper "anything network" should be a VM that may or may not get all network traffic, depending on the task.
For IDS, I agree. For IPS, i had better luck and performance with hardware in-line ie:
<internet>-->Firewall-->IPS-->Local Network
This was on a 50/50 fiber.
Who makes a good IPS hardware?
Palo Alto
lol. Should have known.
-
@dafyre said in How to Layer Your Security Needs:
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@dafyre said in How to Layer Your Security Needs:
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
My preferred config?
Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.
I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?
I'm going to be installing Wazah here this week. While it'll be the first time I've used that specific software setup, it has OSSEC as it's base which I have used quite often. I'm looking forward to seeing how Wazah compares to some of the paid solutions out there.
Also, like @scottalanmiller already said, IDS/IPS exists at the network level, not the OS.
Ok that is what I am confused about. Where does IDS sit at physically on the network? firewall?
Nothing should ever sit on the firewall, nothing. Proper "anything network" should be a VM that may or may not get all network traffic, depending on the task.
For IDS, I agree. For IPS, i had better luck and performance with hardware in-line ie:
<internet>-->Firewall-->IPS-->Local Network
This was on a 50/50 fiber.
Who makes a good IPS hardware?
Palo Alto
lol. Should have known.
There are others, but with their own hardware, PA has a leg up. Although no need to get hardware from the IPS / IDS vendor.
-
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@dafyre said in How to Layer Your Security Needs:
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
My preferred config?
Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.
I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?
I'm going to be installing Wazah here this week. While it'll be the first time I've used that specific software setup, it has OSSEC as it's base which I have used quite often. I'm looking forward to seeing how Wazah compares to some of the paid solutions out there.
Also, like @scottalanmiller already said, IDS/IPS exists at the network level, not the OS.
Ok that is what I am confused about. Where does IDS sit at physically on the network? firewall?
Nothing should ever sit on the firewall, nothing. Proper "anything network" should be a VM that may or may not get all network traffic, depending on the task.
For IDS, I agree. For IPS, i had better luck and performance with hardware in-line ie:
<internet>-->Firewall-->IPS-->Local Network
This was on a 50/50 fiber.
Who makes a good IPS hardware?
Palo Alto
ah I see. well that makes sense. I was just looking to see if Ubiquity or Fortinet made something like this.
-
@jmoore said in How to Layer Your Security Needs:
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@dafyre said in How to Layer Your Security Needs:
@scottalanmiller said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
@jmoore said in How to Layer Your Security Needs:
@travisdh1 said in How to Layer Your Security Needs:
My preferred config?
Firewall -> Local Anti-Virus and ransomeware prevention.
IDS/IPS at the network level along with asset monitoring.Depending on the needs of the organization, more can be added on, but I'd consider that the starting point to not be without.
I have used Snort before and i think it did those functions. What do you recommend using for IDS/IPS protection on Windows and on Linux?
I'm going to be installing Wazah here this week. While it'll be the first time I've used that specific software setup, it has OSSEC as it's base which I have used quite often. I'm looking forward to seeing how Wazah compares to some of the paid solutions out there.
Also, like @scottalanmiller already said, IDS/IPS exists at the network level, not the OS.
Ok that is what I am confused about. Where does IDS sit at physically on the network? firewall?
Nothing should ever sit on the firewall, nothing. Proper "anything network" should be a VM that may or may not get all network traffic, depending on the task.
For IDS, I agree. For IPS, i had better luck and performance with hardware in-line ie:
<internet>-->Firewall-->IPS-->Local Network
This was on a 50/50 fiber.
Who makes a good IPS hardware?
Palo Alto
ah I see. well that makes sense. I was just looking to see if Ubiquity or Fortinet made something like this.
Ubiquity doesn't make UTM devices of any sort, they are purely a networking company. Which is why I like them for networking.
Fortinet is like SonicWall, I'd never touch them. Horrible experiences with both of them.
-
Network firewall / AV + SSL Inspection --> Proxy Server (for off-internet PCs) --> PCs/Servers --> local firewall --> local AV
Forced OS updates, forced AV updates on PCs/Servers
Forced local firewall settings on PCs/Servers
Central reporting and management of OS updates
Central management and reporting of AV
You need to have network firewall and local/OS firewall... they block against different vectors
-
@tim_g said in How to Layer Your Security Needs:
Central reporting and management of OS updates
Central monitoring is fine. Only needs interaction should something break.
-
@tim_g said in How to Layer Your Security Needs:
You need to have network firewall and local/OS firewall... they block against different vectors
Absolutely. These are the two key paths, one is for direct assaults, from the WAN. One for attacks from the LAN.
-
@tim_g said in How to Layer Your Security Needs:
You need to have network firewall and local/OS firewall... they block against different vectors
Uhm, how? They're doing the same job. It's the IDS/IPS that provide extra protection at the network level. If you're using different anti-virus at the network level than the local level then you could possibly get slightly different detection results, but only very slightly. They're both protecting from the same thing, so really not different vectors, just different locations on a network.
Edit: Now I see @scottalanmiller's post, but I still say it's the same protection in two different spots on the network. Both being good things to have.
-
@travisdh1 said in How to Layer Your Security Needs:
@tim_g said in How to Layer Your Security Needs:
You need to have network firewall and local/OS firewall... they block against different vectors
Uhm, how? They're doing the same job. It's the IDS/IPS that provide extra protection at the network level. If you're using different anti-virus at the network level than the local level then you could possibly get slightly different detection results, but only very slightly. They're both protecting from the same thing, so really not different vectors, just different locations on a network.
Edit: Now I see @scottalanmiller's post, but I still say it's the same protection in two different spots on the network. Both being good things to have.
They are different FW sets, too. They see slightly different things. And you want two to protect against "fail open" possibilities.
-
Patching is the really big ticket item. Keeping things patched is huge and so often overlooked.
