-
Ask a question and get free supportUnlock new privileges and see hidden discussionsWin prizes and earn reputation
-
Question of the day ~ How often do you braai?
-
Afristay giveaway.Win a 2-night stay for two people at an establishment of your choice with R1,000 in spending money. Enter here.
Sign up with Googlelooking for a top of the range Firewall any ideas
- Thread starter scoobs
- Start date
aybbleek
Expert Member
- Joined
- Sep 9, 2013
- Messages
- 1,611
What is the SonicWALL not doing for you? What licensing is active?
Deadmanza
Honorary Master
- Joined
- Sep 13, 2013
- Messages
- 12,762
Firewall is NOT a catch all solution. It is part of securing your organisation (a big part).
Do you have Mail filtering? A decent backup solution? A decent AV on all machines?
What virus got through?
aybbleek
Expert Member
- Joined
- Sep 9, 2013
- Messages
- 1,611
Yeah exactly - you actually need endpoint security enforcement (recommended to include posture assessment) and AV pushdown (features supported by SonicWALL already via licensing). Then also purchase the AntiSpam Gateway licenses and also ensure that your network is segmented sufficiently to contain an outbreak should it occur. Where did the infection originate? Do you block USB access etc via group policy? Do you have the Comprehensive Gateway Security Suite License activated? Are you running SonicWALL Analyzer? How is patch management controlled across the devices? Do you have BYOD policies?
basically i just walked into this place 2 months back still getting my head around the setup
we use bitdefender enterprise on all machines
No GPO on domain so far its a open F** house free for all ( something on my list )
sonic wall is using basically the licences that was bought with the device
remember these guys were outsourced before so no real effort has been put in EG VLANS etc
yeah we got a BYOD but no policy basically people just bring what they want connect to the Wifi hotspot and boom they can rape my internet line and i wouldent know because i dont have any content filtering here
IS A MESS i know thats why im trying to come up with a plan here
we use bitdefender enterprise on all machines
No GPO on domain so far its a open F** house free for all ( something on my list )
sonic wall is using basically the licences that was bought with the device
remember these guys were outsourced before so no real effort has been put in EG VLANS etc
yeah we got a BYOD but no policy basically people just bring what they want connect to the Wifi hotspot and boom they can rape my internet line and i wouldent know because i dont have any content filtering here
IS A MESS i know thats why im trying to come up with a plan here
Deadmanza
Honorary Master
- Joined
- Sep 13, 2013
- Messages
- 12,762
How is your Cisco Knowledge, Cisco products are brilliant, expensive and some what convoluted in their config, but really top notch.
Necropolis
Executive Member
- Joined
- Feb 26, 2007
- Messages
- 8,401
A firewall alone isn't going to solve your issues.
A properly configured desktop PC running a free firewall distro (PFSense or the like) will do what you want for not much money at all.
A properly configured desktop PC running a free firewall distro (PFSense or the like) will do what you want for not much money at all.
gregmcc
Honorary Master
- Joined
- Jun 29, 2006
- Messages
- 25,514
I'm not a fan of Meraki - might be ok for small setups but def not enterprise ready.
As the guys said above, there is more than just putting in a firewall.
Do you have any security policies defining what users can/cannot do. Do you have to be PCI complaint? Judging from the info you've given probably not.
You will need to start at the basics and look at everything.
Desktops/servers - AV protection, patching. If you are concerned over data leakage - locking down of USB devices. Server shares - are the correct permissions used. Are unused services stopped on servers. Desktops - do they need to be encrypted. Laptops - are they encrypted?
Firewalls - do you have any incoming connections? Do they terminate in the DMZ? What FW logs do you keep? I'm a Checkpoint fan but probably overkill for small setups. Then again if you are protecting millions it might be a good idea to look at Checkpoint. Expensive but imo its the best. If you have any internet facing services how are these locked down?
Wifi - how is this configured? When users are connected to the wifi can they only access the internet? Can they also access internal resources? How is access controlled? How far does the wifi reach? Is wifi key ever changed?
Proxies - they HAVE to have AV and content filtering. If you have no content filtering and a user browsers porn all day they cannot be fired as you have then done nothing to protect the users from going to bad sites. Also if users can access for example child porn sites from wifi and they get caught, the police will come knocking at your door. Also very important is to log proxy access.
As the guys said above, there is more than just putting in a firewall.
Do you have any security policies defining what users can/cannot do. Do you have to be PCI complaint? Judging from the info you've given probably not.
You will need to start at the basics and look at everything.
Desktops/servers - AV protection, patching. If you are concerned over data leakage - locking down of USB devices. Server shares - are the correct permissions used. Are unused services stopped on servers. Desktops - do they need to be encrypted. Laptops - are they encrypted?
Firewalls - do you have any incoming connections? Do they terminate in the DMZ? What FW logs do you keep? I'm a Checkpoint fan but probably overkill for small setups. Then again if you are protecting millions it might be a good idea to look at Checkpoint. Expensive but imo its the best. If you have any internet facing services how are these locked down?
Wifi - how is this configured? When users are connected to the wifi can they only access the internet? Can they also access internal resources? How is access controlled? How far does the wifi reach? Is wifi key ever changed?
Proxies - they HAVE to have AV and content filtering. If you have no content filtering and a user browsers porn all day they cannot be fired as you have then done nothing to protect the users from going to bad sites. Also if users can access for example child porn sites from wifi and they get caught, the police will come knocking at your door. Also very important is to log proxy access.
Last edited:
Im surprised no one has mentioned Checkpoint.
It really is the top of the line device, but obviously there is a bit of a price premium.
Security is a black hole of money and can cost a small fortune depending on how deep you go.
If the data is worth millions you need to protect it through secure backups, malware and ransomware prevention, possibly DLP to stop accidental leaking.
Data encryption would be a must.
Might also need to look at a network design to ensure proper segmentation
It really is the top of the line device, but obviously there is a bit of a price premium.
Security is a black hole of money and can cost a small fortune depending on how deep you go.
If the data is worth millions you need to protect it through secure backups, malware and ransomware prevention, possibly DLP to stop accidental leaking.
Data encryption would be a must.
Might also need to look at a network design to ensure proper segmentation
gregmcc
Honorary Master
- Joined
- Jun 29, 2006
- Messages
- 25,514
Expensive, but best of breed.doubleshot
Member
- Joined
- Sep 23, 2016
- Messages
- 26
Fortigate has built in Webfilter, AV and Ransomware protection. It has great reporting to see what's happening on your network with threat reports. Protect your Endpoints. Deploy GPOs with app whitelisting and prevent EXE execution. Make sure you have something like Mimecast for email security and most importantly make an effort to educate your end-users. There's great tech out there incl. Sonicwall. End user your greatest risk no matter how good your infrastructure are.
Last edited:
RoganDawes
Expert Member
- Joined
- Apr 18, 2007
- Messages
- 1,259
If your data is worth millions, don't rely on free advice you got on the internet.
Rather pay someone to assess your environment, and construct a plan that addresses the real risk areas. Messing around with firewalls when you got hit by malware is not going to solve your problem.
Yes, MAYBE your firewall can do anti-virus/malware scanning, etc, but you should also be addressing things like awareness - don't open untrusted attachments, segmentation - separating your users workstations from the servers by a firewall/filter of some sort, possibly making private VLANs so your users cannot talk to each other (so if one user gets hit by malware, the rest of your users are not in the firing line), etc, etc, etc
Rather pay someone to assess your environment, and construct a plan that addresses the real risk areas. Messing around with firewalls when you got hit by malware is not going to solve your problem.
Yes, MAYBE your firewall can do anti-virus/malware scanning, etc, but you should also be addressing things like awareness - don't open untrusted attachments, segmentation - separating your users workstations from the servers by a firewall/filter of some sort, possibly making private VLANs so your users cannot talk to each other (so if one user gets hit by malware, the rest of your users are not in the firing line), etc, etc, etc
OCP
Executive Member
- Joined
- Jan 23, 2014
- Messages
- 5,306
+1
Long time Sonicwall provider; changed to Fortigate/Fortinet with sandbox and enpoint clients - solid solution.
Speak to Ettiene at Maxtec to get decent advise.
As mentioned .. look at the bigger issue.Security is more then just your firewall.The sonicwall is an enterprise device so it good enough.So you need multiple layers of security and that still doesnt guarantee you will be virus free.
1) Get your sonicwall configured correctly and locked down as much as possible
2) Implement a server/client based antivirus solution
3) Implement group policies
4) Dont give users local admin rights
5) Lock down network shares and dont give normal users more rights then they need
1) Get your sonicwall configured correctly and locked down as much as possible
2) Implement a server/client based antivirus solution
3) Implement group policies
4) Dont give users local admin rights
5) Lock down network shares and dont give normal users more rights then they need