
security appliance question

Mr. Friendly

Well-known member
Joined
Nov 21, 2007
Messages
5,274
Location
British Columbia
a client needs a firewall to protect their surveillance and HVAC systems...a Win 10 PC and a Win 7 PC.

they currently have a Sonicwall NSA 240 that went EoL 3 years ago and have been instructed by the strata board to ensure the HW is adequate.

they don't need email / web filtering as the access by VPN is just to monitor externally and they said they don't need HW replacement coverage either.

they just want something to let them log in and check up on stuff and protect from outside intrusion.

so, do they really need a modern security appliance sans licensing or would a Cisco VPN / FW router be sufficient? I'm not sure how much more advanced an appliance's FW is vs what you get with a VPN router...I'm used to selling the appliances because the client needs all the add-ons and support. :p
 

clshades

Well-known member
Joined
May 18, 2011
Messages
3,398
Location
Calgary
Surprised they are using windows and concerned about security in the same sentence. Get a linux guy in there and button that thing up?
 

Sagath

Moderator
Staff member
Folding Team
Joined
Feb 7, 2009
Messages
4,733
Location
Edmonton, AB
Half the world runs on VPNs via routers just fine. Shit, governments too. They just use more glorified routers. Why wouldn't that be fine to protect this guy's HVAC system? Is the HVAC a fridge with the COVID-19 Vaccine in it or something? ;)
 

clshades

Well-known member
Joined
May 18, 2011
Messages
3,398
Location
Calgary
Regardless of what you build or what you buy, like Sagath said, a vpn is a vpn. Either way it needs to be configured to access.

If they want to keep it simple, Logmein works fine, but then they have to share an account among themselves and I'm not sure it supports that. It's also not cheap anymore but it's sans hardware, sans issues later.
 

Herne

Well-known member
Joined
Jun 18, 2010
Messages
171
Half the world runs on VPNs via routers just fine. Shit, governments too. They just use more glorified routers. Why wouldn't that be fine to protect this guy's HVAC system? Is the HVAC a fridge with the COVID-19 Vaccine in it or something? ;)

Understanding what they are trying to protect is actually what you are supposed to do. I have done evaluations on systems that control HVAC that if it failed it would be in the Globe and Mail.

Chances are the VPN/FW edge appliance is more than safe enough if properly configured; and your energy is better spent adding a 2FA like Google Authenticator or Yubikey.
 

JD

Moderator
Staff member
Joined
Jul 16, 2007
Messages
9,993
Location
Toronto, ON
Just don't be like Home Depot and have the HVAC network connected to the cash registers :rolleyes:

Unless they need things like DPI/IPS/etc, then yeah I would think a normal "VPN router" would suffice. I guess only the VPN port would be open to the internet, and the VPN solution being used would have strong encryption and multi-factor authentication.
 

Mr. Friendly

Well-known member
Joined
Nov 21, 2007
Messages
5,274
Location
British Columbia
Understanding what they are trying to protect is actually what you are supposed to do. I have done evaluations on systems that control HVAC that if it failed it would be in the Globe and Mail.

Chances are the VPN/FW edge appliance is more than safe enough if properly configured; and your energy is better spent adding a 2FA like Google Authenticator or Yubikey.

they want VPN and intrusion protection. I don't think they're actively being hacked or anything...but their mindset seems to be excessive when it actually does nothing for them. I don't want to recommend something that gives them a false sense of safety.

so essentially, minus all the updates / services that come with security appliances, is there a difference in its firewall vs a SMB VPN / FW router from Cisco?
 

JD

Moderator
Staff member
Joined
Jul 16, 2007
Messages
9,993
Location
Toronto, ON
Might be better served by something like Untangle's appliances (possibly with a license). I would suspect they're looking to keep both the WAN and LAN sides of the network secure, so an IDS could help in case somebody hijacked a thermostat or plugged in some malicious device.

You'd have to understand what their Sonicwall is doing today. And then understand whatever governing standards that they have to adhere to. PCI? DISA? CIS?
 

Herne

Well-known member
Joined
Jun 18, 2010
Messages
171
Not sure about the IPS or IDS. You are right not to give details about a security set-up, but it sounds like they have an isolated segment with very limited resources [surveillance and HVAC systems]. Don't open attack surface with more traffic to this zone than you need. It sounds like right now they only need 1 port open on the public side, maybe a second one if it sends out alarms.

If that is the case, my first impulse is to keep it that way. Unless there are physical security issues, such as with a wireless setup, all the traffic is through the device you intended to replace the Sonicwall.

So as JD says, what was missing? 2FA? Is the Sonicwall throwing all the alerts they want?
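JD's "only the VPN port open to the internet" and Herne's "one port on the public side, maybe a second for alarms" can be written down as an edge firewall policy. The ruleset below is an added nftables example, not from any poster or from the Sonicwall or Cisco products discussed; the interface names, the choice of WireGuard as the VPN, its UDP port, the subnet and the alarm-sending controller address are all assumptions for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example: minimal edge policy for an isolated HVAC/surveillance segment.
# Assumed interfaces, VPN port and addresses; adjust to the real site.
flush ruleset

define WAN        = "eth0"            # internet-facing interface
define OT         = "eth1"            # segment holding the HVAC + surveillance PCs
define VPN        = "wg0"             # WireGuard tunnel interface (assumed VPN choice)
define VPN_PORT   = 51820             # the only UDP port exposed to the internet
define OT_NET     = 192.168.50.0/24   # assumed OT subnet
define ALARM_HOST = 192.168.50.10     # assumed HVAC controller that emails alarms

table inet edge {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # The single open port on the public side: the VPN listener.
        iifname $WAN udp dport $VPN_PORT accept
        # Managing the firewall itself (SSH) is reachable only through the tunnel.
        iifname $VPN tcp dport 22 accept
        # Anything else arriving from the internet is logged and dropped.
        iifname $WAN log prefix "edge-drop-in " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Remote monitoring: authenticated VPN users may reach the OT segment.
        iifname $VPN oifname $OT ip daddr $OT_NET accept
        # The "second port" for outbound alarms: only the controller, only mail submission
        # (plus DNS so it can resolve the mail server).
        iifname $OT oifname $WAN ip saddr $ALARM_HOST tcp dport 587 accept
        iifname $OT oifname $WAN ip saddr $ALARM_HOST udp dport 53 accept
        # OT devices get no other internet access and never initiate into the tunnel,
        # which is the segmentation JD's Home Depot example was missing.
        iifname $OT log prefix "ot-egress-drop " drop
    }
}
```

The 2FA Herne recommends lives in the VPN server's authentication, not in this ruleset; and if the Windows PCs need update egress, that is a deliberate extra rule, not an "allow all" from the OT side.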
 