Barracuda NG Firewalls - Can They Replace My Barracuda 410 Web Filter?
-
This is related to my thread from last year (http://community.spiceworks.com/topic/1204753-replacing-traditional-firewalls-with-utm-appliances-how-do-you-know-it-s-time?page=3&source=year-in-review).
We are quickly approaching the Cisco ASA 5510 limit to have 10 ipsec peers because we keep adding sites. And since the 5505s at our remote sites are headed to end of life, it could be time to look at replacements. Cisco devices work well if configured properly, but I am wondering if there might be something better out there that can do the job and provide some additional features. I realize there is a cost to get those features. Cisco has newer models, but I want to make sure I am considering other vendors as well.
I looked at Sophos UTMs and remember that they have some measure of web filtering included. That's certainly an option we will consider.
I'd love to hear from anyone out there who is using the Barracuda NG series firewalls. I recently saw a demo of them and was both intrigued and impressed. I may see if I can do an evaluation. We have a Barracuda 410 web filter appliance at HQ, and I would love to get rid of the ASA 5510 and the Barracuda appliance and replace it with a single device (perhaps a Barracuda NG series firewall). I would then look to get the NG series firewalls at our remote sites for the ability to easily provision site-to-site tunnels, to provide a measure of web filtering to each location (at the granularity we need - block specific domains or regular expressions by user, ip, etc.), and to make our client and site-to-site VPNs operate a bit faster. These firewalls also allow a deeper level of QoS than what we have. To some extent I know the client VPNs are dependent on internet speed and saturation levels, but I don't believe our client or site-to-site VPNs move as fast as they could.
For IDS / IPS, we are using Arctic Wolf, and they do a great job of providing an extra set of hands in the security department. That portion is not necessarily something we must have in a firewall / gateway device.
And i know Barracuda has stellar support. They have always been responsive and very helpful on support calls.
I'd love to hear thoughts on the Barracuda firewalls and their web filtering capabilities. What made you choose Barracuda for your firewall? What made you decide you needed only this device and no additional web filter?
-
Barracuda have a terrible security reputation. Like Fortinet, but longer ago, they famously put intentional backdoors into their products, including their public facing firewall products, so that "anyone" that got access to the shared password would have permanent access to the systems. I would never use Barracuda personally, but could never recommend using them in any role involving security specifically and most especially firewalls.
-
I don't like the Unified Threat Management devices for the most part. Sure they pack lots of features in a single box. Thing is I can break out all the security stuff out onto different boxes and get a lot better idea of where problems actually are when things go sideways.
-
One consideration is doing web filtering behind the firewall. I am of the opinion that router and firewall functions go in the outward facing appliance, filtering and proxying go behind that at a different layer for security, performance and flexibility reasons.
I would look at Ubiquiti as a replacement for the Cisco and using something else, maybe continuing to use a Barracuda web filter, for the web filtering. Using a Barracuda in a position where it is secured by something more serious like the Ubiquiti would mean that it was protected from being blatantly opened to the outside world.
-
@NetworkNerd said:
To some extent I know the client VPNs are dependent on internet speed and saturation levels, but I don't believe our client or site-to-site VPNs move as fast as they could.
What you likely want there is inline compression, not something widely available. Riverbed is the leader for that.
-
@scottalanmiller said:
@NetworkNerd said:
To some extent I know the client VPNs are dependent on internet speed and saturation levels, but I don't believe our client or site-to-site VPNs move as fast as they could.
What you likely want there is inline compression, not something widely available. Riverbed is the leader for that.
I've heard of Silverpeak as a competitor in that space as well.
-
@travisdh1 said:
I don't like the Unified Threat Management devices for the most part. Sure they pack lots of features in a single box. Thing is I can break out all the security stuff out onto different boxes and get a lot better idea of where problems actually are when things go sideways.
@JaredBusch has said the same thing several times too. The UTM approach is a big sales push from vendors but I don't see it going well. I rarely see UTMs working well at the time of purchase and they have much higher lifetime costs and age much more quickly.
-
@scottalanmiller said:
One consideration is doing web filtering behind the firewall. I am of the opinion that router and firewall functions go in the outward facing appliance, filtering and proxying go behind that at a different layer for security, performance and flexibility reasons.
I would look at Ubiquiti as a replacement for the Cisco and using something else, maybe continuing to use a Barracuda web filter, for the web filtering. Using a Barracuda in a position where it is secured by something more serious like the Ubiquiti would mean that it was protected from being blatantly opened to the outside world.
How easy are the Ubiquiti firewalls for someone who isn't a CLI guru with Cisco and the like?
-
@NetworkNerd said:
How easy are the Ubiquiti firewalls for someone who isn't a CLI guru with Cisco and the like?
I'd say mediocre. They have a graphical interface but it isn't exactly a walk in the park. But it is easier than a Cisco CLI. The CLI on the VyOS on Ubiquiti is very similar to Cisco CLI, so the knowledge carries over. The GUI is always improving but is a bit confusing and not every single feature is exposed there.
-
@NetworkNerd said:
@scottalanmiller said:
One consideration is doing web filtering behind the firewall. I am of the opinion that router and firewall functions go in the outward facing appliance, filtering and proxying go behind that at a different layer for security, performance and flexibility reasons.
I would look at Ubiquiti as a replacement for the Cisco and using something else, maybe continuing to use a Barracuda web filter, for the web filtering. Using a Barracuda in a position where it is secured by something more serious like the Ubiquiti would mean that it was protected from being blatantly opened to the outside world.
How easy are the Ubiquiti firewalls for someone who isn't a CLI guru with Cisco and the like?
Go download the management app and look for yourself, Ubiquity provides all the management software for free. EdgeMAX download page
-
A huge upside to Ubiquit is that you could get one for home and work with the same features and interface in your home environment so that you can mess around and test things without needing to do it on the product system. @anonymous has the baby Ubiquiti at home which is around $50. I have the older smallest one which is around $90 and we travel with it to use wherever we go.
-
Another feature with Ubiquiti is the VPN connections are a breeze. If you have an ER on both ends you really only need to put in address, username, password, and type of connection and it figures it all out. Much easier than between Cisco and something else.
-
@johnhooks said:
Another feature with Ubiquiti is ...Much easier than ... Cisco....
FTFY
-
Love Ubiquity!
-
@NetworkNerd said:
@scottalanmiller said:
One consideration is doing web filtering behind the firewall. I am of the opinion that router and firewall functions go in the outward facing appliance, filtering and proxying go behind that at a different layer for security, performance and flexibility reasons.
I would look at Ubiquiti as a replacement for the Cisco and using something else, maybe continuing to use a Barracuda web filter, for the web filtering. Using a Barracuda in a position where it is secured by something more serious like the Ubiquiti would mean that it was protected from being blatantly opened to the outside world.
How easy are the Ubiquiti firewalls for someone who isn't a CLI guru with Cisco and the like?
For the ER-X and ERL, you simply
- pre-download the latest firmware
- plug in power
- plug in your laptop configured with 192.168.1.2 to eth0
- pop the web browser to 192.168.1.1.
- load the updated firmware
- reboot
- run the WAN+2LAN2 wizard to setup the router
- plug your internet into eth0
a. Reboot your cable modem if you have one of those because they lock to MAC address - plug your local switch into eth1
- win
-
@scottalanmiller said:
A huge upside to Ubiquit is that you could get one for home and work with the same features and interface in your home environment so that you can mess around and test things without needing to do it on the product system. @anonymous has the baby Ubiquiti at home which is around $50. I have the older smallest one which is around $90 and we travel with it to use wherever we go.
The ERX is the much better unit for a SOHO environment because of the built in switching chip.
The ERL is a 100% router. None of the ports have an onboard switch so if you bridge eth1 and eth2, you will lose performance there.
-
What do you use for client VPN connections to the EdgeRouters?
-
@NetworkNerd said:
What do you use for client VPN connections to the EdgeRouters?
The Windows clients work fine, L2TP.
-
@johnhooks said:
@NetworkNerd said:
What do you use for client VPN connections to the EdgeRouters?
The Windows clients work fine, L2TP.
Is the authentication using RADIUS, or are you setting up user accounts for client VPN access inside the EdgeRouter itself? I know Cisco works either way, but I was not sure about Ubiquiti.
-
You can use OpenVPN, too. For client connections.
