Ubiquiti USG-PRO-4
-
A firewall is not a UTM
-
No matter how "advanced" a firewall feature is, that would not suggest UTM. UTM is Layer 7 inspection and security. That's not what this does, this is a layer 4 device. I'm sure their advanced firewall features are just Cisco-like level firewall features as you would expect in an enterprise firewall.
-
@FATeknollogee said:
They sure do call it a firewall
No, they call it a router. They just say that their router also has firewall features. Semantics, but they are not promoting it as a special purpose firewall, it is a gateway router (edge router) just like Cisco, Juniper and similar have as their bread and butter devices. All routers have firewall features, but some are sold with the intent of being primarily firewalls (like home devices) and good ones are sold as routers because their purpose is the outer edge of an enterprise network (like rack mount Cisco, Juniper, AdTran, Ubiquiti, etc.)
-
That's why I was asking if it had some "UTM" vs being a straight up firewall
-
@FATeknollogee said:
That's why I was asking if it had some "UTM" vs being a straight up firewall
It's a standard router. It's in no way a UTM. It just has the firewall features and exposure of them for control that are intrinsic to the way that a router works.
-
So... "not a UTM" should always translate into "exactly the device that you want." Definitely once you get to a product range like this, UTMs are a thing of the past. With rare exception, UTMs are little company products. Enterprises use enterprise routers, like this, on their network edge.
-
That baby does L3 routing at 4Gb/s wire speed. This is not a system that is playing around.
-
For folks that use this as an "edge" device, what else do you have downstream for "UTM" (using this term loosely) or "protection"?
-
@scottalanmiller said:
That baby does L3 routing at 4Gb/s wire speed. This is not a system that is playing around.
You're saying this USG-PRO-4 performs real good (that might be incorrect grammar)
-
@FATeknollogee said:
For folks that use this as an "edge" device, what else do you have downstream for "UTM" (using this term loosely) or "protection"?
Generally, nothing. UTM devices are mostly hype. Some really high end ones, like Palo Alto, are quite good. But they are incredibly costly to be able to do that. It requires a lot of special software and tons of blazing fast hardware to inspect a serious WAN connection in real time.
What UTM features are you seeking? On the fly malware detection is awesome, but I've never heard of it protecting someone. AV on individual machines is the normal approach.
-
@FATeknollogee said:
You're saying this USG-PRO-4 performs real good (that might be incorrect grammar)
Performs really well, yes. Ubiquiti's claim to fame is their incredibly high throughput. Their $100 starter router is faster than a $3,000 Cisco while having more features.
-
@FATeknollogee said:
For folks that use this as an "edge" device, what else do you have downstream for "UTM" (using this term loosely) or "protection"?
What features are you looking for? There are tons of options for website filtering and proxy services.
-
@scottalanmiller said:
@FATeknollogee said:
For folks that use this as an "edge" device, what else do you have downstream for "UTM" (using this term loosely) or "protection"?
Generally, nothing. UTM devices are mostly hype. Some really high end ones, like Palo Alto, are quite good. But they are incredibly costly to be able to do that. It requires a lot of special software and tons of blazing fast hardware to inspect a serious WAN connection in real time.
What UTM features are you seeking? On the fly malware detection is awesome, but I've never heard of it protecting someone. AV on individual machines is the normal approach.
Was just trying to feel the "temperature" of what folks are using.
Like you said, this box on the edge + AV (at the client) should be sufficient
-
@coliver said:
@FATeknollogee said:
For folks that use this as an "edge" device, what else do you have downstream for "UTM" (using this term loosely) or "protection"?
What features are you looking for? There are tons of options for website filtering and proxy services.
AV protection / Content filtering
-
@FATeknollogee said:
Was just trying to feel the "temperature" of what folks are using.
AV on boxes is the big one. If you need web security then a "post firewall" web proxy and filter would be good, this could be Squid, Websense or something like that.
Email we have filtered by the email host, so those UTM features are unique to shops running email in house and not having external filtering, which is not advised; even for people who need on premises email, the filtering should be hosted.
Anyone who makes a good UTM will make an even better non-UTM where the firewall sits beyond it and it does additional inspection inside of the network. But pretty much my rule of thumb is... if you aren't putting in Palo Alto, don't waste your time. Most everything less than that is not worthwhile and will just add complications and cost without real benefit.
-
@FATeknollogee said:
@coliver said:
@FATeknollogee said:
For folks that use this as an "edge" device, what else do you have downstream for "UTM" (using this term loosely) or "protection"?
What features are you looking for? There are tons of options for website filtering and proxy services.
AV protection / Content filtering
Squid Proxy, Websense, DansGuardian. Run these on their own VM and you can tune them to meet your performance requirements, this is much harder when running a UTM as you are limited by the hardware and artificial vendor limitations.
-
@FATeknollogee said:
AV protection / Content filtering
Yup. AV at the firewall is definitely nice but nearly impossible to do well. It has to be so fast or else it causes a major problem. We've seen 100Mb/s lines drop to 5Mb/s from trying to use a UTM on it.
Content Filtering, which I often advise to very carefully consider if it is going to be actually valuable or not, is far better handled by a dedicated device. I've been doing web filtering since the mid-1990s as it was one of my foci when I studied for my Windows certs and we even ran it in house (meaning in MY HOUSE) and loved it. But you don't want it in a UTM, to do it well you need a lot of flexibility, tons of speed, total control and you will want to cache like crazy which is something UTMs cannot do well due to hardware limitations.
-
@coliver said:
@FATeknollogee said:
@coliver said:
@FATeknollogee said:
For folks that use this as an "edge" device, what else do you have downstream for "UTM" (using this term loosely) or "protection"?
What features are you looking for? There are tons of options for website filtering and proxy services.
AV protection / Content filtering
Squid Proxy, Websense, DansGuardian. Run these on their own VM and you can tune them to meet your performance requirements, this is much harder when running a UTM as you are limited by the hardware and artificial vendor limitations.
Add SSDs, aggressive caches, lots of memory and for less cost than a UTM you can accelerate a lot of the web content to GigE speeds, too!
-
I'm not sure about AV protection. You will catch most of that with a Squid Proxy/content filter; I'm not sure how you would go about it without impacting the speed of traffic.
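The "post firewall" proxy and filter that several posts above describe (Squid on its own VM, behind the router, with a large cache and a domain blocklist) looks roughly like the following squid.conf. This is an added example, not configuration from any poster or from Ubiquiti; the directives are standard Squid ones, but the sizes, the 10.0.0.0/8 client range and the /etc/squid/blocked-domains.txt path are assumptions to be adjusted for the site, and `aufs` requires a Squid build with that store type (`ufs` works everywhere).

```conf
# Example squid.conf (added illustration, not from the thread).
# Squid sits inside the network, behind the router/firewall; the USG only
# sees TCP flows to port 3128, Squid sees the HTTP requests themselves.
http_port 3128

# --- Caching: this is the part a UTM appliance cannot do well ---
# Hot, small objects are served from RAM; large objects go to disk.
# This answers the "how disk sensitive is it?" question: most hits never
# touch disk if cache_mem is sized generously.
cache_mem 4096 MB                       # assumption: VM has ~8 GB RAM
maximum_object_size_in_memory 512 KB
cache_dir aufs /var/spool/squid 100000 16 256   # ~100 GB on the SSD
maximum_object_size 1 GB
cache_replacement_policy heap LFUDA     # keep large, popular objects on disk
memory_replacement_policy heap GDSF     # keep small, popular objects in RAM

# Aggressive refresh rules for static content (min, percent, max in minutes)
refresh_pattern -i \.(jpg|jpeg|png|gif|css|js|woff2?)$ 1440 80% 43200
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern . 0 20% 4320

# --- Content filtering (the "Websense/DansGuardian" role) ---
# One domain per line; a leading dot matches all subdomains, e.g. ".example.com"
acl blocked_domains dstdomain "/etc/squid/blocked-domains.txt"

# --- Access control ---
acl localnet src 10.0.0.0/8             # assumption: internal client range
acl Safe_ports port 80 443
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny blocked_domains        # applies to CONNECT too (hostname is visible)
http_access allow localnet
http_access deny all
```

Two caveats a practitioner should expect: without SSL interception ("ssl-bump"), HTTPS responses are tunnelled through CONNECT and are neither cached nor inspected, so only the domain-level block applies to them; and the speed benefit only materialises if the disk behind `cache_dir` is fast and `cache_mem` is large enough that the working set stays in memory, which is exactly the hardware flexibility the posts above say a UTM appliance lacks.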
-
@scottalanmiller said:
@coliver said:
@FATeknollogee said:
@coliver said:
@FATeknollogee said:
For folks that use this as an "edge" device, what else do you have downstream for "UTM" (using this term loosely) or "protection"?
What features are you looking for? There are tons of options for website filtering and proxy services.
AV protection / Content filtering
Squid Proxy, Websense, DansGuardian. Run these on their own VM and you can tune them to meet your performance requirements, this is much harder when running a UTM as you are limited by the hardware and artificial vendor limitations.
Add SSDs, aggressive caches, lots of memory and for less cost than a UTM you can accelerate a lot of the web content to GigE speeds, too!
How much of that is disk sensitive? My guess is that the processor and memory would be doing 99% of the work. Or does it do a lookup to disk whenever a request comes in?