
    Firewalls, the good, the bad, and the ugly.

    Category: IT Discussion
    Tags: firewall, pfsense, asa, sonicwall, palo alto, security, ubnt, ubiquiti
    66 Posts 15 Posters 12.5k Views
    • bjB
      bj
      last edited by

      @scottalanmiller said in Firewalls, the good, the bad, and the ugly.:

      With rare exception, the only firewall I recommend is Ubiquiti.

      I haven't used Ubiquiti for firewalls before. Why such a high recommendation over the competition? What do you like about them?

      scottalanmillerS 1 Reply Last reply Reply Quote 0
      • scottalanmillerS
        scottalanmiller @bj
        last edited by

        @bj said in Firewalls, the good, the bad, and the ugly.:

        @scottalanmiller said in Firewalls, the good, the bad, and the ugly.:

        With rare exception, the only firewall I recommend is Ubiquiti.

        I haven't used Ubiquiti for firewalls before. Why such a high recommendation over the competition? What do you like about them?

        Higher quality, far better performance, tiny fraction of the price, more trustworthy vendor, open source... what's not to like? $100 for a unit that beats the pants off of a $3,000 ASA?

        1 Reply Last reply Reply Quote 2
        • scottalanmillerS
          scottalanmiller
          last edited by

          There are a number of issues. One is that low end "firewall" vendors are normally garbage. SonicWall, Fortinet, Cisco... they aren't just mediocre, they are actively bad. None of those would I do business with, literally, they aren't vendors I would work with. And their gear has all been problematic and their cost is outrageous.

          There are okay vendors in this space, but that's as good as they get. Ubiquiti and Palo Alto are really the only two stand out vendors, Ubiquiti in the firewall space and PA in the UTM space.

          1 Reply Last reply Reply Quote 3
          • bjB
            bj
            last edited by

            ASAs are highly overpriced. What about some of the other lower cost ones? In particular, SonicWall. Like @Tim_G, I've had fairly good experiences with SonicWall, even if they are a bit... simplistic?

            scottalanmillerS 1 Reply Last reply Reply Quote 0
            • scottalanmillerS
              scottalanmiller @bj
              last edited by

              @bj said in Firewalls, the good, the bad, and the ugly.:

              ASAs are highly overpriced. What about some of the other lower cost ones? In particular, SonicWall. Like @Tim_G, I've had fairly good experiences with SonicWall, even if they are a bit... simplistic?

              What's a "good" experience? We've found them to be buggy and temperamental and not cost effective. In IT, anything that isn't cost effective is a failure. Like an investment that loses money.

              1 Reply Last reply Reply Quote 2
              • scottalanmillerS
                scottalanmiller
                last edited by

                In the VoIP space, it's not uncommon to tell customers that it is cheaper to replace a SonicWall with a Ubiquiti to improve your network and fix issues than it is just to tweak the SW that is already there to get it to work. You can replace a SW for less than you can manage one.

                1 Reply Last reply Reply Quote 2
                • bjB
                  bj
                  last edited by

                  Interesting. I haven't had that experience, but I'm not particularly here to talk about my experiences so much as to hear other people's experiences. It sounds like you've had some rough run-ins with sonicwall, and that counts for something.

                  scottalanmillerS 1 Reply Last reply Reply Quote 0
                  • s.hacklemanS
                    s.hackleman
                    last edited by

                    I used to use Watchguard and was happy with the results, but somewhat pricey.

                    1 Reply Last reply Reply Quote 1
                    • scottalanmillerS
                      scottalanmiller @bj
                      last edited by

                      @bj said in Firewalls, the good, the bad, and the ugly.:

                      Interesting. I haven't had that experience, but I'm not particularly here to talk about my experiences so much as to hear other people's experiences. It sounds like you've had some rough run-ins with sonicwall, and that counts for something.

                      It's important to note that the run-ins are mostly because their defaults are broken for the VoIP space (they actually put in options that outright break VoIP traffic and turn them on by default!!) and I work in that space often, and the other major issues are in poor documentation and hidden features. SW isn't "bad", but since it costs more than Ubiquiti and doesn't work "as well", in business terms that's a failure.

                      That would be like if your Ford cost more than your Ferrari. It doesn't mean the Ford becomes worse, but at that price, it's insane to ever buy it and choosing it wouldn't be a good business option. It makes sense because it's cost effective.

                      1 Reply Last reply Reply Quote 2
                      • scottalanmillerS
                        scottalanmiller
                        last edited by

                        SW are problems often enough, though, that when talking to people with VoIP audio issues, the first question we always ask is "you have a SonicWall, don't you" and something like 90% of the time, VoIP networking issues have been because they used a SonicWall. And it's always fixable, but I don't trust their engineers as they're clearly not capable of handling the basics.

                        1 Reply Last reply Reply Quote 3
                        • bjB
                          bj
                          last edited by

                          So, I'm not familiar with Ubiquiti much... they seem fairly new to the scene. I was just reading up on them and came across this:
                          https://en.wikipedia.org/wiki/Ubiquiti_Networks
                          "In 2013, it was discovered that there was a security issue in the version of the U-Boot boot loader shipped on Ubiquiti's devices. It was possible to extract the plaintext configuration from the device without leaving a trace using Trivial File Transfer Protocol (TFTP) and an Ethernet cable, revealing information such as passwords.[4]

                          While this issue is fixed in current versions of Ubiquiti hardware, despite many requests and acknowledging that they are using this GPL-protected application, Ubiquiti refuses to provide the source code for the GNU General Public License (GPL)-licensed U-Boot.[5][6] This made it impossible (in practical terms) for Ubiquiti's customers to fix the issue."

                          Did you run into this? Was it as bad as it sounds?

                          travisdh1T 1 Reply Last reply Reply Quote 0
                          • JaredBuschJ
                            JaredBusch
                            last edited by JaredBusch

                            I hate having a UTM on my firewall.

                            If you want a UTM, then setup something inside your network and properly setup your workstations to proxy through it.

                            I also generally dislike UTM in the first place, but some people just have to have it.

                            My number one router recommendation for any SMB is the Ubiquiti EdgeMax Router LITE (ERL).

                            For people that absolutely require paying stupid money for UTM-esque features, I will tell them to go with WatchGuard, but I can also tell you I have zero clients that went that route.

                            bjB 1 Reply Last reply Reply Quote 1
                            • JaredBuschJ
                              JaredBusch
                              last edited by

                              @Mods please add tags.

                              1 Reply Last reply Reply Quote 0
                              • bjB
                                bj @JaredBusch
                                last edited by

                                @JaredBusch With a recommendation like that, I can't believe none of them chose UTM! 😛

                                JaredBuschJ 1 Reply Last reply Reply Quote 0
                                • bjB
                                  bj
                                  last edited by

                                  @JaredBusch, but I hear you. UTM definitely adds complications to the network, and with complication comes potential for problems.

                                  1 Reply Last reply Reply Quote 0
                                  • JaredBuschJ
                                    JaredBusch @bj
                                    last edited by gjacobse

                                    @bj said in Firewalls, the good, the bad, and the ugly.:

                                    @JaredBusch With a recommendation like that, I can't believe none of them chose UTM! 😛

                                    Clients get a client version of "that is a f***ing stupid idea"

                                    But you are posting here, so I assume that you are in IT and sugar coating shit among peers is one of the last things I do.

                                    1 Reply Last reply Reply Quote 2
                                    • bjB
                                      bj
                                      last edited by

                                      @JaredBusch, I appreciate that. I just thought it was funny.

                                      1 Reply Last reply Reply Quote 0
                                      • travisdh1T
                                        travisdh1 @bj
                                        last edited by

                                        @bj said in Firewalls, the good, the bad, and the ugly.:

                                        So, I'm not familiar with Ubiquiti much... they seem fairly new to the scene. I was just reading up on them and came across this:
                                        https://en.wikipedia.org/wiki/Ubiquiti_Networks
                                        "In 2013, it was discovered that there was a security issue in the version of the U-Boot boot loader shipped on Ubiquiti's devices. It was possible to extract the plaintext configuration from the device without leaving a trace using Trivial File Transfer Protocol (TFTP) and an Ethernet cable, revealing information such as passwords.[4]

                                        While this issue is fixed in current versions of Ubiquiti hardware, despite many requests and acknowledging that they are using this GPL-protected application, Ubiquiti refuses to provide the source code for the GNU General Public License (GPL)-licensed U-Boot.[5][6] This made it impossible (in practical terms) for Ubiquiti's customers to fix the issue."

                                        Did you run into this? Was it as bad as it sounds?

                                        Yes, they had a security issue on some stuff that was so old it wasn't supported anymore. Ubiquiti has been around for quite a while.

                                        JaredBuschJ 1 Reply Last reply Reply Quote 1
                                        • JaredBuschJ
                                          JaredBusch @travisdh1
                                          last edited by

                                          @travisdh1 said in Firewalls, the good, the bad, and the ugly.:

                                          @bj said in Firewalls, the good, the bad, and the ugly.:

                                          So, I'm not familiar with Ubiquiti much... they seem fairly new to the scene. I was just reading up on them and came across this:
                                          https://en.wikipedia.org/wiki/Ubiquiti_Networks
                                          "In 2013, it was discovered that there was a security issue in the version of the U-Boot boot loader shipped on Ubiquiti's devices. It was possible to extract the plaintext configuration from the device without leaving a trace using Trivial File Transfer Protocol (TFTP) and an Ethernet cable, revealing information such as passwords.[4]

                                          While this issue is fixed in current versions of Ubiquiti hardware, despite many requests and acknowledging that they are using this GPL-protected application, Ubiquiti refuses to provide the source code for the GNU General Public License (GPL)-licensed U-Boot.[5][6] This made it impossible (in practical terms) for Ubiquiti's customers to fix the issue."

                                          Did you run into this? Was it as bad as it sounds?

                                          Yes, they had a security issue on some stuff that was so old it wasn't supported anymore. Ubiquiti has been around for quite a while.

                                          Not exactly correct.

                                          Ubiquiti's issues revolved around their AirOS line of equipment. The EdgeMax line has never had any type of issue like that.

                                          I believe that AirOS was updated to a new version and all the problems relate to an older version for discontinued hardware that Ubiquiti refused to backport and continue to support.

                                          1 Reply Last reply Reply Quote 2
                                          • ObsolesceO
                                            Obsolesce
                                            last edited by

                                            I agree the Ubiquiti stuff is great for a basic firewall:

                                            https://dl.ubnt.com/guides/edgemax/EdgeOS_UG.pdf

                                            But if you want some of the advanced capabilities like gateway antivirus and such, SonicWALL has always been excellent in my own experience:

                                            https://www.sonicwall.com/products/nsa-4600/

                                            PenguinWranglerP 1 Reply Last reply Reply Quote 1