ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Arg! The money spent the month before I stated here.

    Scheduled Pinned Locked Moved IT Discussion
    119 Posts 9 Posters 8.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • scottalanmillerS
      scottalanmiller @wrx7m
      last edited by

      @wrx7m said in Arg! The money spent the month before I stated here.:

      I run a Sophos SG-210 here (for the past 2.5 years) and am gun shy on updates because I have seen them break more than they fix. I am seriously considering moving to ubnt next year. The interface on the 9.x UTM version is really easy to learn and use. I really only use a few features. Namely, the routing/firewall, gateway AV, proxy and IDS. I tried application control (for throttling Youtube) but it never worked correctly and that was when we only had a 10/10 Mbps connection. Now we have 150/150 so it is less of an issue.

      This is what I keep hearing... slow, expensive, and fragile.

      wrx7mW 1 Reply Last reply Reply Quote 1
      • wrx7mW
        wrx7m @scottalanmiller
        last edited by

        @scottalanmiller - Do the Ubiquiti Edge Routers have the network, host and service definitions approach to ACLs, like SonicWall, Sophos, etc?

        JaredBuschJ 1 Reply Last reply Reply Quote 0
        • JaredBuschJ
          JaredBusch @wrx7m
          last edited by

          @wrx7m said in Arg! The money spent the month before I stated here.:

          @scottalanmiller - Do the Ubiquiti Edge Routers have the network, host and service definitions approach to ACLs, like SonicWall, Sophos, etc?

          NO, because it is not a IDS/IPS/UTM device.

          wrx7mW 1 Reply Last reply Reply Quote 2
          • wrx7mW
            wrx7m @JaredBusch
            last edited by

            @jaredbusch - I didn't think that those key features made the difference in terms of user interface and usability.

            JaredBuschJ DashrenderD 2 Replies Last reply Reply Quote 0
            • JaredBuschJ
              JaredBusch @wrx7m
              last edited by

              @wrx7m said in Arg! The money spent the month before I stated here.:

              @jaredbusch - I didn't think that those key features made the difference in terms of user interface and usability.

              Key features? What key features? Those are fairly useless feature IMO.

              wrx7mW jmooreJ 2 Replies Last reply Reply Quote 1
              • DashrenderD
                Dashrender @wrx7m
                last edited by

                @wrx7m said in Arg! The money spent the month before I stated here.:

                @jaredbusch - I didn't think that those key features made the difference in terms of user interface and usability.

                Sure - but the definitions you listed do make a difference.

                i.e. Edge OS calls out ports and IPs, that's all.

                1 Reply Last reply Reply Quote 0
                • wrx7mW
                  wrx7m @JaredBusch
                  last edited by

                  @jaredbusch said in Arg! The money spent the month before I stated here.:

                  @wrx7m said in Arg! The money spent the month before I stated here.:

                  @jaredbusch - I didn't think that those key features made the difference in terms of user interface and usability.

                  Key features? What key features? Those are fairly useless feature IMO.

                  Only key in that you mentioned them, specifically, in response to my question.

                  JaredBuschJ 1 Reply Last reply Reply Quote 0
                  • JaredBuschJ
                    JaredBusch @wrx7m
                    last edited by

                    @wrx7m said in Arg! The money spent the month before I stated here.:

                    @jaredbusch said in Arg! The money spent the month before I stated here.:

                    @wrx7m said in Arg! The money spent the month before I stated here.:

                    @jaredbusch - I didn't think that those key features made the difference in terms of user interface and usability.

                    Key features? What key features? Those are fairly useless feature IMO.

                    Only key in that you mentioned them, specifically, in response to my question.

                    You named IDS/IPS/UTM devices and asked if Ubiquiti was feature parity. I said no.

                    wrx7mW 1 Reply Last reply Reply Quote 0
                    • wrx7mW
                      wrx7m @JaredBusch
                      last edited by

                      @jaredbusch Right but my question was related to ACLs, not IDS/IPS.

                      S JaredBuschJ 2 Replies Last reply Reply Quote 0
                      • jmooreJ
                        jmoore @JaredBusch
                        last edited by

                        @jaredbusch said in Arg! The money spent the month before I stated here.:

                        @wrx7m said in Arg! The money spent the month before I stated here.:

                        @jaredbusch - I didn't think that those key features made the difference in terms of user interface and usability.

                        Key features? What key features? Those are fairly useless feature IMO.

                        Those features were popular in older devices right but not really needed in modern ones correct?

                        1 Reply Last reply Reply Quote 0
                        • S
                          StorageNinja Vendor @wrx7m
                          last edited by

                          @wrx7m said in Arg! The money spent the month before I stated here.:

                          @jaredbusch Right but my question was related to ACLs, not IDS/IPS.

                          Did they have compliance requirements that would drive IDS/IPS? Honestly, I wouldn't deploy an office network without some sort of layer 7 edge inspection. Users are just too dumb...

                          wrx7mW travisdh1T 3 Replies Last reply Reply Quote -1
                          • wrx7mW
                            wrx7m @StorageNinja
                            last edited by wrx7m

                            @storageninja I don't have compliance requirements and I just asking about the definitions-based ACL because it makes sense and I prefer it over lines of IPs and networks.

                            1 Reply Last reply Reply Quote 0
                            • JaredBuschJ
                              JaredBusch @wrx7m
                              last edited by

                              @wrx7m said in Arg! The money spent the month before I stated here.:

                              @jaredbusch Right but my question was related to ACLs, not IDS/IPS.

                              Then you need to define what you are after. Of course the firewall uses rules. There is not a firewall in existence that does not.

                              Here are the firewall rules currently in my ERL at home.

                              jbusch@jared# show firewall 
                               all-ping enable
                               broadcast-ping disable
                               group {
                                   address-group Strongarm.io {
                                       address 54.174.40.213
                                       address 52.3.100.184
                                       description ""
                                   }
                               }
                               ipv6-receive-redirects disable
                               ipv6-src-route disable
                               ip-src-route disable
                               log-martians enable
                               name LAN_IN {
                                   default-action accept
                                   description "Wired and Wireless LAN to Internet"
                                   rule 2 {
                                       action reject
                                       description "Block Port 25"
                                       destination {
                                           port 25
                                       }
                                       log enable
                                       protocol tcp
                                   }
                               }
                               name LAN_LOCAL {
                                   default-action accept
                                   description "Wired and Wireless LAN to Router"
                               }
                               name WAN_IN {
                                   default-action drop
                                   description "WAN to internal"
                                   rule 10 {
                                       action accept
                                       description "Allow established/related"
                                       state {
                                           established enable
                                           related enable
                                       }
                                   }
                                   rule 20 {
                                       action drop
                                       description "Drop invalid state"
                                       state {
                                           invalid enable
                                       }
                                   }
                               }
                               name WAN_LOCAL {
                                   default-action drop
                                   description "WAN to router"
                                   rule 10 {
                                       action accept
                                       state {
                                           established enable
                                           related enable
                                       }
                                   }
                                   rule 20 {
                                       action drop
                                       log enable
                                       state {
                                           invalid enable
                                       }
                                   }
                                   rule 30 {
                                       action accept
                                       description "Allow Pings to Router"
                                       limit {
                                           burst 1
                                           rate 62/minute
                                       }
                                       log enable
                                       protocol icmp
                                   }
                                   rule 40 {
                                       action accept
                                       description "Allow IPSEC"
                                       ipsec {
                                           match-ipsec
                                       }
                                       log disable
                                       protocol all
                                       state {
                                           established disable
                                           invalid disable
                                           new enable
                                           related disable
                                       }
                                   }
                               }
                               name WAN_OUT {
                                   default-action accept
                                   description ""
                                   rule 1 {
                                       action accept
                                       description "Allows Strongarm.io DNS"
                                       destination {
                                           group {
                                               address-group Strongarm.io
                                           }
                                           port 53
                                       }
                                       log disable
                                       protocol udp
                                       state {
                                           established enable
                                           invalid disable
                                           new enable
                                           related disable
                                       }
                                   }
                                   rule 2 {
                                       action drop
                                       description "Block all DNS"
                                       destination {
                                           port 53
                                       }
                                       log enable
                                       protocol udp
                                       state {
                                           established enable
                                           invalid enable
                                           new enable
                                           related enable
                                       }
                                   }
                               }
                              
                              wrx7mW 1 Reply Last reply Reply Quote 1
                              • wrx7mW
                                wrx7m @JaredBusch
                                last edited by

                                @jaredbusch I know firewalls use rules. In Sophos and Sonicwall and others, I'm sure, you can define a host, network and service and call it something like ServerA and drag and drop the hosts/ip address, services and networks to create the rules.

                                JaredBuschJ S 2 Replies Last reply Reply Quote 0
                                • wrx7mW
                                  wrx7m @StorageNinja
                                  last edited by

                                  @storageninja said in Arg! The money spent the month before I stated here.:

                                  @wrx7m said in Arg! The money spent the month before I stated here.:

                                  @jaredbusch Right but my question was related to ACLs, not IDS/IPS.

                                  Did they have compliance requirements that would drive IDS/IPS? Honestly, I wouldn't deploy an office network without some sort of layer 7 edge inspection. Users are just too dumb...

                                  The modern argument against proxy and IDS/IPS is that you have to set it up so that your proxy device is the man in the middle and decrypts and encrypts everything again.

                                  scottalanmillerS 1 Reply Last reply Reply Quote 2
                                  • scottalanmillerS
                                    scottalanmiller @wrx7m
                                    last edited by

                                    @wrx7m said in Arg! The money spent the month before I stated here.:

                                    @storageninja said in Arg! The money spent the month before I stated here.:

                                    @wrx7m said in Arg! The money spent the month before I stated here.:

                                    @jaredbusch Right but my question was related to ACLs, not IDS/IPS.

                                    Did they have compliance requirements that would drive IDS/IPS? Honestly, I wouldn't deploy an office network without some sort of layer 7 edge inspection. Users are just too dumb...

                                    The modern argument against proxy and IDS/IPS is that you have to set it up so that your proxy device is the man in the middle and decrypts and encrypts everything again.

                                    That was an old argument, too 🙂

                                    wrx7mW 1 Reply Last reply Reply Quote 0
                                    • wrx7mW
                                      wrx7m @scottalanmiller
                                      last edited by

                                      @scottalanmiller Right, but now almost everything is HTTPS.

                                      scottalanmillerS S 2 Replies Last reply Reply Quote 0
                                      • travisdh1T
                                        travisdh1 @StorageNinja
                                        last edited by

                                        @storageninja said in Arg! The money spent the month before I stated here.:

                                        @wrx7m said in Arg! The money spent the month before I stated here.:

                                        @jaredbusch Right but my question was related to ACLs, not IDS/IPS.

                                        Did they have compliance requirements that would drive IDS/IPS? Honestly, I wouldn't deploy an office network without some sort of layer 7 edge inspection. Users are just too dumb...

                                        No compliance related things, yet at least.

                                        1 Reply Last reply Reply Quote 0
                                        • scottalanmillerS
                                          scottalanmiller @wrx7m
                                          last edited by

                                          @wrx7m said in Arg! The money spent the month before I stated here.:

                                          @scottalanmiller Right, but now almost everything is HTTPS.

                                          Oh, I see what you mean.

                                          1 Reply Last reply Reply Quote 0
                                          • JaredBuschJ
                                            JaredBusch @wrx7m
                                            last edited by

                                            @wrx7m said in Arg! The money spent the month before I stated here.:

                                            @jaredbusch I know firewalls use rules. In Sophos and Sonicwall and others, I'm sure, you can define a host, network and service and call it something like ServerA and drag and drop the hosts/ip address, services and networks to create the rules.

                                            An ACL provides rules applied to IP address and ports.

                                            What you are describing is not an ACL. It is a group or list of information applied to an ACL.

                                            In the VyOS/EdgeMax world, you can see an example in my router snippet above. I have a firewall group named Strongarm.io that is an address group of two addresses.

                                            That group is applied to rule 1 of ACL named WAN_OUT

                                            1 Reply Last reply Reply Quote 1
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 5
                                            • 6
                                            • 1 / 6
                                            • First post
                                              Last post