UniFi Home Lab vs Campus

dafyre

We have filtering here, but it's pretty much wide open except for a few specific things.

We do have some mighty loose traffic shaping happening here at my current job.

coliver

@dustinb3403 said in UniFi Home Lab vs Campus:

@dafyre said in UniFi Home Lab vs Campus:

I do think that on a college campus, at minimum, Layer 7 (Application) filtering is necessary to keep students from using all the bandwidth for torrents instead of legitimate educational things... Like Netflix, Youtube, and Online Gaming.

In SUNY schools in NY they legally weren't (may still be in effect) allowed to limit what the students use the internet for. Being paid for by tax dollars and all. . .

That is... for the most part correct. We don't really do any filtering outside of known malicious sites.

DustinB3403

@scottalanmiller said in UniFi Home Lab vs Campus:

@dustinb3403 said in UniFi Home Lab vs Campus:

@dafyre said in UniFi Home Lab vs Campus:

I do think that on a college campus, at minimum, Layer 7 (Application) filtering is necessary to keep students from using all the bandwidth for torrents instead of legitimate educational things... Like Netflix, Youtube, and Online Gaming.

In SUNY schools in NY they legally weren't (may still be in effect) allowed to limit what the students use the internet for. Being paid for by tax dollars and all. . .

Good point. Net neutrality and all that.

Yea at the time I didn't think anything about it, this was ~2005 so it very well could've been. . . I think it was more tied to state law about the use of taxpayer money for college and some odd set of rules.

DustinB3403

@coliver said in UniFi Home Lab vs Campus:

@dustinb3403 said in UniFi Home Lab vs Campus:

@dafyre said in UniFi Home Lab vs Campus:

I do think that on a college campus, at minimum, Layer 7 (Application) filtering is necessary to keep students from using all the bandwidth for torrents instead of legitimate educational things... Like Netflix, Youtube, and Online Gaming.

In SUNY schools in NY they legally weren't (may still be in effect) allowed to limit what the students use the internet for. Being paid for by tax dollars and all. . .

That is... for the most part correct. We don't really do any filtering outside of known malicious sites.

Legal use simply put, wasn't blocked. Malicious content (virus etc) was of course.

scottalanmiller

@dustinb3403 said in UniFi Home Lab vs Campus:

@coliver said in UniFi Home Lab vs Campus:

@dustinb3403 said in UniFi Home Lab vs Campus:

@dafyre said in UniFi Home Lab vs Campus:

I do think that on a college campus, at minimum, Layer 7 (Application) filtering is necessary to keep students from using all the bandwidth for torrents instead of legitimate educational things... Like Netflix, Youtube, and Online Gaming.

In SUNY schools in NY they legally weren't (may still be in effect) allowed to limit what the students use the internet for. Being paid for by tax dollars and all. . .

That is... for the most part correct. We don't really do any filtering outside of known malicious sites.

Legal use simply put, wasn't blocked. Malicious content (virus etc) was of course.

Right, there is a simply line there.

DustinB3403

The big reason I remember this as "being the way things were" was a buddy who lived at the on-campus SUNY dorms got a letter asking his flat to stop downloading so much and some laws about it. Simply asked that "they" reduce their usage, but that they couldn't actually do anything legally to stop him.

That is until his dorm-mate started torrenting movies. . .

Then they stepped in.

dafyre

@dustinb3403 said in UniFi Home Lab vs Campus:

The big reason I remember this as "being the way things were" was a buddy who lived at the on-campus SUNY dorms got a letter asking his flat to stop downloading so much and some laws about it. Simply asked that "they" reduce their usage, but that they couldn't actually do anything legally to stop him.

That is until his dorm-mate started torrenting movies. . .

Then they stepped in.

Yepp. We get 3 or 4 notices a week with DCMAs and threats of legal actions if we don't stop the devices from downloading illegal movies.... Networking guys step in and educate user before allowing their devices back online.

StorageNinja

@markferron said in UniFi Home Lab vs Campus:

@dustinb3403 Awesome, thank you very much. Our current security gateway, Meraki MX400, was going to be changed out but the costs of license renewal is far cheaper than purchasing the Palo Alto I was looking at , bummer.

You looked at running PA in a VM? It's a lot cheaper.

scottalanmiller

@storageninja said in UniFi Home Lab vs Campus:

@markferron said in UniFi Home Lab vs Campus:

@dustinb3403 Awesome, thank you very much. Our current security gateway, Meraki MX400, was going to be changed out but the costs of license renewal is far cheaper than purchasing the Palo Alto I was looking at , bummer.

You looked at running PA in a VM? It's a lot cheaper.

Also a much better design! Enterprise security, rather than UTM.

Markferron

You looked at running PA in a VM? It's a lot cheaper.

No I haven't! But I will now. Thanks.

scottalanmiller

@markferron said in UniFi Home Lab vs Campus:

You looked at running PA in a VM? It's a lot cheaper.

No I haven't! But I will now. Thanks.

This is essentially what @JaredBusch and I are always recommending. Sure, we might be a little more cautious about whether you need all this layer 7 stuff or not, is it really necessary. But neither of us is saying that it's a bad idea, the thing that we keep harping on as a ridiculous near-"scam" level problem is the UTM model of shoving all these services into the firewall where they do not belong because it is a risk and expensive and violates very basic best practices that have been around for forever. It's the Windows SBS model taken to networking.

dafyre

@scottalanmiller said in UniFi Home Lab vs Campus:

@markferron said in UniFi Home Lab vs Campus:

You looked at running PA in a VM? It's a lot cheaper.

No I haven't! But I will now. Thanks.

This is essentially what @JaredBusch and I are always recommending. Sure, we might be a little more cautious about whether you need all this layer 7 stuff or not, is it really necessary. But neither of us is saying that it's a bad idea, the thing that we keep harping on as a ridiculous near-"scam" level problem is the UTM model of shoving all these services into the firewall where they do not belong because it is a risk and expensive and violates very basic best practices that have been around for forever. It's the Windows SBS model taken to networking.

Would it be worth taking a look at running a UBNT Router and a separate device for Application Filtering?

scottalanmiller

@dafyre said in UniFi Home Lab vs Campus:

@scottalanmiller said in UniFi Home Lab vs Campus:

@markferron said in UniFi Home Lab vs Campus:

You looked at running PA in a VM? It's a lot cheaper.

No I haven't! But I will now. Thanks.

This is essentially what @JaredBusch and I are always recommending. Sure, we might be a little more cautious about whether you need all this layer 7 stuff or not, is it really necessary. But neither of us is saying that it's a bad idea, the thing that we keep harping on as a ridiculous near-"scam" level problem is the UTM model of shoving all these services into the firewall where they do not belong because it is a risk and expensive and violates very basic best practices that have been around for forever. It's the Windows SBS model taken to networking.

Would it be worth taking a look at running a UBNT Router and a separate device for Application Filtering?

There are two scenarios that cover 99% of cases. One is "it's not worth doing anything at layer 7", the other is "layer 7 is needed so we need a separate device for application filtering." The thing that essentially never makes sense is the UTM where you do "security badly". Bad security isn't security.