    Firewalls, the good, the bad, and the ugly.

IT Discussion
Tags: firewall, pfsense, asa, sonicwall, palo alto, security, ubnt, ubiquiti
    66 Posts 15 Posters 12.5k Views
Obsolesce:

I agree the Ubiquiti stuff is great for a basic firewall:

https://dl.ubnt.com/guides/edgemax/EdgeOS_UG.pdf

But if you want some of the advanced capabilities like gateway antivirus and such, SonicWALL has always been excellent in my own experience:

https://www.sonicwall.com/products/nsa-4600/

dbeato @bj:

@bj said in Firewalls, the good, the bad, and the ugly.:

h security and high availability are important to us, but of course cost is always a consideration as well. What would you choose?

What are your security requirements? I have been a big proponent of SonicWALLs as I use them a lot and they have been great for me. I do have to agree in terms of the VoIP: "Enable Consistent NAT" not being checked on the SonicWALL and the UDP timeout being 30 seconds by default cause problems with calls.

I use the Security Gateway Service subscription for GAV, Content Filtering and App Control. You can do DPI-SSL and so forth, but again that all depends on the security requirements.

bj:

I haven't spoken with management about the layer 7 security features that can be had on firewalls yet. The device we are moving away from (pfSense) is essentially a layer 4 device. So far the requirements we have talked about have been around reliability and HA. Though I know that security is important to them, I wasn't planning on getting into the details about the security features of layer 7 firewalls until I had proposals to put in front of them (though I have mentioned one cool feature the PAs have). Right now, I'm trying to decide which firewalls to include in that round-up. At the moment, from what I've heard here, we'll probably be talking about SW, Ubiquiti, and PA. My experience with SW has been like yours. Yes, you do have to change some settings to configure them right, but once in place, they've been fairly stable for me. On the other hand, if Ubiquiti has a good firewall, I'm open to that possibility as well. And if we can spend the money for it, the PAs definitely get my vote.

bj:

@Tim_G, @scottalanmiller, looking at their website, it looks like Ubiquiti doesn't offer any NGFW features like DPI or filtering. Is that correct? Or am I missing something? (Not that that would rule them out, just making sure I know what they are.)

bigbear @bj:

I gotta ask.... Has anyone ever even heard about a major virus that spread through the internet, attacking and penetrating your everyday routers and basic firewalls? And DPI/SPI is not worth much if you aren't configuring your router to do anything with that info.

Let your firewall/router do its job, and if you need more features it falls to a proxy server or outside service like Webroot.

I much preferred m0n0wall to pfSense, but since Manuel is busy doing other things everyone had to move to pfSense. I disagreed that the project had run its course.

A Palo Alto device is not for you if you are posting these kinds of questions. And that's not a slight to you. PA customers have specific issues (like being targeted for attack) that brought them to pay that sticker price.

SonicWALL MAYBE was a good option 10 years ago. 99% of your SonicWALL guys use it because they have been using it for 10+ years and you can't really argue with them about it. It's familiar, but it offers zero real benefits over a Ubiquiti EdgeMax.

Your Ubiquiti USG can tie into a UniFi controller you could host on Vultr, so you get a self-hosted Meraki experience. Last I evaluated, USG had some bugs vs EdgeMax, so I can only speak to the latter. I would assume those issues are resolved by now. @scottalanmiller or @JaredBusch would know.

JaredBusch @bigbear:

@bigbear I only have a single USG in the wild. It is not a device I would actually deploy to most places.

The one I have out there is in a very small stand-alone business. The USG runs EdgeOS under the hood, but you have no direct access to it. It only works through the Controller. Specific customization can only be done by creating a special text file and putting it in a specific location.

scottalanmiller @bj:

@bj said in Firewalls, the good, the bad, and the ugly.:

I haven't spoken with management about the layer 7 security features that can be had on firewalls yet. The device we are moving away from (pfSense) is essentially a layer 4 device. So far the requirements we have talked about have been around reliability and HA. Though I know that security is important to them, I wasn't planning on getting into the details about the security features of layer 7 firewalls until I had proposals to put in front of them (though I have mentioned one cool feature the PAs have). Right now, I'm trying to decide which firewalls to include in that round-up. At the moment, from what I've heard here, we'll probably be talking about SW, Ubiquiti, and PA. My experience with SW has been like yours. Yes, you do have to change some settings to configure them right, but once in place, they've been fairly stable for me. On the other hand, if Ubiquiti has a good firewall, I'm open to that possibility as well. And if we can spend the money for it, the PAs definitely get my vote.

That's kind of how I work. If I need a UTM, get PA. If you don't need a UTM, get Ubiquiti.

scottalanmiller @bj:

@bj said in Firewalls, the good, the bad, and the ugly.:

@Tim_G, @scottalanmiller, looking at their website, it looks like Ubiquiti doesn't offer any NGFW features like DPI or filtering. Is that correct? Or am I missing something? (Not that that would rule them out, just making sure I know what they are.)

No, it is just a firewall, not a UTM.

bj:

Cool. We'll definitely consider them. I appreciate your recommendations.

And @bigbear, thanks for that... um... "not slight". 😉 I'm not going into this blind. I've used PA, ASA, and SW before (but not all very recently). I recognize that asking questions like this can make me come off as a noob, but that I am not. I do like having a forum where I can bounce ideas off others. Unlike some of you, I don't interact a ton with other IT professionals (my current company only has one other guy), and so sometimes I feel a little siloed. As such, I came here to get some feedback on decisions I have to make that will have a lasting effect on the company I work for. Please don't assume that because I seek and value your opinions that I lack in experience. I just like to make sure I have good information before I jump all in. Thanks.

dbeato @scottalanmiller:

@scottalanmiller Ubiquiti does have DPI but not DPI-SSL 🙂
https://help.ubnt.com/hc/en-us/articles/204951104-EdgeRouter-Deep-Packet-Inspection-Engine-for-EdgeRouter

JaredBusch @dbeato:

@dbeato said in Firewalls, the good, the bad, and the ugly.:

@scottalanmiller Ubiquiti does have DPI but not DPI-SSL 🙂
https://help.ubnt.com/hc/en-us/articles/204951104-EdgeRouter-Deep-Packet-Inspection-Engine-for-EdgeRouter

This type of DPI is for reference; this is not for UTM.
Any device that sees packets can look at them if so desired.

scottalanmiller @bj:

@bj said in Firewalls, the good, the bad, and the ugly.:

Unlike some of you, I don't interact a ton with other IT professionals (my current company only has one other guy), and so sometimes I feel a little siloed.

I'm the outlier here. Most everyone here only runs into loads of IT pros here or in similar forums. The majority here don't work with lots of others in the technical arena. So you are in good company.

bigbear @bj:

@bj yeah, it's just that you didn't list anything specific that would make me think Palo Alto would bring anything to the table for you. They will still sell you.

I read it and added that, maybe still didn't come off right. You're here on MangoLassi so everyone expects a certain level of competence 🙂 On my first post I got a little butt hurt over @JaredBusch, but now I prefer it.

I'm at the point where I would believe more in a firewall + hosted security service like Webroot. But I don't deal with anything outside of connectivity and backend network stuff on a daily basis.

scottalanmiller @bigbear:

@bigbear said in Firewalls, the good, the bad, and the ugly.:

I read it and added that, maybe still didn't come off right. You're here on MangoLassi so everyone expects a certain level of competence 🙂 On my first post I got a little butt hurt over @JaredBusch, but now I prefer it.

LOL, it's true though.

JaredBusch @scottalanmiller:

@scottalanmiller said in Firewalls, the good, the bad, and the ugly.:

@bigbear said in Firewalls, the good, the bad, and the ugly.:

I read it and added that, maybe still didn't come off right. You're here on MangoLassi so everyone expects a certain level of competence 🙂 On my first post I got a little butt hurt over @JaredBusch, but now I prefer it.

LOL, it's true though.

For the record, I went back through your profile (thank god you only have 250ish posts) and found your first post. It was not that one. I do recall the thread, but I would have to spend more time digging through your profile to find the thread in question.

bj:

@bigbear, no worries, I understood what you were trying to say. I just wanted to clarify why I was asking. The only firewalls that we've spoken about here that I haven't had experience with are the Ubiquitis, and honestly, I hadn't even heard of them until this conversation. But that's precisely why I wanted to have this conversation. I wanted to hear what I didn't know, and I did.

In regards to PAs, there were a few features I really liked when I used them. 1) The applications. I loved how the PAs could detect if somebody was trying to pass traffic through a port that wasn't what the port was opened for. No, I personally haven't seen that stop any huge threats, but it at least closed a theoretical gap in firewall logic for me: I may open up certain ports on the firewalls, but I have no guarantee that what I'm opening them for is what they will be used for. 2) The stats page is really quite impressive. I love that I can see what traffic is going to China, etc. This type of information, if regularly monitored, could easily help identify traffic that is out of the norm. No, it isn't the only place you could get that type of information, but we didn't have anything else set up for that, so for us it was. And 3) The config audit is very nice. I love being able to look back in the config to find who changed a certain setting and when. It's always been a pet peeve of mine when I know I didn't change something on the firewall, and I don't know who to ask about it. And sometimes, everyone denies it anyway. It's great to be able to pin down a change to a person and a time. It really makes the firewall audits required by PCI a lot easier too. If nothing has changed, you can prove it, and you don't have to look through every single setting, just in case. Or if only one setting was changed, you can see that, and then you are done. It made auditing easy.

I don't know how the Ubiquitis do on those features, but I know the SWs certainly don't do well on those features. My last job had the duty of auditing firewalls, and I had to audit both PAs and SWs... I hated auditing the SWs, but the PAs were really quite easy to audit. 🙂 The SWs didn't even have a human-readable config. I found some tools to make the config quasi-readable... but even then, it was difficult to read at best.

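What bj describes in point 1 is application identification: checking that the bytes flowing over an opened port are actually the application the port was opened for, rather than trusting the port number. The Python below is an added example written for this thread, not code from Palo Alto, Ubiquiti or any poster. It uses a constructed port policy and constructed flow samples, and it recognises only TLS, SSH and HTTP from the first client bytes of a flow, which is enough to show how a port-versus-application mismatch turns into an audit finding (a real engine carries hundreds of signatures and keeps decoding past the first packet).

```python
"""Port-versus-application mismatch check (added example, constructed data)."""
from dataclasses import dataclass

# Constructed policy: the application each allowed port was opened for.
POLICY = {443: "tls", 80: "http", 22: "ssh"}


@dataclass
class Flow:
    src: str
    dst_port: int
    payload: bytes  # first client-to-server bytes of the flow (constructed)


def identify(payload: bytes) -> str:
    """Heuristic application identification from the first payload bytes.

    Only three applications are recognised here; a production engine keeps
    many signatures and also follows the stream beyond the first packet.
    """
    # TLS: record type 22 (handshake), version 3.x, handshake type 1 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    # SSH: the protocol version exchange always starts with "SSH-"
    if payload.startswith(b"SSH-"):
        return "ssh"
    # HTTP: the request line begins with a method token followed by a space
    method = payload.split(b" ", 1)[0]
    if method in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT"):
        return "http"
    return "unknown"


def audit(flows):
    """Return (src, dst_port, reason) for every flow that breaks the policy."""
    findings = []
    for f in flows:
        expected = POLICY.get(f.dst_port)
        if expected is None:
            findings.append((f.src, f.dst_port, "port not in policy"))
            continue
        seen = identify(f.payload)
        if seen != expected:
            findings.append((f.src, f.dst_port, f"expected {expected}, saw {seen}"))
    return findings


# Constructed sample flows: a genuine ClientHello on 443, an SSH banner on 443
# (the "wrong application on an opened port" case bj describes), a normal HTTP
# request on 80, and an HTTP request to a port the policy never opened.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 443, bytes.fromhex("160301006a010000660303") + b"\x00" * 32),
    Flow("10.0.0.7", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("10.0.0.9", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Flow("10.0.0.11", 8080, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for src, port, reason in audit(SAMPLE_FLOWS):
        print(f"{src} -> tcp/{port}: {reason}")
```

Run it as a script and the two policy violations are printed; the point of the design is that `audit` never trusts `dst_port` alone, so a rule opened for HTTPS does not silently admit SSH.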
scottalanmiller @bj:

@bj said in Firewalls, the good, the bad, and the ugly.:

I don't know how the Ubiquitis do on those features, but I know the SWs certainly don't do well on those features.

Ubiquitis are firewalls, not UTMs; they are not supposed to have those features.

scottalanmiller @bj:

@bj said in Firewalls, the good, the bad, and the ugly.:

My last job had the duty of auditing firewalls, and I had to audit both PAs and SWs... I hated auditing the SWs, but the PAs were really quite easy to audit. 🙂 The SWs didn't even have a human readable config. I found some tools to make the config quasi readable... but even then, it was difficult to read at best.

Ubiquiti runs EdgeOS which was forked from Vyatta which is the Brocade code base. I've always found the Vyatta family configs (Vyatta, EdgeOS and VyOS) pretty easy to read.

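bj's point 3 (pinning a config change to a person and a time for a PCI audit) and scottalanmiller's remark that Vyatta-family configs are readable fit together: a text config that nests settings in braces can be flattened, diffed between two snapshots, and lined up against a commit log. The Python below is an added example for this thread, not Ubiquiti's code and not a tool any poster mentioned. Both config snapshots and the commit log are constructed; the snapshots use the brace-nested Vyatta/EdgeOS configuration syntax, and the commit log is a plain list of (timestamp, user, comment) records standing in for whatever the device actually records.

```python
"""Config change audit over two constructed Vyatta/EdgeOS-style snapshots
(added example; not Ubiquiti's code and not a tool from the thread)."""


def flatten(text: str) -> dict:
    """Flatten a brace-nested config into {"path of keys": "value"}.

    'firewall { name WAN_IN { rule 10 { action accept } } }' becomes
    {"firewall name WAN_IN rule 10 action": "accept"}.
    """
    flat = {}
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(line[:-1].strip())
        else:
            key, _, value = line.partition(" ")
            flat[" ".join(stack + [key])] = value
    return flat


def diff(old: str, new: str) -> list:
    """Return (path, old_value, new_value) for every setting that differs."""
    a, b = flatten(old), flatten(new)
    return [(p, a.get(p), b.get(p)) for p in sorted(set(a) | set(b)) if a.get(p) != b.get(p)]


def commits_between(log, since: str, until: str) -> list:
    """Commit records with timestamp in (since, until]; ISO-8601 strings compare as text."""
    return [c for c in log if since < c[0] <= until]


# Constructed snapshots of a WAN_IN ruleset in Vyatta/EdgeOS configuration syntax.
SNAPSHOT_OLD = """
firewall {
    name WAN_IN {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
}
"""
SNAPSHOT_NEW = """
firewall {
    name WAN_IN {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            destination {
                port 3389
            }
            protocol tcp
        }
    }
}
"""
# Constructed commit log: (timestamp, user, comment). For this example the
# snapshots were taken at 2018-03-01T12:00:00 and 2018-03-15T12:00:00.
COMMIT_LOG = [
    ("2018-03-01T09:00:00", "alice", "initial WAN_IN policy"),
    ("2018-03-14T22:41:00", "bob", "temporary RDP allow"),
]


def audit_report(old: str, new: str, log, since: str, until: str) -> dict:
    """Pair every changed setting with the commits that could have made it."""
    return {"changes": diff(old, new), "commits": commits_between(log, since, until)}


if __name__ == "__main__":
    report = audit_report(SNAPSHOT_OLD, SNAPSHOT_NEW, COMMIT_LOG,
                          "2018-03-01T12:00:00", "2018-03-15T12:00:00")
    for path, before, after in report["changes"]:
        print(f"{path}: {before!r} -> {after!r}")
    for ts, user, comment in report["commits"]:
        print(f"by {user} at {ts}: {comment}")
```

An unchanged ruleset produces an empty change list, which is exactly the "nothing changed, and you can prove it" case bj wants for an audit; when something did change, the new rule 20 shows up as three flattened paths and the one commit in the window names who to ask.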
JaredBusch @bj:

@bj you need to figure out what you want. You are talking about complete opposite ends of the spectrum (PA and SW UTM) and actually asked about something (firewalls) completely not what you are talking about.

You asked for firewall information. You were given some.

But you are repeatedly ignoring everything said and talking about UTM devices. UTM devices are not firewalls. They are UTM devices. Yes, a UTM device includes a firewall as part of the overall device, but it is only there as part of the UTM. It is not designed to stand on its own as a FW (though it can, of course).

On top of talking about something other than what you asked about, you are also talking about things on two completely opposite ends of the spectrum. More than one person here has clearly told you that PA devices are awesome, but belong in a very small market.
What they are nicely saying is that if you have to ask the question, then you don't need the damned thing.

Now if you really do need a PA, then you should not even be considering a SW. They absolutely cannot come close to the quality and features of a PA.

Finally, if you want to talk about UTM solutions instead of firewalls, then retitle your post or make a new one.

bj:

Thanks @JaredBusch for your concern. I think I've got what I came here for. And no, I'm not ignoring you, or anyone else.

All the best.
