Firewalls, the good, the bad, and the ugly.
-
@bigbear I only have a single USG in the wild. It is not a device I would actually deploy to most places.
The one I have out there is in a very small stand alone business. The USG runs EdgeOS under the hood, but you have no direct access to it. It onyl works through the Controller. Specific customization can only be done by creating a special text file and putting it in a specific location.
-
@bj said in Firewalls, the good, the bad, and the ugly.:
I haven't spoken with management about the layer 7 security features that can be had on firewalls yet. The device we are moving away from (pfSense) is essentially a layer 4 device. So far the requirements we have talked about have been around reliability and HA. Though, I know that security is important to them, I wasn't planning on getting into the details about the security features of layer 7 firewalls until I had proposals to put in front of them (though I have mentioned one cool feature the PAs have). Right now, I'm trying to decide which firewalls to include in that round-up. At the moment, from what I've heard here, we'll probably be talking about SW, Ubiquity, and PA. My experience with SW has been like yours. Yes, you do have to change some settings to configure them right, but once in place, they've been fairly stable for me. On the other hand, if Ubiquity has a good firewall, I'm open to that possibility as well. And if we can spend the money for it, the PAs definitely get my vote.
That's kind of how I work. If I need a UTM, get PA. If you don't need a UTM, get Ubiquiti.
-
@bj said in Firewalls, the good, the bad, and the ugly.:
@Tim_G, @scottalanmiller, looking at their website, it looks like Ubiquity doesn't offer any NGFW features like DPI or filtering. Is that correct? Or am I missing something? (Not that that would rule them out, just making sure I know what they are.)
No, it is just a firewall, not a UTM.
-
Cool. We'll definitely consider them. I appreciate your recommendations.
And @bigbear, thanks for that... um... "not slight". I'm not going into this blind. I've used PA, ASA, and SW before (but not all very recently). I recognize that asking questions like this can make me come off as a noob, but that I am not. I do like having a forum where I can bounce ideas off others. Unlike some of you, I don't interact a ton with other IT professionals (my currently company only has one other guy), and so sometimes I feel a little siloed. As such, I came here to get some feedback on decisions I have to make that will have a lasting effect on the company I work for. Please don't assume that because I seek and value your opinions that I lack in experience. I just like to make sure I have good information before I jump all in. Thanks.
-
@scottalanmiller Ubiquiti does have DPI but not DPI-SSL
https://help.ubnt.com/hc/en-us/articles/204951104-EdgeRouter-Deep-Packet-Inspection-Engine-for-EdgeRouter -
@dbeato said in Firewalls, the good, the bad, and the ugly.:
@scottalanmiller Ubiquiti does have DPI but not DPI-SSL
https://help.ubnt.com/hc/en-us/articles/204951104-EdgeRouter-Deep-Packet-Inspection-Engine-for-EdgeRouterThis type of DPI is for reference, this is not for UTM.
Any device that sees packets can look at it if so desired. -
@bj said in Firewalls, the good, the bad, and the ugly.:
Unlike some of you, I don't interact a ton with other IT professionals (my currently company only has one other guy), and so sometimes I feel a little siloed.
I'm the outlier here. Most everyone here only runs into loads of IT pros here or in similar forums. The majority here don't work with lots of others in the technical arena. So you are in good company.
-
@bj yeah it's just that you didn't list anything specific that would make me think Palo Alto would bring anything to the table for you. They will still sell you."
I read it and added that, maybe still didn't come off right. You're here on mango lassi so everyone expects a certain level of competence on my first post I got a little but hurt over @JaredBusch but now I prefer it
I'm at the point where I would believe more in a firewall + hosted security service like webroot. But I don't deal with anything outside of connectivity and backend network stuff on a.l daily basis.
-
@bigbear said in Firewalls, the good, the bad, and the ugly.:
I read it and added that, maybe still didn't come off right. You're here on mango lassi so everyone expects a certain level of competence on my first post I got a little but hurt over @JaredBusch but now I prefer it
LOL, it's true though.
-
@scottalanmiller said in Firewalls, the good, the bad, and the ugly.:
@bigbear said in Firewalls, the good, the bad, and the ugly.:
I read it and added that, maybe still didn't come off right. You're here on mango lassi so everyone expects a certain level of competence on my first post I got a little but hurt over @JaredBusch but now I prefer it
LOL, it's true though.
For the record, I went back through your profile (thank god you only have 250ish posts) and found your first post. It was not that one. I do recall the thread, but I would have to spend more time digging through your profile to find the thread in question.
-
@bigbear, no worries, I understood what you were trying to say. I just wanted to clarify why I was asking. The only firewalls that we've spoken about here that I haven't had experience with are the ubiquities, and honestly, I hadn't even heard of them until this conversation. But that's precisely why I wanted to have this conversation. I wanted to hear what I didn't know, and I did.
In regards to PAs, there were a few features I really liked when I used them. 1) The applications. I loved how the PAs could detect if somebody was trying to pass traffic through a port that wasn't what the port was opened for. No, I personally haven't seen that stop any huge threats, but it at least closed a theoretical gap in firewall logic for me, that I may open up certain ports on the firewalls, but I have no guarantee that what I'm opening them for is what they will be used for. And 2) The stats page is really quite impressive. I love that I can see what traffic is going to china, etc. This type of information, if regularly monitored, could easily help identify traffic that is out of the norm. No, it isn't the only place you could get that type information, but we didn't have anything else set up for that, so for us it was. And 3) The config audit is very nice. I love being able to look back in the config to find who changed a certain setting and when. It's always been a pet peeve of mine when I know I didn't change something on the firewall, and I don't know who to ask about it. And sometimes, everyone denies it anyway. It's great to be able to pin down a change to a person and a time. It really makes the firewall audits required by PCI a lot easier too. If nothing has changed, you can prove it, and you don't have to look through every single setting, just in case. Or if only one setting was changed, you can see that, and then you are done. It made auditing easy.
I don't know how the Ubiquities do on those features, but I know the SW certainly don't do well on those features. My last job had the duty of auditing firewalls, and I had to audit both PAs and SWs... I hated auditing the SWs, but the PAs were really quite easy to audit. The SWs didn't even have a human readable config. I found some tools to make the config quasi readable... but even then, it was difficult to read at best.
-
@bj said in Firewalls, the good, the bad, and the ugly.:
I don't know how the Ubiquities do on those features, but I know the SW certainly don't do well on those features.
Ubiquities are firewalls, not UTMs, they are not supposed to have those features.
-
@bj said in Firewalls, the good, the bad, and the ugly.:
My last job had the duty of auditing firewalls, and I had to audit both PAs and SWs... I hated auditing the SWs, but the PAs were really quite easy to audit. The SWs didn't even have a human readable config. I found some tools to make the config quasi readable... but even then, it was difficult to read at best.
Ubiquiti runs EdgeOS which was forked from Vyatta which is the Brocade code base. I've always found the Vyatta family configs (Vyatta, EdgeOS and VyOS) pretty easy to read.
-
@bj you need to figure out what you want. You are talking about complete opposite ends of the spectrum (PA and SW UTM) and actually asked about something (firewalls) completely not what you are talking about.
You asked for firewall information. You were given some.
But you are repeatedly ignoring everything said and talking about UTM devices. UTM devices are not firewalls. They are UTM devices. Yes, a UTM device includes a firewall as part of the over all device, but it is only there as part of the UTM. It is not designed to stand on its own as a FW (though it can of course).
On top of talking about something other than what you asked about, you are also talking about things on two completely opposite ends of the spectrum. More than one person here has clearly told you that PA devices are awesome, but belong in a very small market.
What they are nicely saying is that if you have to ask the question, then you don't need the damned thing.Now if you really do need a PA, then you should not even be considering a SW. They absolutely cannot come close to the quality and features of a PA.
Finally, if you want to talk about UTM solutions instead of firewalls, then retitle your post or make a new one.
-
Thanks @JaredBusch for your concern. I think I've got what I came here for. And no, I'm not ignoring you, or anyone else.
All the best.
-
@bj said in Firewalls, the good, the bad, and the ugly.:
Thanks @JaredBusch for your concern. I think I've got what I came here for. And no, I'm not ignoring you, or anyone else.
All the best.
Summary:
For Firewalls: Ubiquiti for nearly all use cases.
For UTMs: Palo Alto for nearly all use cases. -
Agreed. Thanks.
-
@scottalanmiller said in Firewalls, the good, the bad, and the ugly.:
@bj said in Firewalls, the good, the bad, and the ugly.:
Thanks @JaredBusch for your concern. I think I've got what I came here for. And no, I'm not ignoring you, or anyone else.
All the best.
Summary:
For Firewalls: Ubiquiti for nearly all use cases.
For UTMs: Palo Alto for nearly all use cases.Speaking of, the new client I am going to do an analysis for this week has PA gear.
-
@JaredBusch said in Firewalls, the good, the bad, and the ugly.:
@scottalanmiller said in Firewalls, the good, the bad, and the ugly.:
@bj said in Firewalls, the good, the bad, and the ugly.:
Thanks @JaredBusch for your concern. I think I've got what I came here for. And no, I'm not ignoring you, or anyone else.
All the best.
Summary:
For Firewalls: Ubiquiti for nearly all use cases.
For UTMs: Palo Alto for nearly all use cases.Speaking of, the new client I am going to do an analysis for this week has PA gear.
nice
-
I'm working on switching away from Cisco ASAs to Juniper SRXs. I was actually surprised by how inexpensive the Junipers were relative to Cisco. JunOS is proprietary, but it is very readable, and they learned a lot from seeing how IOS does things poorly (oh how I love rollback 0). It is based on FreeBSD.