Why I See UTMs As Generally Bad in the Current Market
-
@dave247 said in Why I See UTMs As Generally Bad in the Current Market:
@scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:
@dave247 said in Why I See UTMs As Generally Bad in the Current Market:
If you ARE supporting NGFW and opposing the use of UTMs, I will just say that my current SonicWall model is specifically listed as a NGFW (though you have argued with me in the past about it actually being a UTM). Also, the Sophos XG product that I originally posted about is also an NGFW. I assume you will respond by saying that they just stopped calling them UTMs and are now calling them NGFW, so if that's the case, can you provide some list of products or features that you would use to distinguish a UTM from a NGFW?
NGFW is deep packet inspection (higher layers than the L3 and L4 of traditional shallow packet inspection firewalls), but not features like content filtering, anti-virus, IDS, etc.
I would put it as UTM is "general purpose applications running on a router as if it were a server." That's the key differentiation. To be a UTM, you have to treat your router hardware like basically a general purpose server running traditional server workloads (AV, Content Filtering, Proxy, IDS, etc.) on it.
OK, that helps clarify then. In my case, our current appliance is being used as both NGFW and UTM. The product we are looking at would be about the same, but do a better job in different areas.
Right, so basically these days, any good UTM will be based on NGFW as its starting point. SonicWall, Sophos, Palo Alto should all be NGFW + UTM.
The NGFW I'm fully in support of when it makes sense (which is decently often), but the UTM pieces I would much rather see elsewhere (if at all), meaning running on the server infrastructure.
-
The difficulty with all of those things is handling encryption. That's long been a problem. One that is partially solved, but not fully. Even "solving it" creates problems.
NGFW has been a term for quite a while, but I don't like it. A firewall with DPI should just be called that, ideally. Not treated like it is a new magical thing. But... sales people.
-
@scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:
@dave247 said in Why I See UTMs As Generally Bad in the Current Market:
@scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:
@dave247 said in Why I See UTMs As Generally Bad in the Current Market:
If you ARE supporting NGFW and opposing the use of UTMs, I will just say that my current SonicWall model is specifically listed as a NGFW (though you have argued with me in the past about it actually being a UTM). Also, the Sophos XG product that I originally posted about is also an NGFW. I assume you will respond by saying that they just stopped calling them UTMs and are now calling them NGFW, so if that's the case, can you provide some list of products or features that you would use to distinguish a UTM from a NGFW?
NGFW is deep packet inspection (higher layers than the L3 and L4 of traditional shallow packet inspection firewalls), but not features like content filtering, anti-virus, IDS, etc.
I would put it as UTM is "general purpose applications running on a router as if it were a server." That's the key differentiation. To be a UTM, you have to treat your router hardware like basically a general purpose server running traditional server workloads (AV, Content Filtering, Proxy, IDS, etc.) on it.
OK, that helps clarify then. In my case, our current appliance is being used as both NGFW and UTM. The product we are looking at would be about the same, but do a better job in different areas.
Right, so basically these days, any good UTM will be based on NGFW as its starting point. SonicWall, Sophos, Palo Alto should all be NGFW + UTM.
The NGFW I'm fully in support of when it makes sense (which is decently often), but the UTM pieces I would much rather see elsewhere (if at all), meaning running on the server infrastructure.
(╯°□°)╯︵ ┻━┻
-
@dave247 said in Why I See UTMs As Generally Bad in the Current Market:
@scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:
@dave247 said in Why I See UTMs As Generally Bad in the Current Market:
@scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:
@dave247 said in Why I See UTMs As Generally Bad in the Current Market:
If you ARE supporting NGFW and opposing the use of UTMs, I will just say that my current SonicWall model is specifically listed as a NGFW (though you have argued with me in the past about it actually being a UTM). Also, the Sophos XG product that I originally posted about is also an NGFW. I assume you will respond by saying that they just stopped calling them UTMs and are now calling them NGFW, so if that's the case, can you provide some list of products or features that you would use to distinguish a UTM from a NGFW?
NGFW is deep packet inspection (higher layers than the L3 and L4 of traditional shallow packet inspection firewalls), but not features like content filtering, anti-virus, IDS, etc.
I would put it as UTM is "general purpose applications running on a router as if it were a server." That's the key differentiation. To be a UTM, you have to treat your router hardware like basically a general purpose server running traditional server workloads (AV, Content Filtering, Proxy, IDS, etc.) on it.
OK, that helps clarify then. In my case, our current appliance is being used as both NGFW and UTM. The product we are looking at would be about the same, but do a better job in different areas.
Right, so basically these days, any good UTM will be based on NGFW as its starting point. SonicWall, Sophos, Palo Alto should all be NGFW + UTM.
The NGFW I'm fully in support of when it makes sense (which is decently often), but the UTM pieces I would much rather see elsewhere (if at all), meaning running on the server infrastructure.
(╯°□°)╯︵ ┻━┻
Same as we've always been saying. Firewall is not the place for the "UTM pieces". They are better elsewhere, when needed.
It's that they are rarely needed, but sometimes.
When they are needed, the firewall isn't the best place for them. It's not that the concepts are always bad, it's just how they are pushed way too often, and not in a good way to deploy them, because it's not a good security practice to have them on the firewall.
-
@scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:
@dave247 said in Why I See UTMs As Generally Bad in the Current Market:
@scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:
@dave247 said in Why I See UTMs As Generally Bad in the Current Market:
@scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:
@dave247 said in Why I See UTMs As Generally Bad in the Current Market:
If you ARE supporting NGFW and opposing the use of UTMs, I will just say that my current SonicWall model is specifically listed as a NGFW (though you have argued with me in the past about it actually being a UTM). Also, the Sophos XG product that I originally posted about is also an NGFW. I assume you will respond by saying that they just stopped calling them UTMs and are now calling them NGFW, so if that's the case, can you provide some list of products or features that you would use to distinguish a UTM from a NGFW?
NGFW is deep packet inspection (higher layers than the L3 and L4 of traditional shallow packet inspection firewalls), but not features like content filtering, anti-virus, IDS, etc.
I would put it as UTM is "general purpose applications running on a router as if it were a server." That's the key differentiation. To be a UTM, you have to treat your router hardware like basically a general purpose server running traditional server workloads (AV, Content Filtering, Proxy, IDS, etc.) on it.
OK, that helps clarify then. In my case, our current appliance is being used as both NGFW and UTM. The product we are looking at would be about the same, but do a better job in different areas.
Right, so basically these days, any good UTM will be based on NGFW as its starting point. SonicWall, Sophos, Palo Alto should all be NGFW + UTM.
The NGFW I'm fully in support of when it makes sense (which is decently often), but the UTM pieces I would much rather see elsewhere (if at all), meaning running on the server infrastructure.
(╯°□°)╯︵ ┻━┻
Same as we've always been saying. Firewall is not the place for the "UTM pieces". They are better elsewhere, when needed.
It's that they are rarely needed, but sometimes.
When they are needed, the firewall isn't the best place for them. It's not that the concepts are always bad, it's just how they are pushed way too often, and not in a good way to deploy them, because it's not a good security practice to have them on the firewall.
How many NGFW products are on the market that do not come bundled with UTM?
-
@Donahue said in Why I See UTMs As Generally Bad in the Current Market:
@scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:
@dave247 said in Why I See UTMs As Generally Bad in the Current Market:
@scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:
@dave247 said in Why I See UTMs As Generally Bad in the Current Market:
@scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:
@dave247 said in Why I See UTMs As Generally Bad in the Current Market:
If you ARE supporting NGFW and opposing the use of UTMs, I will just say that my current SonicWall model is specifically listed as a NGFW (though you have argued with me in the past about it actually being a UTM). Also, the Sophos XG product that I originally posted about is also an NGFW. I assume you will respond by saying that they just stopped calling them UTMs and are now calling them NGFW, so if that's the case, can you provide some list of products or features that you would use to distinguish a UTM from a NGFW?
NGFW is deep packet inspection (higher layers than the L3 and L4 of traditional shallow packet inspection firewalls), but not features like content filtering, anti-virus, IDS, etc.
I would put it as UTM is "general purpose applications running on a router as if it were a server." That's the key differentiation. To be a UTM, you have to treat your router hardware like basically a general purpose server running traditional server workloads (AV, Content Filtering, Proxy, IDS, etc.) on it.
OK, that helps clarify then. In my case, our current appliance is being used as both NGFW and UTM. The product we are looking at would be about the same, but do a better job in different areas.
Right, so basically these days, any good UTM will be based on NGFW as its starting point. SonicWall, Sophos, Palo Alto should all be NGFW + UTM.
The NGFW I'm fully in support of when it makes sense (which is decently often), but the UTM pieces I would much rather see elsewhere (if at all), meaning running on the server infrastructure.
(╯°□°)╯︵ ┻━┻
Same as we've always been saying. Firewall is not the place for the "UTM pieces". They are better elsewhere, when needed.
It's that they are rarely needed, but sometimes.
When they are needed, the firewall isn't the best place for them. It's not that the concepts are always bad, it's just how they are pushed way too often, and not in a good way to deploy them, because it's not a good security practice to have them on the firewall.
How many NGFW products are on the market that do not come bundled with UTM?
Pretty much all of them. UTM is nearly always an "add on" cost on top of the NGFW. But some are NGFW only, like Ubiquiti.
-
The reason we went with Fortigate over an Edge router is that the Edge router couldn't do the IPsec bandwidth we were trying to hit. But mine is an NGFW with UTM bundled in. Could there have been some other product that I don't know of that would have been better in our case?
-
@Donahue said in Why I See UTMs As Generally Bad in the Current Market:
The reason we went with Fortigate over an Edge router is that the Edge router couldn't do the IPsec bandwidth we were trying to hit. But mine is an NGFW with UTM bundled in. Could there have been some other product that I don't know of that would have been better in our case?
ERL does nearly half of what you need...
https://community.ubnt.com/t5/EdgeRouter/ERL-Performance-Testing-with-IPSec-VPN/m-p/1053799#M44593
ER and ERPro are so much more powerful. The ER Pro has 2x the CPU power and 4x the RAM. We'd expect it to be able to saturate your lines no problem. Of course that is "expect", but based on the ERL speeds, and that they run the same code, there is little doubt that it can push IPsec over 1Gig speeds.
-
@scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:
@Donahue said in Why I See UTMs As Generally Bad in the Current Market:
The reason we went with Fortigate over an Edge router is that the Edge router couldn't do the IPsec bandwidth we were trying to hit. But mine is an NGFW with UTM bundled in. Could there have been some other product that I don't know of that would have been better in our case?
ERL does nearly half of what you need...
https://community.ubnt.com/t5/EdgeRouter/ERL-Performance-Testing-with-IPSec-VPN/m-p/1053799#M44593
ER and ERPro are so much more powerful. The ER Pro has 2x the CPU power and 4x the RAM. We'd expect it to be able to saturate your lines no problem. Of course that is "expect", but based on the ERL speeds, and that they run the same code, there is little doubt that it can push IPsec over 1Gig speeds.
Your link is what convinced me not to use the ER Pro. The Pros will only do <500 Mbps at full capacity; it's in the link you posted.
-
@Donahue said in Why I See UTMs As Generally Bad in the Current Market:
@scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:
@Donahue said in Why I See UTMs As Generally Bad in the Current Market:
The reason we went with Fortigate over an Edge router is that the Edge router couldn't do the IPsec bandwidth we were trying to hit. But mine is an NGFW with UTM bundled in. Could there have been some other product that I don't know of that would have been better in our case?
ERL does nearly half of what you need...
https://community.ubnt.com/t5/EdgeRouter/ERL-Performance-Testing-with-IPSec-VPN/m-p/1053799#M44593
ER and ERPro are so much more powerful. The ER Pro has 2x the CPU power and 4x the RAM. We'd expect it to be able to saturate your lines no problem. Of course that is "expect", but based on the ERL speeds, and that they run the same code, there is little doubt that it can push IPsec over 1Gig speeds.
Your link is what convinced me not to use the ER Pro. The Pros will only do <500 Mbps at full capacity; it's in the link you posted.
Where in it?
Oh, I see. He mentions the ER Pro in another post, then posts the numbers without stating what they are in a thread on ERLs. VERY confusing.