    Pfsense instead SonicWall ?

    IT Discussion
    Tags: sonicwall, pfsense, firewall
    133 Posts 13 Posters 52.7k Views

    • wrx7m @scottalanmiller

      @scottalanmiller Thanks for the info. What about use of a proxy/application control?

      • Dashrender @coliver

        @coliver said:

        @wrx7m said:

        Gateway AV, DPI, IDS, IPS

        I've never seen Gateway AV work... but Squid can also do this with some addons.

        You haven't? I have. Both good and bad. I've seen it block bad things and also have false positives. I definitely like the thought behind it.. not sold one way or the other in practice though.

        • Dashrender

          Plus Scott is a big believer in the LANless approach. Don't trust the network you're on.. create your own security through other means, like endpoint to server SSL, etc.

          • scottalanmiller @wrx7m

            @wrx7m said:

            @scottalanmiller Thanks for the info. What about use of a proxy/application control?

            Proxies have their place, and I was using one at home even in the 1990s. Proxying itself is pretty much useless for 95% of businesses, but some need it. But a proxy requires a lot of horsepower and should never be combined with routing. For proxy and cache functions I would also turn to Squid for normal stuff and if you feel that you need to control access (which I generally think is a horrible idea and you should fire everyone if you think you need this) I would use Websense as nothing else even pretends to actually do anything.

            • scottalanmiller @Dashrender

              @Dashrender said:

              You haven't? I have. Both good and bad. I've seen it block bad things and also have false positives.

              That description is what we would call not working.

              • wrx7m @scottalanmiller

                @scottalanmiller Right, I understand your point on separating the functions from the firewall itself.

                • scottalanmiller @Dashrender

                  @Dashrender said:

                  I definitely like the thought behind it.. not sold one way or the other in practice though.

                  If it introduced no latency and had no (or effectively no) false positives and was very cost effective I'd like the idea, too. But there is really no way to do that and that's the problem.

                  • Dashrender @scottalanmiller

                    @scottalanmiller said:

                    @Dashrender said:

                    You haven't? I have. Both good and bad. I've seen it block bad things and also have false positives.

                    That description is what we would call not working.

                    False positives happen even on endpoints - so....

                    • Dashrender @scottalanmiller

                      @scottalanmiller said:

                      @Dashrender said:

                      I definitely like the thought behind it.. not sold one way or the other in practice though.

                      If it introduced no latency and had no (or effectively no) false positives and was very cost effective I'd like the idea, too. But there is really no way to do that and that's the problem.

                      I agree!

                      • Dashrender @scottalanmiller

                        @scottalanmiller said:

                        @Dashrender said:

                        I definitely like the thought behind it.. not sold one way or the other in practice though.

                        If it introduced no latency and had no (or effectively no) false positives and was very cost effective I'd like the idea, too. But there is really no way to do that and that's the problem.

                        Oh.. and my false positive was once during my 3-year contract...

                        • scottalanmiller @wrx7m

                          @wrx7m said:

                          @scottalanmiller Right, I understand your point on separating the functions from the firewall, itself.

                          One of the reasons there for proxy/cache specifically is that you need it to be insanely fast and cache a ton of stuff - so you likely want a massive RAID 0 array with SSD caching in front of it with loads of memory and a decent CPU (quad core Xeon for example) to handle it. You can't get 1% of that from any firewall hardware.

                          And you don't want the proxy getting in the way of non-proxy traffic. Your VoIP, for example, needs to go straight through the firewall not get processed or blocked by the proxy. If the proxy is inside the firewall device, the CPU will be tied up doing that instead of passing RTP packets.

                          • wrx7m @scottalanmiller

                            @scottalanmiller said:

                            @wrx7m said:

                            @scottalanmiller Thanks for the info. What about use of a proxy/application control?

                            Proxies have their place, and I was using one at home even in the 1990s. Proxying itself is pretty much useless for 95% of businesses, but some need it. But a proxy requires a lot of horsepower and should never be combined with routing. For proxy and cache functions I would also turn to Squid for normal stuff and if you feel that you need to control access (which I generally think is a horrible idea and you should fire everyone if you think you need this) I would use Websense as nothing else even pretends to actually do anything.

                            I agree with you but how do you know what people are accessing if you aren't monitoring it, at least passively? Sure there is management but short of standing over everyone's shoulder, I don't see a better way to be able to produce the stats.

                            • scottalanmiller @Dashrender

                              @Dashrender said:

                              @scottalanmiller said:

                              @Dashrender said:

                              You haven't? I have. Both good and bad. I've seen it block bad things and also have false positives.

                              That description is what we would call not working.

                              False positives happen even on endpoints - so....

                              But not so often that I've seen one in a decade. Definitely happen, but are super rare. And much easier to identify because it is localised to where it happens. Not somewhere distant.

                              • scottalanmiller @wrx7m

                                @wrx7m said:

                                I agree with you but how do you know what people are accessing if you aren't monitoring it, at least passively?

                                I don't want to know what they are accessing. I know of no positive, but tons of negative, results from that. Having that information available doesn't itself cause problems, but it makes problems really easy to have - like not looking at how well people do their jobs and instead looking at what web sites that they go to.

                                I truly believe that 99.9% of the time, having this information has only negative value. And IT should never want this, management might require it, but it would never be in IT's interest to have to collect this.

                                • scottalanmiller @wrx7m

                                  @wrx7m said:

                                  Sure there is management but short of standing over everyone's shoulder, I don't see a better way to be able to produce the stats.

                                  Good, make it hard to collect pointless metrics.

                                  • wrx7m @scottalanmiller

                                    @scottalanmiller said:

                                    @wrx7m said:

                                    I agree with you but how do you know what people are accessing if you aren't monitoring it, at least passively?

                                    I don't want to know what they are accessing. I know of no positive, but tons of negative, results from that. Having that information available doesn't itself cause problems, but it makes problems really easy to have - like not looking at how well people do their jobs and instead looking at what web sites that they go to.

                                    I truly believe that 99.9% of the time, having this information has only negative value. And IT should never want this, management might require it, but it would never be in IT's interest to have to collect this.

                                    IT services don't exist in a vacuum and most management would disagree. Management wants info like this occasionally. Sometimes they want even more, which requires specialized software installed on the local system. I really hate doing that.

                                    • scottalanmiller @wrx7m

                                      @wrx7m said:

                                      IT services don't exist in a vacuum and most management would disagree.

                                      Not good, healthy management. I normally see this stuff being pushed from IT in opposition to management as IT people have a tendency to want to "control" things, it's part of the culture. Good management would know instantly that this is horrible info and goes against even the most entry level management training. This falls only into the "really clueless untrained or megalomaniac" management category outside of specific issues (some places have to for regulations.)

                                      If management wants this info, IT should be training them as to how useless this data is and how there is no possible useful outcome to collecting it.

                                      • marcinozga @scottalanmiller

                                        @scottalanmiller said:

                                        @wrx7m said:

                                        I agree with you but how do you know what people are accessing if you aren't monitoring it, at least passively?

                                        I don't want to know what they are accessing. I know of no positive, but tons of negative, results from that. Having that information available doesn't itself cause problems, but it makes problems really easy to have - like not looking at how well people do their jobs and instead looking at what web sites that they go to.

                                        I truly believe that 99.9% of the time, having this information has only negative value. And IT should never want this, management might require it, but it would never be in IT's interest to have to collect this.

                                        We've had on average one person a year fired because of their browsing habits. One person was even watching Netflix 8 hours a day; surprisingly, that person still works here.

                                        Employees are paid to do their jobs, not to browse the web. If the management has a need to have that info, then we should provide it.

                                        • scottalanmiller @wrx7m

                                          @wrx7m said:

                                          Management wants info like this occasionally.

                                          Maybe, but it should NEVER be an assumption. If management demands this AND won't accept training or standard advice or just math... then yes, IT should do what it is asked to do. But we should never drive this as it is bad for every aspect of the business when not required.

                                          • scottalanmiller @marcinozga

                                            @marcinozga said:

                                            We've had on average one person a year fired because of their browsing habits. One person was even watching Netflix 8 hours a day, surprisingly that person still works here.

                                            That's horrible, why would you fire perfectly good employees that are being productive because of perceived browsing habits? Those managers should be fired, that's as clueless as you can get. If those people are doing a good job and earning their keep, firing them because of a metric that has nothing to do with their ability to do their job or their productivity would be tantamount to intentional sabotage - and should trigger an investigation over discrimination.


                                            Page 5 / 7