Pfsense instead SonicWall ?
-
@coliver said:
@wirestyle22 said:
@scottalanmiller said:
@gjacobse said:
@dafyre said:
@scottalanmiller said:
@iroal said:
Company, at end, let me buy the Pfsense.
I'm thinking in this model.
https://store.pfsense.org/HIGH-AVAILABILITY-SG-4860-1U-pfSense-Systems-P47.aspx
Any other best option ?
Answer is going to keep being the same, Ubiquiti is better than pfSense.
Can the Ubiquiti handle failover from one to another?
@iroal If the Ubiquiti has all the features you need, then the price will be significantly cheaper than the pfSense setup.
Yes - Even the ERL I have with 3 ports can. you can set two ISP and one LAN, One ISP, LAN and WiFi or one ISP and two LAN..
We actually have a client with two ISP and one LAN configured currently.
That aspect is for WAN failover. He's looking for router failover - where you have two routers instead of just one. It does that too but I don't believe we have any clients doing it. It is a more complicated setup and carries complications from the fact that you can't have the ISP link going to both routers at once by default.
Can't you do 4 routers, two for each ISP?
Look at VRRP. It is a protocol that allows for hardware failure. You would just need two routers not four.
Yeah I was thinking simplistically. My bad
-
Let's say you set up an EdgeRouter, what would you guys recommend for the additional services that a UTM platform would normally provide?
-
@wrx7m said:
Let's say you set up an EdgeRouter, what would you guys recommend for the additional services that a UTM platform would normally provide?
Like what?
Proxy/web filtering could easily be done via Squid.
-
The ER series has a client VPN built in. I think it will do OpenVPN as well.
-
Gateway AV, DPI, IDS, IPS
-
@wrx7m said:
Let's say you set up an EdgeRouter, what would you guys recommend for the additional services that a UTM platform would normally provide?
Standard recommendation is that those things don't belong on a firewall and should be either handled by another device or should not exist at all (much of the time they are negatives and sold via hype... most have their place but are not very commonly recommended.)
-
@wrx7m said:
Gateway AV, DPI, IDS, IPS
I've never seen Gateway AV work... but I Squid can also do this with some addons.
-
@scottalanmiller Interesting. So you would just go with endpoint protection after the router/firewall?
-
@wrx7m said:
@scottalanmiller Interesting. So you would just go with endpoint protection after the router/firewall?
Yes, in nearly all cases. AV on the firewall means huge network delays or tons of processing power needed at the end and it is rarely effective. If you are investing tens of thousands in Palo Alto gear, that's different. But other than that, I wouldn't even consider it.
-
I'm a big believer that the UTM concept is hype. I want my router to be a router, not be an all in one device like I'm a home user. All functionality should be broken out and should be determined discretely if needed. UTMs are sold almost exclusively based on marketing, not a need driving a search for a solution.
-
@scottalanmiller Thanks for the info. What about use of a proxy/application control?
-
@coliver said:
@wrx7m said:
Gateway AV, DPI, IDS, IPS
I've never seen Gateway AV work... but I Squid can also do this with some addons.
You haven't? I have. Both good and bad. I've seen it block bad things and also have false positives. I definitely like the thought behind it.. not sold one way or the other in practice though.
-
Plus Scott is a big believer in the LANless approach. Don't trust the network you're own.. create your own security through other means, like endpoint to server SSL, etc.
-
@wrx7m said:
@scottalanmiller Thanks for the info. What about use of a proxy/application control?
Proxies have their place, and I was using one at home even in the 1990s. Proxying itself is pretty much useless for 95% of businesses, but some need it. But a proxy requires a lot of horsepower and should never be combined with routing. For proxy and cache functions I would also turn to Squid for normal stuff and if you feel that you need to control access (which I generally think is a horrible idea and you should fire everyone if you think you need this) I would use Websense as nothing else even pretends to actually do anything.
-
@Dashrender said:
You haven't? I have. Both good and bad. I've seen it block bad things and also have false positives.
That description is what we would call not working.
-
@scottalanmiller Right, I understand your point on separating the functions from the firewall, itself.
-
@Dashrender said:
I definitely like the thought behind it.. not sold one way or the other in practice though.
If it introduced no latency and had no (or effectively no) false positives and was very cost effective I'd like the idea, too. But there is really no way to do that and that's the problem.
-
@scottalanmiller said:
@Dashrender said:
You haven't? I have. Both good and bad. I've seen it block bad things and also have false positives.
That description is what we would call not working.
False positives happen even on end points - so....
-
@scottalanmiller said:
@Dashrender said:
I definitely like the thought behind it.. not sold one way or the other in practice though.
If it introduced no latency and had no (or effectively no) false positives and was very cost effective I'd like the idea, too. But there is really no way to do that and that's the problem.
I agree!
-
@scottalanmiller said:
@Dashrender said:
I definitely like the thought behind it.. not sold one way or the other in practice though.
If it introduced no latency and had no (or effectively no) false positives and was very cost effective I'd like the idea, too. But there is really no way to do that and that's the problem.
Oh.. and my false positives was once during my 3 year contract...
