Firewalls, the good, the bad, and the ugly.

travisdh1

@bj said in Firewalls, the good, the bad, and the ugly.:

So, I'm not familiar with Ubiquity much... they seem fairly new to the scene. I was just reading up on them and came across this:
https://en.wikipedia.org/wiki/Ubiquiti_Networks
"In 2013, it was discovered that there was a security issue in the version of the U-Boot boot loader shipped on Ubiquiti's devices. It was possible to extract the plaintext configuration from the device without leaving a trace using Trivial File Transfer Protocol (TFTP) and an Ethernet cable, revealing information such as passwords.[4]

While this issue is fixed in current versions of Ubiquiti hardware, despite many requests and acknowledging that they are using this GPL-protected application, Ubiquiti refuses to provide the source code for the GNU General Public License (GPL)-licensed U-Boot.[5][6] This made it impossible (in practical terms) for Ubiquiti's customers to fix the issue."

Did you run into this? Was it as bad as it sounds?

Yes, they had a security issue on some stuff that was so old it wasn't supported anymore. Ubiquiti has been around for quite a while.

JaredBusch

@travisdh1 said in Firewalls, the good, the bad, and the ugly.:

@bj said in Firewalls, the good, the bad, and the ugly.:

So, I'm not familiar with Ubiquity much... they seem fairly new to the scene. I was just reading up on them and came across this:
https://en.wikipedia.org/wiki/Ubiquiti_Networks
"In 2013, it was discovered that there was a security issue in the version of the U-Boot boot loader shipped on Ubiquiti's devices. It was possible to extract the plaintext configuration from the device without leaving a trace using Trivial File Transfer Protocol (TFTP) and an Ethernet cable, revealing information such as passwords.[4]

While this issue is fixed in current versions of Ubiquiti hardware, despite many requests and acknowledging that they are using this GPL-protected application, Ubiquiti refuses to provide the source code for the GNU General Public License (GPL)-licensed U-Boot.[5][6] This made it impossible (in practical terms) for Ubiquiti's customers to fix the issue."

Did you run into this? Was it as bad as it sounds?

Yes, they had a security issue on some stuff that was so old it wasn't supported anymore. Ubiquiti has been around for quite a while.

Not exactly correct.

Ubiquiti's issues revolved around their AirOS line of equipment. The EdgeMax line has never had any type of issue like that.

I believe that AirOS was update to a new version and all the problems relate to an older version for discontinued hardware that Ubiquiti refused to backport and continue to support.

Obsolesce

I agree the Ubiquity stuff is great for a basic firewall:

https://dl.ubnt.com/guides/edgemax/EdgeOS_UG.pdf

But if you want some of the advanced capabilities like gateway antivirus and such, SonicWALL has always been excellent in my own experience:

https://www.sonicwall.com/products/nsa-4600/

dbeato

@bj said in Firewalls, the good, the bad, and the ugly.:

h security and high availability are important to us, but of course cost is always a consideration as well. What would you choose?

What are your security requirements? I have been a big proponent of Sonicwalls as I use them a lot and have been great for me. I do have to agree in terms of the VOIP where the "Enable Consistent NAT" is not checked on the Sonicwall and UDP timeout to 30 seconds by default causes problems with calls.

I use the Security Gateway Service subscription for GAV, Content Filtering and App Control. You can do DPI-SSL and so forth but again that all depends on the security requirements.

bj

I haven't spoken with management about the layer 7 security features that can be had on firewalls yet. The device we are moving away from (pfSense) is essentially a layer 4 device. So far the requirements we have talked about have been around reliability and HA. Though, I know that security is important to them, I wasn't planning on getting into the details about the security features of layer 7 firewalls until I had proposals to put in front of them (though I have mentioned one cool feature the PAs have). Right now, I'm trying to decide which firewalls to include in that round-up. At the moment, from what I've heard here, we'll probably be talking about SW, Ubiquity, and PA. My experience with SW has been like yours. Yes, you do have to change some settings to configure them right, but once in place, they've been fairly stable for me. On the other hand, if Ubiquity has a good firewall, I'm open to that possibility as well. And if we can spend the money for it, the PAs definitely get my vote.

bj

@Tim_G, @scottalanmiller, looking at their website, it looks like Ubiquity doesn't offer any NGFW features like DPI or filtering. Is that correct? Or am I missing something? (Not that that would rule them out, just making sure I know what they are.)

bigbear

I gotta ask.... Has anyone ever even heard about a major virus that spread through the internet, attacking and penetrating your everyday routers and basic firewalls? And DPI/SPI is not worth much if you aren't configuring your router to do anything with that info.

Let your firewall/router do its job and if you need more features it falls to a proxy server or outside service like webroot.

I much preferred M0n0wall to PFSENSE, but since Manuel is busy doing other things everyone had to move to PFSENSE. I disagreed that the project had run its course.

A Palo Alto device is not for you if you are posting these kinds of questions. And that's not a slight to you. PA customers have specific issues (like being targeted for attack) that brought them to pay that sticker price.

Sonicwall MAYBE was a good option 10 years ago. 99% of your SonicWALL guys use it because they have been using it for 10+ years and you cant really argue with them about it. Its familiar but it offers zero real benefits over a Ubiquiti Edgemax.

Your Ubiquitui USG can tie into a Unifi controller you could host on Vultr. So you get a self hosted Meraki experience. Last I evaluated USG had some bugs vs Edgemax so I can only speak to the latter. I would assume those issues are resolved by now. @scottalanmiller or @JaredBusch would know.

JaredBusch

@bigbear I only have a single USG in the wild. It is not a device I would actually deploy to most places.

The one I have out there is in a very small stand alone business. The USG runs EdgeOS under the hood, but you have no direct access to it. It onyl works through the Controller. Specific customization can only be done by creating a special text file and putting it in a specific location.

scottalanmiller

@bj said in Firewalls, the good, the bad, and the ugly.:

I haven't spoken with management about the layer 7 security features that can be had on firewalls yet. The device we are moving away from (pfSense) is essentially a layer 4 device. So far the requirements we have talked about have been around reliability and HA. Though, I know that security is important to them, I wasn't planning on getting into the details about the security features of layer 7 firewalls until I had proposals to put in front of them (though I have mentioned one cool feature the PAs have). Right now, I'm trying to decide which firewalls to include in that round-up. At the moment, from what I've heard here, we'll probably be talking about SW, Ubiquity, and PA. My experience with SW has been like yours. Yes, you do have to change some settings to configure them right, but once in place, they've been fairly stable for me. On the other hand, if Ubiquity has a good firewall, I'm open to that possibility as well. And if we can spend the money for it, the PAs definitely get my vote.

That's kind of how I work. If I need a UTM, get PA. If you don't need a UTM, get Ubiquiti.

scottalanmiller

@bj said in Firewalls, the good, the bad, and the ugly.:

@Tim_G, @scottalanmiller, looking at their website, it looks like Ubiquity doesn't offer any NGFW features like DPI or filtering. Is that correct? Or am I missing something? (Not that that would rule them out, just making sure I know what they are.)

No, it is just a firewall, not a UTM.

bj

Cool. We'll definitely consider them. I appreciate your recommendations.

And @bigbear, thanks for that... um... "not slight". I'm not going into this blind. I've used PA, ASA, and SW before (but not all very recently). I recognize that asking questions like this can make me come off as a noob, but that I am not. I do like having a forum where I can bounce ideas off others. Unlike some of you, I don't interact a ton with other IT professionals (my currently company only has one other guy), and so sometimes I feel a little siloed. As such, I came here to get some feedback on decisions I have to make that will have a lasting effect on the company I work for. Please don't assume that because I seek and value your opinions that I lack in experience. I just like to make sure I have good information before I jump all in. Thanks.

dbeato

@scottalanmiller Ubiquiti does have DPI but not DPI-SSL
https://help.ubnt.com/hc/en-us/articles/204951104-EdgeRouter-Deep-Packet-Inspection-Engine-for-EdgeRouter

JaredBusch

@dbeato said in Firewalls, the good, the bad, and the ugly.:

@scottalanmiller Ubiquiti does have DPI but not DPI-SSL
https://help.ubnt.com/hc/en-us/articles/204951104-EdgeRouter-Deep-Packet-Inspection-Engine-for-EdgeRouter

This type of DPI is for reference, this is not for UTM.
Any device that sees packets can look at it if so desired.

scottalanmiller

@bj said in Firewalls, the good, the bad, and the ugly.:

Unlike some of you, I don't interact a ton with other IT professionals (my currently company only has one other guy), and so sometimes I feel a little siloed.

I'm the outlier here. Most everyone here only runs into loads of IT pros here or in similar forums. The majority here don't work with lots of others in the technical arena. So you are in good company.

bigbear

@bj yeah it's just that you didn't list anything specific that would make me think Palo Alto would bring anything to the table for you. They will still sell you."

I read it and added that, maybe still didn't come off right. You're here on mango lassi so everyone expects a certain level of competence on my first post I got a little but hurt over @JaredBusch but now I prefer it

I'm at the point where I would believe more in a firewall + hosted security service like webroot. But I don't deal with anything outside of connectivity and backend network stuff on a.l daily basis.

scottalanmiller

@bigbear said in Firewalls, the good, the bad, and the ugly.:

I read it and added that, maybe still didn't come off right. You're here on mango lassi so everyone expects a certain level of competence on my first post I got a little but hurt over @JaredBusch but now I prefer it

LOL, it's true though.

JaredBusch

@scottalanmiller said in Firewalls, the good, the bad, and the ugly.:

@bigbear said in Firewalls, the good, the bad, and the ugly.:

I read it and added that, maybe still didn't come off right. You're here on mango lassi so everyone expects a certain level of competence on my first post I got a little but hurt over @JaredBusch but now I prefer it

LOL, it's true though.

For the record, I went back through your profile (thank god you only have 250ish posts) and found your first post. It was not that one. I do recall the thread, but I would have to spend more time digging through your profile to find the thread in question.

bj

@bigbear, no worries, I understood what you were trying to say. I just wanted to clarify why I was asking. The only firewalls that we've spoken about here that I haven't had experience with are the ubiquities, and honestly, I hadn't even heard of them until this conversation. But that's precisely why I wanted to have this conversation. I wanted to hear what I didn't know, and I did.

In regards to PAs, there were a few features I really liked when I used them. 1) The applications. I loved how the PAs could detect if somebody was trying to pass traffic through a port that wasn't what the port was opened for. No, I personally haven't seen that stop any huge threats, but it at least closed a theoretical gap in firewall logic for me, that I may open up certain ports on the firewalls, but I have no guarantee that what I'm opening them for is what they will be used for. And 2) The stats page is really quite impressive. I love that I can see what traffic is going to china, etc. This type of information, if regularly monitored, could easily help identify traffic that is out of the norm. No, it isn't the only place you could get that type information, but we didn't have anything else set up for that, so for us it was. And 3) The config audit is very nice. I love being able to look back in the config to find who changed a certain setting and when. It's always been a pet peeve of mine when I know I didn't change something on the firewall, and I don't know who to ask about it. And sometimes, everyone denies it anyway. It's great to be able to pin down a change to a person and a time. It really makes the firewall audits required by PCI a lot easier too. If nothing has changed, you can prove it, and you don't have to look through every single setting, just in case. Or if only one setting was changed, you can see that, and then you are done. It made auditing easy.

I don't know how the Ubiquities do on those features, but I know the SW certainly don't do well on those features. My last job had the duty of auditing firewalls, and I had to audit both PAs and SWs... I hated auditing the SWs, but the PAs were really quite easy to audit. The SWs didn't even have a human readable config. I found some tools to make the config quasi readable... but even then, it was difficult to read at best.

scottalanmiller

@bj said in Firewalls, the good, the bad, and the ugly.:

I don't know how the Ubiquities do on those features, but I know the SW certainly don't do well on those features.

Ubiquities are firewalls, not UTMs, they are not supposed to have those features.

scottalanmiller

@bj said in Firewalls, the good, the bad, and the ugly.:

My last job had the duty of auditing firewalls, and I had to audit both PAs and SWs... I hated auditing the SWs, but the PAs were really quite easy to audit. The SWs didn't even have a human readable config. I found some tools to make the config quasi readable... but even then, it was difficult to read at best.

Ubiquiti runs EdgeOS which was forked from Vyatta which is the Brocade code base. I've always found the Vyatta family configs (Vyatta, EdgeOS and VyOS) pretty easy to read.