
    SonicWall support services set to expire... should I move to Ubiquiti Routers?

    IT Discussion
    49 Posts 7 Posters 6.2k Views
    • DashrenderD
      Dashrender
      last edited by

      We've all talked about the Ubiquiti firewalls - are they still a good go-to device?

      I've had the web filtering feature in the SonicWall for the past 3 years; I'm sure it's saved my users at least a few times from becoming infected (in the last 3 years we've had about 4 infections, before that we probably had 4 a year).

      Thoughts?

      1 Reply Last reply Reply Quote 0
      • scottalanmillerS
        scottalanmiller
        last edited by

        Ubiquiti is very good, but does not do web filtering. If you need that I would either get it externally to your firewall (this is what a web proxy is for) or move to something like Sophos.

        ? 1 Reply Last reply Reply Quote 0
        • JaredBuschJ
          JaredBusch
          last edited by

          Web filtering via a web proxy is really dead anyway. The world is moving to SSL and you cannot get in that anyway without setting up a more intrusive man-in-the-middle style proxy on your network.

          I would love to recommend DNS-based filtering, but the only quality service I am aware of is Umbrella by OpenDNS. Unfortunately it is very expensive.

          DashrenderD 1 Reply Last reply Reply Quote 1
          • scottalanmillerS
            scottalanmiller
            last edited by

            I think outside of the enterprise, web filtering is mostly going away. And even there it is becoming minimized. It is becoming more and more expensive while doing less and less.

            JaredBuschJ DashrenderD 2 Replies Last reply Reply Quote 0
            • JaredBuschJ
              JaredBusch @scottalanmiller
              last edited by

              @scottalanmiller said:

              I think outside of the enterprise, web filtering is mostly going away. And even there it is becoming minimized. It is becoming more and more expensive while doing less and less.

              Actually, while it should be, I always get asked about it when talking to clients.

              1 Reply Last reply Reply Quote 0
              • coliverC
                coliver
                last edited by

                Is there any value in web filtering? Or is that using technology to solve an HR problem?

                JaredBuschJ scottalanmillerS 2 Replies Last reply Reply Quote 0
                • JaredBuschJ
                  JaredBusch @coliver
                  last edited by

                  @coliver said:

                  Is there any value in web filtering? Or is that using technology to solve an HR problem?

                  The productivity part aside, yes it is using technology to solve a managerial issue.

                  But there is nothing wrong with that. That is the POINT of technology used properly. The problem is the cost versus the benefit now is really falling away.

                  1 Reply Last reply Reply Quote 1
                  • scottalanmillerS
                    scottalanmiller @coliver
                    last edited by

                    @coliver said:

                    Is there any value in web filtering? Or is that using technology to solve an HR problem?

                    As long as HR is directing it and it is not an IT initiative on their own, I see nothing wrong there. Now why HR feels that web filtering is effective and worth spending money on is the question. Web filtering, even at the biggest enterprises, never blocked me from doing things. It just made me less productive.

                    ? 1 Reply Last reply Reply Quote 0
                    • ?
                      A Former User @scottalanmiller
                      last edited by

                      @scottalanmiller said:

                      Ubiquiti is very good, but does not do web filtering. If you need that I would either get it externally to your firewall (this is what a web proxy is for) or move to something like Sophos.

                      DNS is better than a proxy these days. Proxies break too many things. Use http://www.nxfilter.org/p2/ for DNS filtering. It's free. Run it on a Linux VM and you can even do zone transfers from your AD DNS so AD will still work fine with clients pulling off of it.

                      1 Reply Last reply Reply Quote 1
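
The per-query decision a DNS filter of the kind described in the post above has to make, as an added example that is not part of the thread and is not NxFilter's code. The domain names, the policy sets and the choice to answer blocked names with NXDOMAIN are assumptions made for illustration.

```python
import struct

# Constructed policy (assumptions for this example, not from the thread).
BLOCKED = {"malware.example", "ads.example"}   # filtered domains
LOCAL_ZONES = {"corp.example"}                 # AD zone held via zone transfer

def build_query(name, txid=0x1234):
    """Build a minimal A-record query; used here as constructed sample input."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"

def parse_question(packet):
    """Return (lowercased query name, offset just past the question section)."""
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated query name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(packet):
            raise ValueError("bad label")   # pointers and overruns are rejected
        labels.append(packet[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("missing QTYPE/QCLASS")
    return ".".join(labels), pos + 4

def in_zone(name, zones):
    """Label-aligned suffix match: 'a.ads.example' matches, 'bads.example' does not."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in zones for i in range(len(parts)))

def decide(packet):
    """Return (action, reply); reply is an NXDOMAIN packet only when blocking."""
    name, end = parse_question(packet)
    if in_zone(name, LOCAL_ZONES):
        return "local", None          # answer from the transferred AD zone
    if in_zone(name, BLOCKED):
        rd = struct.unpack("!H", packet[2:4])[0] & 0x0100
        flags = 0x8000 | rd | 0x0080 | 3   # QR=1, RD copied, RA=1, RCODE=NXDOMAIN
        header = packet[:2] + struct.pack("!HHHHH", flags, 1, 0, 0, 0)
        return "block", header + packet[12:end]
    return "forward", None            # hand to the upstream resolver
```

The decision uses only the queried name, so it is the same whether the client goes on to use HTTP or HTTPS.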
                      • ?
                        A Former User @scottalanmiller
                        last edited by

                        @scottalanmiller said:

                        @coliver said:

                        Is there any value in web filtering? Or is that using technology to solve an HR problem?

                        As long as HR is directing it and it is not an IT initiative on their own

                        Even with just IT, if it's used to block spyware, malware, etc., it's still good.

                        1 Reply Last reply Reply Quote 0
                        • DashrenderD
                          Dashrender @scottalanmiller
                          last edited by

                          @scottalanmiller said:

                          I think outside of the enterprise, web filtering is mostly going away. And even there it is becoming minimized. It is becoming more and more expensive while doing less and less.

                          Yeah, I was wondering if this was the case.

                          1 Reply Last reply Reply Quote 0
                          • DashrenderD
                            Dashrender @JaredBusch
                            last edited by

                            @JaredBusch said:

                            Web filtering via a web proxy is really dead anyway. The world is moving to SSL and you cannot get in that anyway without setting up a more intrusive man-in-the-middle style proxy on your network.

                            I would love to recommend DNS-based filtering, but the only quality service I am aware of is Umbrella by OpenDNS. Unfortunately it is very expensive.

                            Yep, I'm fully aware but general web filtering should still prevent a lot of nasty things (I would think) because you still have to know the name/IP of the host you are trying to connect to.

                            scottalanmillerS JaredBuschJ 2 Replies Last reply Reply Quote 0
                            • scottalanmillerS
                              scottalanmiller @Dashrender
                              last edited by

                              @Dashrender said:

                              @JaredBusch said:

                              Web filtering via a web proxy is really dead anyway. The world is moving to SSL and you cannot get in that anyway without setting up a more intrusive man-in-the-middle style proxy on your network.

                              I would love to recommend DNS-based filtering, but the only quality service I am aware of is Umbrella by OpenDNS. Unfortunately it is very expensive.

                              Yep, I'm fully aware but general web filtering should still prevent a lot of nasty things (I would think) because you still have to know the name/IP of the host you are trying to connect to.

                              Yes, but that is so easy to work around. I wonder how many people are actually blocked compared to how many appear to be blocked?

                              1 Reply Last reply Reply Quote 0
                              • DashrenderD
                                Dashrender
                                last edited by

                                Considering over 50% of my employees can't find Google if it's not their homepage, it's a pretty good block. Those that can find Google without either it being the homepage, or having a shortcut - I'm not worried about those people because they typically aren't the ones finding themselves infected with crap.

                                Another thing I was able to accomplish last year - I removed local admin from 90% of my users, so perhaps the whole spyware/crapware thing is less of a concern now.

                                ? JaredBuschJ 2 Replies Last reply Reply Quote 1
                                • ?
                                  A Former User @Dashrender
                                  last edited by

                                  @Dashrender said:

                                  Another thing I was able to accomplish last year - I removed local admin from 90% of my users, so perhaps the whole spyware/crapware thing is less of a concern now.

                                  You can still get spyware, malware and viruses in limited accounts. Heck, CryptoLocker and CryptoWall both are designed to run with admin permissions.

                                  DashrenderD 1 Reply Last reply Reply Quote 0
                                  • JaredBuschJ
                                    JaredBusch @Dashrender
                                    last edited by

                                    @Dashrender said:

                                    Considering over 50% of my employees can't find Google if it's not their homepage, it's a pretty good block. Those that can find Google without either it being the homepage, or having a shortcut - I'm not worried about those people because they typically aren't the ones finding themselves infected with crap.

                                    Another thing I was able to accomplish last year - I removed local admin from 90% of my users, so perhaps the whole spyware/crapware thing is less of a concern now.

                                    The malware can be hosted on an SSL site just as easily as anything else. This defeats the web proxy right there.

                                    Google returns SSL search results for most things if it is available also.

                                    1 Reply Last reply Reply Quote 0
                                    • JaredBuschJ
                                      JaredBusch @Dashrender
                                      last edited by

                                      @Dashrender said:

                                      Yep, I'm fully aware but general web filtering should still prevent a lot of nasty things (I would think) because you still have to know the name/IP of the host you are trying to connect to.

                                      Knowing the name/IP would be DNS filtering, not web proxy filtering.

                                      DashrenderD 1 Reply Last reply Reply Quote 0
                                      • DashrenderD
                                        Dashrender @A Former User
                                        last edited by

                                        @thecreativeone91 said:

                                        @Dashrender said:

                                        Another thing I was able to accomplish last year - I removed local admin from 90% of my users, so perhaps the whole spyware/crapware thing is less of a concern now.

                                        You can still get spyware, malware and viruses in limited accounts. Heck, CryptoLocker and CryptoWall both are designed to run with admin permissions.

                                        lol, yeah I know, but at the same time, a web filter probably isn't going to save me from those either as they morph and shift so frequently the filters can't keep up.

                                        ? 1 Reply Last reply Reply Quote 0
                                        • DashrenderD
                                          Dashrender @JaredBusch
                                          last edited by

                                          @JaredBusch said:

                                          @Dashrender said:

                                          Yep, I'm fully aware but general web filtering should still prevent a lot of nasty things (I would think) because you still have to know the name/IP of the host you are trying to connect to.

                                          Knowing the name/IP would be DNS filtering, not web proxy filtering.

                                          I'm not the one who mentioned Proxy Filtering... I only said web filters.
                                          That said, the SonicWall is my only device (other than a switch) between the users and the internet. I'm not sure if it's doing true proxying or not? I do know that non-SSL traffic was being scanned for viruses, another part of the package purchased 3 years ago.

                                          Sounding like I should just forget about any protections at that level and Ubiquiti routers should be fine for me.

                                          ? 1 Reply Last reply Reply Quote 0
                                          • ?
                                            A Former User @Dashrender
                                            last edited by

                                            @Dashrender said:

                                            I'm not the one who mentioned Proxy Filtering... I only said web filters.
                                            That said, the SonicWall is my only device (other than a switch) between the users and the internet. I'm not sure if it's doing true proxying or not? I do know that non-SSL traffic was being scanned for viruses, another part of the package purchased 3 years ago.

                                            Sounds like a transparent proxy most likely. You can do SSL filtering with proxies by decrypting it and using an SSL cert on your proxy, but it is not recommended in most cases; you'll be decrypting bank information and everything else on your proxy like that.

                                            DashrenderD 1 Reply Last reply Reply Quote 0