SonicWall support services set to expire... should I move to Ubiquiti Routers?

Dashrender

@scottalanmiller said:

I think outside of the enterprise, web filtering is mostly going away. And even there it is becoming minimized. It is becoming more and more expensive while doing less and less.

yeah I was wondering if this was the case.

Dashrender

@JaredBusch said:

Web filtering via a web proxy is really dead anyway. The world is moving to SSL and you cannot get in that anyway without setting up a more intrusive man in the middle style proxy on your network.

I would love to recommend DNS based filtering, but the only quality service I am aware of it Umbrella by OpenDNS. Unfortunately it is very expensive.

Yep, I'm fully aware but general web filtering should still prevent a lot of nasty things (I would think) because you still have to know the name/IP of the host you are trying to connect to.

scottalanmiller

@Dashrender said:

@JaredBusch said:

Web filtering via a web proxy is really dead anyway. The world is moving to SSL and you cannot get in that anyway without setting up a more intrusive man in the middle style proxy on your network.

I would love to recommend DNS based filtering, but the only quality service I am aware of it Umbrella by OpenDNS. Unfortunately it is very expensive.

Yep, I'm fully aware but general web filtering should still prevent a lot of nasty things (I would think) because you still have to know the name/IP of the host you are trying to connect to.

Yes, but that is so easy to work around. I wonder how many people are actually blocked compared to how many appear to be blocked?

Dashrender

Considering over 50% of my employees can't find google if it's not their homepage, it's a pretty good block. Those that can find google without either it being the homepage, or having a shortcut - I'm not worried about those people because they typically aren't the ones finding themselves infected with crap.

Another thing I was able to accomplish last year - I removed local admin from 90% of my users, so perhaps the whole spyware/crap ware thing is less of concern now.

A Former User

@Dashrender said:

Another thing I was able to accomplish last year - I removed local admin from 90% of my users, so perhaps the whole spyware/crap ware thing is less of concern now.

You can stll get spyware, malware and viruses in limited accounts. heck cryptolocker and crypto wall both are designed to run with admin permissions.

JaredBusch

@Dashrender said:

Considering over 50% of my employees can't find google if it's not their homepage, it's a pretty good block. Those that can find google without either it being the homepage, or having a shortcut - I'm not worried about those people because they typically aren't the ones finding themselves infected with crap.

Another thing I was able to accomplish last year - I removed local admin from 90% of my users, so perhaps the whole spyware/crap ware thing is less of concern now.

The malware can be hosted on an SSL site just as easily as anything else. This defeats the web proxy right there.

Google returns SSL search results for most things if it is available also.

JaredBusch

@Dashrender said:

Yep, I'm fully aware but general web filtering should still prevent a lot of nasty things (I would think) because you still have to know the name/IP of the host you are trying to connect to.

Knowing the name/ip would be DNS filtering not web proxy filtering.

Dashrender

@thecreativeone91 said:

@Dashrender said:

Another thing I was able to accomplish last year - I removed local admin from 90% of my users, so perhaps the whole spyware/crap ware thing is less of concern now.

You can stll get spyware, malware and viruses in limited accounts. heck cryptolocker and crypto wall both are designed to run with admin permissions.

lol, yeah I know, but at the same time, a web filter probably isn't going to save me from those either as they morph and shift so frequently the filters can't keep up.

Dashrender

@JaredBusch said:

@Dashrender said:

Yep, I'm fully aware but general web filtering should still prevent a lot of nasty things (I would think) because you still have to know the name/IP of the host you are trying to connect to.

Knowing the name/ip would be DNS filtering not web proxy filtering.

I'm not the one who mentioned Proxy Filtering... I only said web filters.
That said, the Sonic Wall is my only device (other than a switch) between the users and the internet. I'm not sure if it's doing true proxying or not? I don know that non SSL traffic was being scanned for viruii, another part of the packaged purchased 3 years ago..

Sounding like i should just forget about any protections at that level and Ubiquiti routers should be fine for me.

A Former User

@Dashrender said:

I'm not the one who mentioned Proxy Filtering... I only said web filters.
That said, the Sonic Wall is my only device (other than a switch) between the users and the internet. I'm not sure if it's doing true proxying or not? I don know that non SSL traffic was being scanned for viruii, another part of the packaged purchased 3 years ago..

Sounds like a transparent proxy most likely. You can do SSL filtering with proxies by decrypting it and using an SSL cert on your proxy but it is not recommended in most cases, you'll be decrypting bank information and everything else on your proxy like that.

A Former User

@Dashrender said:

lol, yeah I know, but at the same time, a web filter probably isn't going to save me from those either as they morph and shift so frequently the filters can't keep up.

No one solution will prevent them. But a network level DNS filter or firewall to stop Malware, spyware etc can be an important part of the solution.

Dashrender

@thecreativeone91 said:

@Dashrender said:

I'm not the one who mentioned Proxy Filtering... I only said web filters.
That said, the Sonic Wall is my only device (other than a switch) between the users and the internet. I'm not sure if it's doing true proxying or not? I don know that non SSL traffic was being scanned for viruii, another part of the packaged purchased 3 years ago..

Sounds like a transparent proxy most likely. You can do SSL filtering with proxies by decrypting it and using an SSL cert on your proxy but it is not recommended in most cases, you'll be decrypting bank information and everything else on your proxy like that.

I'm personally not against that, this is my company network, our policy states that anything you do on it can be monitored by the company... don't read more into that than is there

Dashrender

@thecreativeone91 said:

@Dashrender said:

lol, yeah I know, but at the same time, a web filter probably isn't going to save me from those either as they morph and shift so frequently the filters can't keep up.

No one solution will prevent them. But a network level DNS filter or firewall to stop Malware, spyware etc can be an important part of the solution.

If NXfilter is priced better than that other option, OpenDNS, it might be doable. But as Scott mentioned, who's driving it, and is the cost really worth the provided value.

Currently I'm driving (that is, IT is driving it) to help keep our network safer. The price of the features with SonicWall weren't outrageous. But my current box is EOL. I can pay to keep the current thing active for a few more years, or upgrade to the current model... if I'm upgrading I might as well move to something we all agree is something better, less troublesome. And well perhaps the Gateway transparent proxying and AV scanning might not have been worth it... until we live without it for a while again I can't really say.

A Former User

@Dashrender said:

If NXfilter is priced better than that other option, OpenDNS, it might be doable. But as Scott mentioned, who's driving it, and is the cost really worth the provided value.

It's free for the non-hosted option.

scottalanmiller

I'm thinking about firing one up in a VM that I put on Pertino. Would be awesome to have a simple way to appear as being from the US rather than Spain.

Dashrender

@scottalanmiller said:

I'm thinking about firing one up in a VM that I put on Pertino. Would be awesome to have a simple way to appear as being from the US rather than Spain.

I'm sorry..one what?

scottalanmiller

NXFilter

Dashrender

@thecreativeone91 said:

@Dashrender said:

If NXfilter is priced better than that other option, OpenDNS, it might be doable. But as Scott mentioned, who's driving it, and is the cost really worth the provided value.

It's free for the non-hosted option.

I don't seem to see a cost involved for any situation on their website, did I miss it?

coliver

@Dashrender said:

@thecreativeone91 said:

@Dashrender said:

If NXfilter is priced better than that other option, OpenDNS, it might be doable. But as Scott mentioned, who's driving it, and is the cost really worth the provided value.

It's free for the non-hosted option.

I don't seem to see a cost involved for any situation on their website, did I miss it?

They have a cloud option that does cost money.

A Former User

@Dashrender said:

@thecreativeone91 said:

@Dashrender said:

If NXfilter is priced better than that other option, OpenDNS, it might be doable. But as Scott mentioned, who's driving it, and is the cost really worth the provided value.

It's free for the non-hosted option.

I don't seem to see a cost involved for any situation on their website, did I miss it?

It's not listed but he has hosted options from people using the Nx-filter cloud which does cost.

http://www.nxfilter.org/tutorial.html#cloud_what