Ad blocking/web filtering - UTM
-
@scottalanmiller said:
Seen as low powered? Their throughput is one of their claims to fame. What about them is feeling anemic to you?
The CPU is their issue. Always has been. If a function is not able to be offloaded, their throughput tanks dramatically.
How much this new DPI stuff will impact the CPU can dramatically impact the performance of any of the EdgeMax devices.
-
Exactly. Sure, EdgeRouter devices are great at the functions they have done so far, but the moment we start putting in more features, it's only a matter of time before the CPU will be bogged down.
I believe this is what is wrong with the SonicWalls I currently have. Running all that UTM stuff is more than the processor can handle and bogs down the system. Sure, I could buy the next level up device for 2x the cost for what to them is a $10 upgrade (probably less), but this seems ridiculous.
Clearly in the SonicWall situation I'm better off slicing off a piece of my VM infrastructure and setting up a proxy to do filtering, even if I have to pay for the features (and hopefully I'll save some money at the same time).
-
@JaredBusch said:
The CPU is their issue. Always has been. If a function is not able to be offloaded, their throughput tanks dramatically.
Isn't it a lot more CPU than even pretty beefy Cisco devices? Their CPU is small, but I thought they had a lot more CPU than most devices in the category.
The $95 entry point UBNT device is definitely small. But when comparing to any UTM you can move up to the faster rack mount device and get a lot more horsepower while maintaining the UBNT software and cost benefits.
-
@Dashrender said:
Exactly. Sure, EdgeRouter devices are great at the functions they have done so far, but the moment we start putting in more features, it's only a matter of time before the CPU will be bogged down.
I agree, but that happens to all UTMs. Comparing routing to routing only, the UBNT devices are normally some of the fastest around (their claim to fame is beating Cisco at $3,000 in performance at $300).
-
@scottalanmiller said:
Isn't it a lot more CPU than even pretty beefy Cisco devices? Their CPU is small, but I thought they had a lot more CPU than most devices in the category.
Never compared the two, so I do not know. I was not comparing UBNT to anything. Just noting the known CPU issues with their platform. I realize all systems with UTM functionality will have some type of issue like this.
The $95 entry point UBNT device is definitely small. But when comparing to any UTM you can move up to the faster rack mount device and get a lot more horsepower while maintaining the UBNT software and cost benefits.
This is very true.
-
What about running a UTM in a VM? At least you can vertically scale if needed.
-
@johnhooks said:
What about running a UTM in a VM? At least you can vertically scale if needed.
Of course that's an option and you get "unlimited" power in that way. But having your firewall on a VM, unless it is on a one to one dedicated piece of hardware, is generally not ideal. It basically requires that an attacker already be on your network before facing the firewall. In nearly all cases, I would recommend that you stick with the physical firewall for mainline security and put the non-routing / non-firewall scanning functions onto a VM instead.
-
@scottalanmiller said:
@johnhooks said:
What about running a UTM in a VM? At least you can vertically scale if needed.
Of course that's an option and you get "unlimited" power in that way. But having your firewall on a VM, unless it is on a one to one dedicated piece of hardware, is generally not ideal. It basically requires that an attacker already be on your network before facing the firewall. In nearly all cases, I would recommend that you stick with the physical firewall for mainline security and put the non-routing / non-firewall scanning functions onto a VM instead.
Oh OK. I did it at home playing around. The UTM was the only VM with access to the WAN NIC, but I guess the dom0 is still public facing then? Never thought about that.
-
@johnhooks said:
@scottalanmiller said:
@johnhooks said:
What about running a UTM in a VM? At least you can vertically scale if needed.
Of course that's an option and you get "unlimited" power in that way. But having your firewall on a VM, unless it is on a one to one dedicated piece of hardware, is generally not ideal. It basically requires that an attacker already be on your network before facing the firewall. In nearly all cases, I would recommend that you stick with the physical firewall for mainline security and put the non-routing / non-firewall scanning functions onto a VM instead.
Oh OK. I did it at home playing around. The UTM was the only VM with access to the WAN NIC, but I guess the dom0 is still public facing then? Never thought about that.
Why would dom0 be public facing?
-
@Dashrender said:
@johnhooks said:
@scottalanmiller said:
@johnhooks said:
What about running a UTM in a VM? At least you can vertically scale if needed.
Of course that's an option and you get "unlimited" power in that way. But having your firewall on a VM, unless it is on a one to one dedicated piece of hardware, is generally not ideal. It basically requires that an attacker already be on your network before facing the firewall. In nearly all cases, I would recommend that you stick with the physical firewall for mainline security and put the non-routing / non-firewall scanning functions onto a VM instead.
Oh OK. I did it at home playing around. The UTM was the only VM with access to the WAN NIC, but I guess the dom0 is still public facing then? Never thought about that.
Why would dom0 be public facing?
I was guessing. The NIC drivers are loaded in dom0, so does that give it an attack point even though the VM is the only one really using the interface?
-
@johnhooks said:
@scottalanmiller said:
@johnhooks said:
What about running a UTM in a VM? At least you can vertically scale if needed.
Of course that's an option and you get "unlimited" power in that way. But having your firewall on a VM, unless it is on a one to one dedicated piece of hardware, is generally not ideal. It basically requires that an attacker already be on your network before facing the firewall. In nearly all cases, I would recommend that you stick with the physical firewall for mainline security and put the non-routing / non-firewall scanning functions onto a VM instead.
Oh OK. I did it at home playing around. The UTM was the only VM with access to the WAN NIC, but I guess the dom0 is still public facing then? Never thought about that.
Could be, but shouldn't be. But the physical access still exists no matter what you expose to it.
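The dom0 question above ("could be, but shouldn't be") comes down to two things a practitioner can actually check on a Xen host: whether dom0 still has a native driver bound to the WAN NIC, and whether dom0 holds an address on the WAN-side interface. The script below is an added example, not code from the thread or from any poster's setup. It assumes, hypothetically, that the WAN NIC is PCI function 0000:03:00.0, that a second NIC 0000:04:00.0 is dom0's own LAN port, and that the WAN bridge is called xenbr1; the sysfs tree and the `ip -o -4 addr` output it audits are constructed inline so it runs offline. On a real host the NIC is hidden from dom0 with `xl pci-assignable-add 03:00.0` (or `xen-pciback.hide=(03:00.0)` on the dom0 kernel command line) and handed to the UTM domU with `pci = [ '03:00.0' ]` in its xl config; after that, dom0's sysfs shows the device bound to pciback rather than to e1000e or similar.

```shell
#!/bin/sh
# Added example, not code from the thread. Audit a Xen dom0 for the case
# discussed above: a UTM/firewall domU that should be the only thing
# touching the WAN NIC. Two checks:
#   1. the NIC's PCI function is bound to Xen's pciback, so dom0 holds no
#      native driver for it and only the domU it is passed through to talks
#      to the hardware;
#   2. dom0 carries no IPv4 address on the WAN-side interface or bridge.
# Hypothetical assumptions: WAN NIC is 0000:03:00.0, dom0's LAN port is
# 0000:04:00.0, the WAN bridge is xenbr1.

# Print the driver bound to PCI device $2 under sysfs root $1 ("none" if unbound).
pci_driver() {
    link="$1/sys/bus/pci/devices/$2/driver"
    if [ -L "$link" ]; then
        basename "$(readlink "$link")"
    else
        echo none
    fi
}

# Return 0 when device $2 under root $1 is owned by pciback, i.e. hidden from dom0.
wan_nic_hidden() {
    case "$(pci_driver "$1" "$2")" in
        pciback|xen-pciback) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `ip -o -4 addr` output on stdin; print each interface holding an IPv4 address.
ifaces_with_ipv4() {
    awk '$3 == "inet" { print $2 }'
}

# Return 0 when interface $2 has no IPv4 address in the `ip -o -4 addr` text $1.
dom0_has_no_ipv4_on() {
    ! printf '%s\n' "$1" | ifaces_with_ipv4 | grep -qxF "$2"
}

# Constructed sysfs tree (not a real host) so the checks run offline:
# 03:00.0 is bound to pciback, 04:00.0 to the native e1000e driver.
make_demo_sysfs() {
    root=$(mktemp -d)
    mkdir -p "$root/sys/bus/pci/devices/0000:03:00.0" \
             "$root/sys/bus/pci/devices/0000:04:00.0" \
             "$root/sys/bus/pci/drivers/pciback" \
             "$root/sys/bus/pci/drivers/e1000e"
    ln -s ../../../../bus/pci/drivers/pciback "$root/sys/bus/pci/devices/0000:03:00.0/driver"
    ln -s ../../../../bus/pci/drivers/e1000e  "$root/sys/bus/pci/devices/0000:04:00.0/driver"
    echo "$root"
}

# Constructed `ip -o -4 addr` output for dom0: loopback and the LAN port only.
DEMO_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever'

# Run both checks; return 1 if either fails so the script can gate a deploy step.
audit_dom0() {
    root=$1; wan_bdf=$2; ip_text=$3; wan_if=$4; status=0
    if wan_nic_hidden "$root" "$wan_bdf"; then
        echo "OK   $wan_bdf is bound to pciback; dom0 has no driver on the WAN NIC"
    else
        echo "FAIL $wan_bdf is driven by '$(pci_driver "$root" "$wan_bdf")' in dom0"; status=1
    fi
    if dom0_has_no_ipv4_on "$ip_text" "$wan_if"; then
        echo "OK   dom0 holds no IPv4 address on $wan_if"
    else
        echo "FAIL dom0 is addressable on $wan_if"; status=1
    fi
    return $status
}

demo_root=$(make_demo_sysfs)
audit_dom0 "$demo_root" 0000:03:00.0 "$DEMO_IP_ADDR" xenbr1
rm -rf "$demo_root"
```

To run it against a live dom0 instead of the constructed data, pass `/` as the sysfs root and feed it `"$(ip -o -4 addr)"`. Passing the check only proves dom0 is not driving or addressed on that NIC; the hypervisor and dom0 still sit on the same physical box as the firewall, which is the point of the recommendation to keep the mainline firewall on dedicated hardware.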