Ad blocking/web filtering - UTM
-
Exactly - Sure EdgeRouter devices are great at the functions they have done so far, but the moment we start putting more features, it's only a matter of time before the CPU will be bogged down.
I believe this is what is wrong with the SonicWalls I currently have. Running all that UTM stuff is more than the processor can handle and bogs down the system. Sure, I could buy the next up level device for 2x the cost for what to them is a $10 upgrade (probably less) but this seems ridiculous.
Clearly in the SonicWall situation I'm better off slicing off a piece of my VM infrastructure and setting up a proxy to do filtering, even if I have to pay for the features (and hopefully I'll save some money at the same time).
-
@JaredBusch said:
The CPU is their issue. Always has been. If a function is not able to be offloaded, their throughput tanks dramatically.
Isn't it a lot more CPU than even pretty beefy Cisco devices? Their CPU is small, but I thought they had a lot more CPU than most devices in the category.
The $95 entry point UBNT device is definitely small. But when comparing to any UTM you can move up to the faster rack mount device and get a lot more horsepower while maintaining the UBNT software and cost benefits.
-
@Dashrender said:
Exactly - Sure EdgeRouter devices are great at the functions they have done so far, but the moment we start putting more features, it's only a matter of time before the CPU will be bogged down.
I agree, but that happens to all UTMs. Comparing routing to routing only, the UBNT devices are normally some of the fastest around (their claim to fame is at $300 beating Cisco at $3,000 in performance.)
-
@scottalanmiller said:
Isn't it a lot more CPU than even pretty beefy Cisco devices? Their CPU is small, but I thought they had a lot more CPU than most devices in the category.
Never compared the two, so I do not know. I was not comparing UBNT to anything. Just noting the known CPU issues with their platform. I realize all systems with UTM functionality will have some type of issue like this.
The $95 entry point UBNT device is definitely small. But when comparing to any UTM you can move up to the faster rack mount device and get a lot more horsepower while maintaining the UBNT software and cost benefits.
This is very true.
-
What about running a UTM in a VM? At least you can vertically scale if needed.
-
@johnhooks said:
What about running a UTM in a VM? At least you can vertically scale if needed.
Of course that's an option and you get "unlimited" power in that way. But having your firewall on a VM, unless it is on a one to one dedicated piece of hardware, is generally not ideal. It basically requires that an attacker already be on your network before facing the firewall. In nearly all cases, I would recommend that you stick with the physical firewall for mainline security and put the non-routing / non-firewall scanning functions onto a VM instead.
-
@scottalanmiller said:
@johnhooks said:
What about running a UTM in a VM? At least you can vertically scale if needed.
Of course that's an option and you get "unlimited" power in that way. But having your firewall on a VM, unless it is on a one to one dedicated piece of hardware, is generally not ideal. It basically requires that an attacker already be on your network before facing the firewall. In nearly all cases, I would recommend that you stick with the physical firewall for mainline security and put the non-routing / non-firewall scanning functions onto a VM instead.
Oh OK. I did it at home playing around. The UTM was the only VM with access to the WAN nic but I guess the dom0 is still public facing then? Never thought about that.
-
@johnhooks said:
@scottalanmiller said:
@johnhooks said:
What about running a UTM in a VM? At least you can vertically scale if needed.
Of course that's an option and you get "unlimited" power in that way. But having your firewall on a VM, unless it is on a one to one dedicated piece of hardware, is generally not ideal. It basically requires that an attacker already be on your network before facing the firewall. In nearly all cases, I would recommend that you stick with the physical firewall for mainline security and put the non-routing / non-firewall scanning functions onto a VM instead.
Oh OK. I did it at home playing around. The UTM was the only VM with access to the WAN nic but I guess the dom0 is still public facing then? Never thought about that.
Why would dom0 be public facing?
-
@Dashrender said:
@johnhooks said:
@scottalanmiller said:
@johnhooks said:
What about running a UTM in a VM? At least you can vertically scale if needed.
Of course that's an option and you get "unlimited" power in that way. But having your firewall on a VM, unless it is on a one to one dedicated piece of hardware, is generally not ideal. It basically requires that an attacker already be on your network before facing the firewall. In nearly all cases, I would recommend that you stick with the physical firewall for mainline security and put the non-routing / non-firewall scanning functions onto a VM instead.
Oh OK. I did it at home playing around. The UTM was the only VM with access to the WAN nic but I guess the dom0 is still public facing then? Never thought about that.
Why would dom0 be public facing?
I was guessing. The nic drivers are loaded in dom0 so does that give it an attack point even though the VM is the only one really using the interface?
-
@johnhooks said:
@scottalanmiller said:
@johnhooks said:
What about running a UTM in a VM? At least you can vertically scale if needed.
Of course that's an option and you get "unlimited" power in that way. But having your firewall on a VM, unless it is on a one to one dedicated piece of hardware, is generally not ideal. It basically requires that an attacker already be on your network before facing the firewall. In nearly all cases, I would recommend that you stick with the physical firewall for mainline security and put the non-routing / non-firewall scanning functions onto a VM instead.
Oh OK. I did it at home playing around. The UTM was the only VM with access to the WAN nic but I guess the dom0 is still public facing then? Never thought about that.
Could be, but shouldn't be. But the physical access still exists no matter what you expose to it.
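A defender's way to settle the dom0 question above is to audit the host rather than guess: the WAN NIC should be pure L2 plumbing in dom0 (no address, even link-local IPv6, on the WAN bridge) and the bridge should carry nothing but the physical NIC and the UTM guest's vif. This is an added example, not code from the thread; it assumes a Linux dom0 with iproute2, bridge names xenbr0/xenbr1, WAN NIC eth1 and guest interface vif3.1, and reads constructed sample output instead of the live commands.

```shell
#!/bin/sh
# Audit helper (added example, hypothetical interface names): confirm the
# hypervisor host only bridges the WAN NIC into the UTM VM and has no L3
# presence of its own on the WAN segment.

# Constructed sample of `ip -o addr show`. eth1 (WAN) is enslaved to xenbr1;
# xenbr0 is the management bridge that legitimately carries the host's IP.
# Note xenbr1 still has an fe80:: link-local address: reachable from the WAN.
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: xenbr0    inet 10.0.0.5/24 brd 10.0.0.255 scope global xenbr0
2: xenbr0    inet6 fe80::1/64 scope link
3: xenbr1    inet6 fe80::2/64 scope link'

# Same host after `sysctl -w net.ipv6.conf.xenbr1.disable_ipv6=1` (constructed).
SAMPLE_ADDR_FIXED='1: lo    inet 127.0.0.1/8 scope host lo
2: xenbr0    inet 10.0.0.5/24 brd 10.0.0.255 scope global xenbr0
2: xenbr0    inet6 fe80::1/64 scope link'

# Constructed sample of `bridge link show`: which port sits on which bridge.
SAMPLE_BRIDGE='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master xenbr0 state forwarding priority 32 cost 4
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master xenbr1 state forwarding priority 32 cost 4
7: vif3.0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master xenbr0 state forwarding priority 32 cost 100
8: vif3.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master xenbr1 state forwarding priority 32 cost 100'

# Print every inet/inet6 address the host holds on interface $1 (stdin = ip -o addr).
host_addrs_on() {
    awk -v ifc="$1" '$2 == ifc && ($3 == "inet" || $3 == "inet6") { print $4 }'
}

# Print the ports enslaved to bridge $1, space separated (stdin = bridge link show).
bridge_ports() {
    awk -v br="$1" '{
        for (i = 1; i < NF; i++)
            if ($i == "master" && $(i + 1) == br) { sub(/:$/, "", $2); printf "%s ", $2 }
    }'
}

# Verdict: 0 when the host has no address on bridge $1 and its only ports are
# the physical NIC $2 and the UTM vif $3; $4/$5 are the command outputs.
wan_bridge_is_isolated() {
    br=$1 nic=$2 vif=$3 addr_out=$4 bridge_out=$5
    addrs=$(printf '%s\n' "$addr_out" | host_addrs_on "$br")
    ports=$(printf '%s\n' "$bridge_out" | bridge_ports "$br")
    [ -z "$addrs" ] && [ "$ports" = "$nic $vif " ]
}
```

On a live host, feed it `$(ip -o addr show)` and `$(bridge link show)`; a failing verdict on the first sample comes from the fe80:: address, which is why the sysctl in the second sample matters.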