SMB firewall options

bbigford

There is a metric ton of vendors out there. Some use on-premesis, some point at a cloud firewall service, and there are tons of vendors in between.

For businesses under ~20 users, what do you use for a firewall, content filtering (basic stuff like porn & gambling), VPN site-to-site?

I've used:

SonicWall
pfSense (mixed with Securly for filtering)
Sophos
Cisco (though that was getting out of the price range)
Fortinet (800C down through the small units)
WatchGuard (larger X series down through their Firebox models)

Anyone using anything cloud based? Haven't really looked into it.

coliver

So... are you looking for a firewall or a UTM? If you're looking for a firewall take a look at the ER-Pro line from Ubiquiti. There are a lot of people that use them around here that love them.

brianlittlejohn

I like to filter by DNS. I use DYN's internet guide.

brianlittlejohn

Then have the firewall only allow outgoing DNS queries from my DNS servers.

thwr

Used pfSense. A bit over a decade. Never failed, expect for some broken flash drive once.

Snort is available for pfSense.

bbigford

@coliver said in SMB firewall options:

So... are you looking for a firewall or a UTM? If you're looking for a firewall take a look at the ER-Pro line from Ubiquiti. There are a lot of people that use them around here that love them.

I've only ever used their WAPs and routers. I'll have to check that out.

coliver

@brianlittlejohn said in SMB firewall options:

I like to filter by DNS. I use DYN's internet guide.

Filtering by DNS is good too. You could setup an internal proxy with something like Squid or Snort to block specific things.

zuphzuph

Untangle.

scottalanmiller

Only things I use anymore...

• Ubiquit for nearly everything.
• Sophos if they demand UTM but don't have the resources for the good stuff.
• Palo Alto if they really need edge security.

bbigford

@zuphzuph said in SMB firewall options:

Untangle.

You've gotten to mess with that more than I have. Have you checked out the content filtering and such? Does it have a VPN client? I couldn't remember if OpenVPN is available on that or if I'm thinking of pfSense...

thwr

@coliver said in SMB firewall options:

@brianlittlejohn said in SMB firewall options:

I like to filter by DNS. I use DYN's internet guide.

Filtering by DNS is good too. You could setup an internal proxy with something like Squid or Snort to block specific things.

For inbound filtering by country: https://doc.pfsense.org/index.php/Pfblocker

Reduces port scanning and such by a huge amount

scottalanmiller

When building our own, for the lab, we use VyOS on enterprise server hardware. Basically a massive EdgeRouter.

thwr

@BBigford said in SMB firewall options:

@zuphzuph said in SMB firewall options:

Untangle.

You've gotten to mess with that more than I have. Have you checked out the content filtering and such? Does it have a VPN client? I couldn't remember if OpenVPN is available on that or if I'm thinking of pfSense...

pfSense got both, client and server.

scottalanmiller

@BBigford said in SMB firewall options:

@zuphzuph said in SMB firewall options:

Untangle.

You've gotten to mess with that more than I have. Have you checked out the content filtering and such? Does it have a VPN client? I couldn't remember if OpenVPN is available on that or if I'm thinking of pfSense...

OpenVPN is on nearly everything.

bbigford

@scottalanmiller said in SMB firewall options:

@BBigford said in SMB firewall options:

@zuphzuph said in SMB firewall options:

Untangle.

You've gotten to mess with that more than I have. Have you checked out the content filtering and such? Does it have a VPN client? I couldn't remember if OpenVPN is available on that or if I'm thinking of pfSense...

OpenVPN is on nearly everything.

Then maybe I'm thinking of both.

scottalanmiller

@BBigford said in SMB firewall options:

@scottalanmiller said in SMB firewall options:

@BBigford said in SMB firewall options:

@zuphzuph said in SMB firewall options:

Untangle.

You've gotten to mess with that more than I have. Have you checked out the content filtering and such? Does it have a VPN client? I couldn't remember if OpenVPN is available on that or if I'm thinking of pfSense...

OpenVPN is on nearly everything.

Then maybe I'm thinking of both.

EdgeOS and VyOS have it too.

JaredBusch

@BBigford and FFS you still have not answer this quesiton.

@coliver said in SMB firewall options:

So... are you looking for a firewall or a UTM?

JaredBusch

Because your title only says firewall. but you are talking about UTM stuff in your post.

bbigford

@JaredBusch said in SMB firewall options:

Because your title only says firewall. but you are talking about UTM stuff in your post.

Fixed. I know it's kind of apples to oranges since one includes the other and drives up the price substantially.

scottalanmiller

@BBigford said in SMB firewall/UTM options:

@JaredBusch said in SMB firewall options:

Because your title only says firewall. but you are talking about UTM stuff in your post.

Fixed. I know it's kind of apples to oranges since one includes the other and drives up the price substantially.

And generally we don't recommend UTMs. High cost, low results.