Firewalls, the good, the bad, and the ugly.



  • We're looking at replacing firewalls at our office, both for production and office. We don't have a ton of traffic (less than 100mbps). Both security and high availability are important to us, but of course cost is always a consideration as well. What would you choose?

    @scottalanmiller I saw on a different thread you advocating for pfSense. Do you feel like pfSense has any downsides? What about other more name brand solutions? I've personally used ASA's, SonicWalls, and PaloAlto's. I loved the PA's but they came at a hefty price. Layer 7 inspection seems to be the way the security industry is pushing, and would love to see that in open source products, but I don't yet see that anywhere.

    Thanks in advance.

    Edited: Tags added.



  • The SonicWALL 4600s have some good capabilities. Not sure what your budget is, but they work well.

    One example, is they don't even let the wcry crap through. Even https inspection.

    Edit: I got this in an email from SonicWALL a while ago:

    Note: SonicWall firewall customers with active and properly installed Gateway Anti-virus security subscriptions are safe and have been protected against the WannaCry outbreak.


  • Service Provider

    @bj said in Firewalls, the good, the bad, and the ugly.:

    @scottalanmiller I saw on a different thread you advocating for pfSense. Do you feel like pfSense has any downsides?

It's a "build it yourself" platform. It's good for that, but I wouldn't use that in business. Building your own networking gear is great for hobbyists looking to learn but really doesn't have a good place in a business environment. Not even at home, unless building your own is the actual goal.


  • Service Provider

    @bj said in Firewalls, the good, the bad, and the ugly.:

    We're looking at replacing firewalls at our office, both for production and office. We don't have a ton of traffic (less than 100mbps). Both security and high availability are important to us, but of course cost is always a consideration as well. What would you choose?

With rare exception, the only firewall I recommend is Ubiquiti. If you need more than they offer, you should be in the $10K range for routers and looking at Sophos or, more likely, Palo Alto for UTM.


  • Service Provider

    @bj said in Firewalls, the good, the bad, and the ugly.:

    I've personally used ASA's, SonicWalls, and PaloAlto's. I loved the PA's but they came at a hefty price. Layer 7 inspection seems to be the way the security industry is pushing, and would love to see that in open source products, but I don't yet see that anywhere.

    ASA and SW I won't touch. PA is great, but only for special cases. PA is the only UTM I really recommend. But I rarely recommend UTM. It's mostly a sales gimmick (until you get to the PA range.)



  • @scottalanmiller said in Firewalls, the good, the bad, and the ugly.:

    With rare exception, the only firewall I recommend is Ubiquiti.

    I haven't used Ubiquiti for firewalls before. Why such a high recommendation over the competition? What do you like about them?


  • Service Provider

    @bj said in Firewalls, the good, the bad, and the ugly.:

    @scottalanmiller said in Firewalls, the good, the bad, and the ugly.:

    With rare exception, the only firewall I recommend is Ubiquiti.

    I haven't used Ubiquiti for firewalls before. Why such a high recommendation over the competition? What do you like about them?

    Higher quality, far better performance, tiny fraction of the price, more trustworthy vendor, open source... what's not to like? $100 for a unit that beats the pants off of a $3,000 ASA?


  • Service Provider

    There are a number of issues. One is that low end "firewall" vendors are normally garbage. SonicWall, Fortinet, Cisco... they aren't just mediocre, they are actively bad. None of those would I do business with, literally, they aren't vendors I would work with. And their gear has all been problematic and their cost is outrageous.

    There are okay vendors in this space, but that's as good as they get. Ubiquiti and Palo Alto are really the only two stand out vendors, Ubiquiti in the firewall space and PA in the UTM space.



  • ASAs are highly over priced. What about some of the other lower cost ones? In particular, SonicWall. Like @Tim_G, I've had fairly good experiences with SonicWall, even if they are a bit... simplistic?


  • Service Provider

    @bj said in Firewalls, the good, the bad, and the ugly.:

    ASAs are highly over priced. What about some of the other lower cost ones? In particular, SonicWall. Like @Tim_G, I've had fairly good experiences with SonicWall, even if they are a bit... simplistic?

    What's a "good" experience? We've found them to be buggy and temperamental and not cost effective. In IT, anything that isn't cost effective is a failure. Like an investment that loses money.


  • Service Provider

    In the VoIP space, it's not uncommon to tell customers that it is cheaper to replace a SonicWall with a Ubiquiti to improve your network and fix issues than it is just to tweak the SW that is already there to get it to work. You can replace a SW for less than you can manage one.



  • Interesting. I haven't had that experience, but I'm not particularly here to talk about my experiences so much as to hear other people's experiences. It sounds like you've had some rough run-ins with sonicwall, and that counts for something.



  • I used to use Watchguard and was happy with the results, but somewhat pricey.


  • Service Provider

    @bj said in Firewalls, the good, the bad, and the ugly.:

    Interesting. I haven't had that experience, but I'm not particularly here to talk about my experiences so much as to hear other people's experiences. It sounds like you've had some rough run-ins with sonicwall, and that counts for something.

It's important to note that the run-ins are mostly because their defaults are broken for the VoIP space (they actually put in options that outright break VoIP traffic and turn them on by default!!) and I work in that space often, and the other major issues are in poor documentation and hidden features. SW isn't "bad", but since it costs more than Ubiquiti and doesn't work "as well", in business terms that's a failure.

    That would be like if your Ford cost more than your Ferrari. It doesn't mean the Ford becomes worse, but at that price, it's insane to ever buy it and choosing it wouldn't be a good business option. It makes sense because it's cost effective.


  • Service Provider

    SW are problems often enough, though, that when talking to people with VoIP audio issues, the first question we always ask is "you have a SonicWall, don't you" and something like 90% of the time, VoIP networking issues have been because they used a SonicWall. And it's always fixable, but I don't trust their engineers as they're clearly not capable of handling the basics.



So, I'm not familiar with Ubiquiti much... they seem fairly new to the scene. I was just reading up on them and came across this:
    https://en.wikipedia.org/wiki/Ubiquiti_Networks
    "In 2013, it was discovered that there was a security issue in the version of the U-Boot boot loader shipped on Ubiquiti's devices. It was possible to extract the plaintext configuration from the device without leaving a trace using Trivial File Transfer Protocol (TFTP) and an Ethernet cable, revealing information such as passwords.[4]

    While this issue is fixed in current versions of Ubiquiti hardware, despite many requests and acknowledging that they are using this GPL-protected application, Ubiquiti refuses to provide the source code for the GNU General Public License (GPL)-licensed U-Boot.[5][6] This made it impossible (in practical terms) for Ubiquiti's customers to fix the issue."

    Did you run into this? Was it as bad as it sounds?


  • Service Provider

    I hate having a UTM on my firewall.

    If you want a UTM, then setup something inside your network and properly setup your workstations to proxy through it.

    I also generally dislike UTM in the first place, but some people just have to have it.

    My number one router recommendation for any SMB is the Ubiquiti EdgeMax Router LITE (ERL).

    For people that absolutely require paying stupid money for UTM-esque features, I will tell them to go with WatchGuard, but I can also tell you I have zero clients that went that route.


  • Service Provider

    @Mods please add tags.



  • @JaredBusch With a recommendation like that, I can't believe none of them chose UTM! :-P



  • @JaredBusch, but I hear you. UTM definitely adds complications to the network, and with complication comes potential for problems.


  • Service Provider

    @bj said in Firewalls, the good, the bad, and the ugly.:

    @JaredBusch With a recommendation like that, I can't believe none of them chose UTM! :-P

    Clients get a client version of "that is a fucking stupid idea"

    But you are posting here, so I assume that you are in IT and sugar coating shit among peers is one of the last things I do.



  • @JaredBusch, I appreciate that. I just thought it was funny.



  • @bj said in Firewalls, the good, the bad, and the ugly.:

So, I'm not familiar with Ubiquiti much... they seem fairly new to the scene. I was just reading up on them and came across this:
    https://en.wikipedia.org/wiki/Ubiquiti_Networks
    "In 2013, it was discovered that there was a security issue in the version of the U-Boot boot loader shipped on Ubiquiti's devices. It was possible to extract the plaintext configuration from the device without leaving a trace using Trivial File Transfer Protocol (TFTP) and an Ethernet cable, revealing information such as passwords.[4]

    While this issue is fixed in current versions of Ubiquiti hardware, despite many requests and acknowledging that they are using this GPL-protected application, Ubiquiti refuses to provide the source code for the GNU General Public License (GPL)-licensed U-Boot.[5][6] This made it impossible (in practical terms) for Ubiquiti's customers to fix the issue."

    Did you run into this? Was it as bad as it sounds?

    Yes, they had a security issue on some stuff that was so old it wasn't supported anymore. Ubiquiti has been around for quite a while.


  • Service Provider

    @travisdh1 said in Firewalls, the good, the bad, and the ugly.:

    @bj said in Firewalls, the good, the bad, and the ugly.:

So, I'm not familiar with Ubiquiti much... they seem fairly new to the scene. I was just reading up on them and came across this:
    https://en.wikipedia.org/wiki/Ubiquiti_Networks
    "In 2013, it was discovered that there was a security issue in the version of the U-Boot boot loader shipped on Ubiquiti's devices. It was possible to extract the plaintext configuration from the device without leaving a trace using Trivial File Transfer Protocol (TFTP) and an Ethernet cable, revealing information such as passwords.[4]

    While this issue is fixed in current versions of Ubiquiti hardware, despite many requests and acknowledging that they are using this GPL-protected application, Ubiquiti refuses to provide the source code for the GNU General Public License (GPL)-licensed U-Boot.[5][6] This made it impossible (in practical terms) for Ubiquiti's customers to fix the issue."

    Did you run into this? Was it as bad as it sounds?

    Yes, they had a security issue on some stuff that was so old it wasn't supported anymore. Ubiquiti has been around for quite a while.

    Not exactly correct.

    Ubiquiti's issues revolved around their AirOS line of equipment. The EdgeMax line has never had any type of issue like that.

I believe that AirOS was updated to a new version and all the problems relate to an older version for discontinued hardware that Ubiquiti refused to backport and continue to support.



I agree the Ubiquiti stuff is great for a basic firewall:

    https://dl.ubnt.com/guides/edgemax/EdgeOS_UG.pdf

    But if you want some of the advanced capabilities like gateway antivirus and such, SonicWALL has always been excellent in my own experience:

    https://www.sonicwall.com/products/nsa-4600/



  • @bj said in Firewalls, the good, the bad, and the ugly.:

Both security and high availability are important to us, but of course cost is always a consideration as well. What would you choose?

    What are your security requirements? I have been a big proponent of Sonicwalls as I use them a lot and have been great for me. I do have to agree in terms of the VOIP where the "Enable Consistent NAT" is not checked on the Sonicwall and UDP timeout to 30 seconds by default causes problems with calls.

    I use the Security Gateway Service subscription for GAV, Content Filtering and App Control. You can do DPI-SSL and so forth but again that all depends on the security requirements.



I haven't spoken with management about the layer 7 security features that can be had on firewalls yet. The device we are moving away from (pfSense) is essentially a layer 4 device. So far the requirements we have talked about have been around reliability and HA. Though I know that security is important to them, I wasn't planning on getting into the details about the security features of layer 7 firewalls until I had proposals to put in front of them (though I have mentioned one cool feature the PAs have). Right now, I'm trying to decide which firewalls to include in that round-up. At the moment, from what I've heard here, we'll probably be talking about SW, Ubiquiti, and PA. My experience with SW has been like yours. Yes, you do have to change some settings to configure them right, but once in place, they've been fairly stable for me. On the other hand, if Ubiquiti has a good firewall, I'm open to that possibility as well. And if we can spend the money for it, the PAs definitely get my vote.



@Tim_G, @scottalanmiller, looking at their website, it looks like Ubiquiti doesn't offer any NGFW features like DPI or filtering. Is that correct? Or am I missing something? (Not that that would rule them out, just making sure I know what they are.)



  • I gotta ask.... Has anyone ever even heard about a major virus that spread through the internet, attacking and penetrating your everyday routers and basic firewalls? And DPI/SPI is not worth much if you aren't configuring your router to do anything with that info.

    Let your firewall/router do its job and if you need more features it falls to a proxy server or outside service like webroot.

    I much preferred M0n0wall to PFSENSE, but since Manuel is busy doing other things everyone had to move to PFSENSE. I disagreed that the project had run its course.

    A Palo Alto device is not for you if you are posting these kinds of questions. And that's not a slight to you. PA customers have specific issues (like being targeted for attack) that brought them to pay that sticker price.

Sonicwall MAYBE was a good option 10 years ago. 99% of your SonicWALL guys use it because they have been using it for 10+ years and you can't really argue with them about it. It's familiar but it offers zero real benefits over a Ubiquiti Edgemax.

Your Ubiquiti USG can tie into a Unifi controller you could host on Vultr. So you get a self-hosted Meraki experience. Last I evaluated, USG had some bugs vs Edgemax so I can only speak to the latter. I would assume those issues are resolved by now. @scottalanmiller or @JaredBusch would know.


  • Service Provider

    @bigbear I only have a single USG in the wild. It is not a device I would actually deploy to most places.

The one I have out there is in a very small stand-alone business. The USG runs EdgeOS under the hood, but you have no direct access to it. It only works through the Controller. Specific customization can only be done by creating a special text file and putting it in a specific location.


