Firewalls, the good, the bad, and the ugly.

bj

We're looking at replacing firewalls at our office, both for production and office. We don't have a ton of traffic (less than 100mbps). Both security and high availability are important to us, but of course cost is always a consideration as well. What would you choose?

@scottalanmiller I saw on a different thread you advocating for pfSense. Do you feel like pfSense has any downsides? What about other more name brand solutions? I've personally used ASA's, SonicWalls, and PaloAlto's. I loved the PA's but they came at a hefty price. Layer 7 inspection seems to be the way the security industry is pushing, and would love to see that in open source products, but I don't yet see that anywhere.

Thanks in advance.

Edited: Tags added.

Obsolesce

The SonicWALL 4600s have some good capabilities. Not sure what your budget is, but they work well.

One example, is they don't even let the wcry crap through. Even https inspection.

Edit: I got this in an email from SonicWALL a while ago:

Note: SonicWall firewall customers with active and properly installed Gateway Anti-virus security subscriptions are safe and have been protected against the WannaCry outbreak.

scottalanmiller

@bj said in Firewalls, the good, the bad, and the ugly.:

@scottalanmiller I saw on a different thread you advocating for pfSense. Do you feel like pfSense has any downsides?

It's a "build it yourself" platform. It's good for that, but I wouldn't use that in business. Building your own networking gear is great for hobbyists looking to learn but really doesn't have a good place in a business environment. not even at home, unless building your own is the actual goal.

scottalanmiller

@bj said in Firewalls, the good, the bad, and the ugly.:

We're looking at replacing firewalls at our office, both for production and office. We don't have a ton of traffic (less than 100mbps). Both security and high availability are important to us, but of course cost is always a consideration as well. What would you choose?

With rare exception, the only firewall I recommend is Ubiquiti. If you need more than they offer, you should be in the $10K range for routers and looking at Sophos or are more likely Palo Alto for UTM.

scottalanmiller

@bj said in Firewalls, the good, the bad, and the ugly.:

I've personally used ASA's, SonicWalls, and PaloAlto's. I loved the PA's but they came at a hefty price. Layer 7 inspection seems to be the way the security industry is pushing, and would love to see that in open source products, but I don't yet see that anywhere.

ASA and SW I won't touch. PA is great, but only for special cases. PA is the only UTM I really recommend. But I rarely recommend UTM. It's mostly a sales gimmick (until you get to the PA range.)

bj

@scottalanmiller said in Firewalls, the good, the bad, and the ugly.:

With rare exception, the only firewall I recommend is Ubiquiti.

I haven't used Ubiquiti for firewalls before. Why such a high recommendation over the competition? What do you like about them?

scottalanmiller

@bj said in Firewalls, the good, the bad, and the ugly.:

@scottalanmiller said in Firewalls, the good, the bad, and the ugly.:

With rare exception, the only firewall I recommend is Ubiquiti.

I haven't used Ubiquiti for firewalls before. Why such a high recommendation over the competition? What do you like about them?

Higher quality, far better performance, tiny fraction of the price, more trustworthy vendor, open source... what's not to like? $100 for a unit that beats the pants off of a $3,000 ASA?

scottalanmiller

There are a number of issues. One is that low end "firewall" vendors are normally garbage. SonicWall, Fortinet, Cisco... they aren't just mediocre, they are actively bad. None of those would I do business with, literally, they aren't vendors I would work with. And their gear has all been problematic and their cost is outrageous.

There are okay vendors in this space, but that's as good as they get. Ubiquiti and Palo Alto are really the only two stand out vendors, Ubiquiti in the firewall space and PA in the UTM space.

bj

ASAs are highly over priced. What about some of the other lower cost ones? In particular, SonicWall. Like @Tim_G, I've had fairly good experiences with SonicWall, even if they are a bit... simplistic?

scottalanmiller

@bj said in Firewalls, the good, the bad, and the ugly.:

ASAs are highly over priced. What about some of the other lower cost ones? In particular, SonicWall. Like @Tim_G, I've had fairly good experiences with SonicWall, even if they are a bit... simplistic?

What's a "good" experience? We've found them to be buggy and temperamental and not cost effective. In IT, anything that isn't cost effective is a failure. Like an investment that loses money.

scottalanmiller

In the VoIP space, it's not uncommon to tell customers that it is cheaper to replace a SonicWall with a Ubiquiti to improve your network and fix issues than it is just to tweak the SW that is already there to get it to work. You can replace a SW for less than you can manage one.

bj

Interesting. I haven't had that experience, but I'm not particularly here to talk about my experiences so much as to hear other people's experiences. It sounds like you've had some rough run-ins with sonicwall, and that counts for something.

s.hackleman

I used to use Watchguard and was happy with the results, but somewhat pricey.

scottalanmiller

@bj said in Firewalls, the good, the bad, and the ugly.:

Interesting. I haven't had that experience, but I'm not particularly here to talk about my experiences so much as to hear other people's experiences. It sounds like you've had some rough run-ins with sonicwall, and that counts for something.

It's important to note that the run ins are mostly because their defaults are broken for the VoIP space (they actually put in options that outright break VoIP traffic and turn them on by default!!) and I work in that space often, and the other major issues are in poor documentation and hidden featuers. SW isn't "bad", but since it costs more than Ubiquiti and doesn't work "as well", in business terms that's a failure.

That would be like if your Ford cost more than your Ferrari. It doesn't mean the Ford becomes worse, but at that price, it's insane to ever buy it and choosing it wouldn't be a good business option. It makes sense because it's cost effective.

scottalanmiller

SW are problems often enough, though, that when talking to people with VoIP audio issues, the first question we always ask is "you have a SonicWall, don't you" and something like 90% of the time, VoIP networking issues have been because they used a SonicWall. And it's always fixable, but I don't trust their engineers as they're clearly not capable of handling the basics.

bj

So, I'm not familiar with Ubiquity much... they seem fairly new to the scene. I was just reading up on them and came across this:
https://en.wikipedia.org/wiki/Ubiquiti_Networks
"In 2013, it was discovered that there was a security issue in the version of the U-Boot boot loader shipped on Ubiquiti's devices. It was possible to extract the plaintext configuration from the device without leaving a trace using Trivial File Transfer Protocol (TFTP) and an Ethernet cable, revealing information such as passwords.[4]

While this issue is fixed in current versions of Ubiquiti hardware, despite many requests and acknowledging that they are using this GPL-protected application, Ubiquiti refuses to provide the source code for the GNU General Public License (GPL)-licensed U-Boot.[5][6] This made it impossible (in practical terms) for Ubiquiti's customers to fix the issue."

Did you run into this? Was it as bad as it sounds?

JaredBusch

I hate having a UTM on my firewall.

If you want a UTM, then setup something inside your network and properly setup your workstations to proxy through it.

I also generally dislike UTM in the first place, but some people just have to have it.

My number one router recommendation for any SMB is the Ubiquiti EdgeMax Router LITE (ERL).

For people that absolutely require paying stupid money for UTM-esque features, I will tell them to go with WatchGuard, but I can also tell you I have zero clients that went that route.

JaredBusch

@Mods please add tags.

bj

@JaredBusch With a recommendation like that, I can't believe none of them chose UTM!

bj

@JaredBusch, but I hear you. UTM definitely adds complications to the network, and with complication comes potential for problems.