Firewalls, the good, the bad, and the ugly.
-
@bj said in Firewalls, the good, the bad, and the ugly.:
@scottalanmiller said in Firewalls, the good, the bad, and the ugly.:
With rare exception, the only firewall I recommend is Ubiquiti.
I haven't used Ubiquiti for firewalls before. Why such a high recommendation over the competition? What do you like about them?
Higher quality, far better performance, tiny fraction of the price, more trustworthy vendor, open source... what's not to like? $100 for a unit that beats the pants off of a $3,000 ASA?
-
There are a number of issues. One is that low end "firewall" vendors are normally garbage. SonicWall, Fortinet, Cisco... they aren't just mediocre, they are actively bad. None of those would I do business with, literally, they aren't vendors I would work with. And their gear has all been problematic and their cost is outrageous.
There are okay vendors in this space, but that's as good as they get. Ubiquiti and Palo Alto are really the only two stand out vendors, Ubiquiti in the firewall space and PA in the UTM space.
-
ASAs are highly over priced. What about some of the other lower cost ones? In particular, SonicWall. Like @Tim_G, I've had fairly good experiences with SonicWall, even if they are a bit... simplistic?
-
@bj said in Firewalls, the good, the bad, and the ugly.:
ASAs are highly over priced. What about some of the other lower cost ones? In particular, SonicWall. Like @Tim_G, I've had fairly good experiences with SonicWall, even if they are a bit... simplistic?
What's a "good" experience? We've found them to be buggy and temperamental and not cost effective. In IT, anything that isn't cost effective is a failure. Like an investment that loses money.
-
In the VoIP space, it's not uncommon to tell customers that it is cheaper to replace a SonicWall with a Ubiquiti to improve your network and fix issues than it is just to tweak the SW that is already there to get it to work. You can replace a SW for less than you can manage one.
-
Interesting. I haven't had that experience, but I'm not particularly here to talk about my experiences so much as to hear other people's experiences. It sounds like you've had some rough run-ins with sonicwall, and that counts for something.
-
I used to use Watchguard and was happy with the results, but somewhat pricey.
-
@bj said in Firewalls, the good, the bad, and the ugly.:
Interesting. I haven't had that experience, but I'm not particularly here to talk about my experiences so much as to hear other people's experiences. It sounds like you've had some rough run-ins with sonicwall, and that counts for something.
It's important to note that the run ins are mostly because their defaults are broken for the VoIP space (they actually put in options that outright break VoIP traffic and turn them on by default!!) and I work in that space often, and the other major issues are in poor documentation and hidden featuers. SW isn't "bad", but since it costs more than Ubiquiti and doesn't work "as well", in business terms that's a failure.
That would be like if your Ford cost more than your Ferrari. It doesn't mean the Ford becomes worse, but at that price, it's insane to ever buy it and choosing it wouldn't be a good business option. It makes sense because it's cost effective.
-
SW are problems often enough, though, that when talking to people with VoIP audio issues, the first question we always ask is "you have a SonicWall, don't you" and something like 90% of the time, VoIP networking issues have been because they used a SonicWall. And it's always fixable, but I don't trust their engineers as they're clearly not capable of handling the basics.
-
So, I'm not familiar with Ubiquity much... they seem fairly new to the scene. I was just reading up on them and came across this:
https://en.wikipedia.org/wiki/Ubiquiti_Networks
"In 2013, it was discovered that there was a security issue in the version of the U-Boot boot loader shipped on Ubiquiti's devices. It was possible to extract the plaintext configuration from the device without leaving a trace using Trivial File Transfer Protocol (TFTP) and an Ethernet cable, revealing information such as passwords.[4]While this issue is fixed in current versions of Ubiquiti hardware, despite many requests and acknowledging that they are using this GPL-protected application, Ubiquiti refuses to provide the source code for the GNU General Public License (GPL)-licensed U-Boot.[5][6] This made it impossible (in practical terms) for Ubiquiti's customers to fix the issue."
Did you run into this? Was it as bad as it sounds?
-
I hate having a UTM on my firewall.
If you want a UTM, then setup something inside your network and properly setup your workstations to proxy through it.
I also generally dislike UTM in the first place, but some people just have to have it.
My number one router recommendation for any SMB is the Ubiquiti EdgeMax Router LITE (ERL).
For people that absolutely require paying stupid money for UTM-esque features, I will tell them to go with WatchGuard, but I can also tell you I have zero clients that went that route.
-
@Mods please add tags.
-
@JaredBusch With a recommendation like that, I can't believe none of them chose UTM!
-
@JaredBusch, but I hear you. UTM definitely adds complications to the network, and with complication comes potential for problems.
-
@bj said in Firewalls, the good, the bad, and the ugly.:
@JaredBusch With a recommendation like that, I can't believe none of them chose UTM!
Clients get a client version of "that is a f***ing stupid idea"
But you are posting here, so I assume that you are in IT and sugar coating shit among peers is one of the last things I do.
-
@JaredBusch, I appreciate that. I just thought it was funny.
-
@bj said in Firewalls, the good, the bad, and the ugly.:
So, I'm not familiar with Ubiquity much... they seem fairly new to the scene. I was just reading up on them and came across this:
https://en.wikipedia.org/wiki/Ubiquiti_Networks
"In 2013, it was discovered that there was a security issue in the version of the U-Boot boot loader shipped on Ubiquiti's devices. It was possible to extract the plaintext configuration from the device without leaving a trace using Trivial File Transfer Protocol (TFTP) and an Ethernet cable, revealing information such as passwords.[4]While this issue is fixed in current versions of Ubiquiti hardware, despite many requests and acknowledging that they are using this GPL-protected application, Ubiquiti refuses to provide the source code for the GNU General Public License (GPL)-licensed U-Boot.[5][6] This made it impossible (in practical terms) for Ubiquiti's customers to fix the issue."
Did you run into this? Was it as bad as it sounds?
Yes, they had a security issue on some stuff that was so old it wasn't supported anymore. Ubiquiti has been around for quite a while.
-
@travisdh1 said in Firewalls, the good, the bad, and the ugly.:
@bj said in Firewalls, the good, the bad, and the ugly.:
So, I'm not familiar with Ubiquity much... they seem fairly new to the scene. I was just reading up on them and came across this:
https://en.wikipedia.org/wiki/Ubiquiti_Networks
"In 2013, it was discovered that there was a security issue in the version of the U-Boot boot loader shipped on Ubiquiti's devices. It was possible to extract the plaintext configuration from the device without leaving a trace using Trivial File Transfer Protocol (TFTP) and an Ethernet cable, revealing information such as passwords.[4]While this issue is fixed in current versions of Ubiquiti hardware, despite many requests and acknowledging that they are using this GPL-protected application, Ubiquiti refuses to provide the source code for the GNU General Public License (GPL)-licensed U-Boot.[5][6] This made it impossible (in practical terms) for Ubiquiti's customers to fix the issue."
Did you run into this? Was it as bad as it sounds?
Yes, they had a security issue on some stuff that was so old it wasn't supported anymore. Ubiquiti has been around for quite a while.
Not exactly correct.
Ubiquiti's issues revolved around their AirOS line of equipment. The EdgeMax line has never had any type of issue like that.
I believe that AirOS was update to a new version and all the problems relate to an older version for discontinued hardware that Ubiquiti refused to backport and continue to support.
-
I agree the Ubiquity stuff is great for a basic firewall:
https://dl.ubnt.com/guides/edgemax/EdgeOS_UG.pdf
But if you want some of the advanced capabilities like gateway antivirus and such, SonicWALL has always been excellent in my own experience:
-
@bj said in Firewalls, the good, the bad, and the ugly.:
h security and high availability are important to us, but of course cost is always a consideration as well. What would you choose?
What are your security requirements? I have been a big proponent of Sonicwalls as I use them a lot and have been great for me. I do have to agree in terms of the VOIP where the "Enable Consistent NAT" is not checked on the Sonicwall and UDP timeout to 30 seconds by default causes problems with calls.
I use the Security Gateway Service subscription for GAV, Content Filtering and App Control. You can do DPI-SSL and so forth but again that all depends on the security requirements.