Why Are UTMs Not Recommended Generally
-
If you just want VLANs, there is no need for more than two ports on your router. You only need more than two ports when you have more than one LAN, not more than one VLAN. So that matters as to whether you need more ports or not.
-
@dave247 said in Why Are UTMs Not Recommended Generally:
Is this the ideal model?
So there is no totally accepted placement here, but I'm of the mind and I believe Cisco is as well, that your IDS is best after your edge router (inside of it) rather than outside. You don't want your IDS busy tracking all that worthless traffic out there, you only want it to see the stuff your firewall isn't blocking.
Missing from your diagram is other UTM functions like Network AV or Web Proxy, those would potentially be inline between the router and the switch as well. Not always, but optionally.
But yes, in the general sense, you have the idea...
Internet -> Firewall -> IDS -> AV, Proxy, etc. -> Switching
-
@dave247 said in Why Are UTMs Not Recommended Generally:
Yeah, I understand what you are saying about having each role of the UTM broken out into separate products and that makes sense and I can see how having the option of a system that "does it all" would be appealing to companies. Let's say I wanted to do that. What would I have to do?
The first decision point is.... do you really get value from security features beyond those of a good firewall?
If yes, then which ones specifically?
Then you'd find ways to get those specific features.
-
I understand the no need for UTM to block stuff as most routers will do it. But what about things like content filtering? How do you block unwanted websites being accesed?
-
@hobbit666 said in Why Are UTMs Not Recommended Generally:
I understand the no need for UTM to block stuff as most routers will do it. But what about things like content filtering? How do you block unwanted websites being accesed?
usually with proper VM acting as content filters/proxies
-
@hobbit666 said in Why Are UTMs Not Recommended Generally:
I understand the no need for UTM to block stuff as most routers will do it. But what about things like content filtering? How do you block unwanted websites being accesed?
Yeah that's something I was wondering too but it really comes down to just another service either through a separate appliance on the edge of the network or role enabled somewhere else such on as end-point AV. We use Trend WFBSS where I work and we can do DNS white-listing through that, but it is ideal to have it at the firewall in the event that some device isn't running the Trend AV agent. So yeah, I would have it on the edge, preferably.
-
@scottalanmiller SAMIT video?
-
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
@dave247 said in Why Are UTMs Not Recommended Generally:
Yeah, I understand what you are saying about having each role of the UTM broken out into separate products and that makes sense and I can see how having the option of a system that "does it all" would be appealing to companies. Let's say I wanted to do that. What would I have to do?
The first decision point is.... do you really get value from security features beyond those of a good firewall?
If yes, then which ones specifically?
Then you'd find ways to get those specific features.
BTW, what would be a good firewall anyway? Like every time I look up firewall, all I find is UTM
-
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
@JaredBusch said in Considering moving from SonicWall to Sophos XG (Looking for feedback on Sophos):
@dave247 I never recommend a UTM. If you are going to go UTM, then go Palo Alto.
SonicWall is crap. Sophos and Watchguard are meh.
Same advice here. Avoid UTMs nearly always (there are exceptions, but not that many), but when you need one, the you need one that is really good and that's Palo Alto. These cheesy cheap UTMs just don't cut it. They don't do that much, but cost way too much for what they do.
Not disagreeing but I'm looking for some real life examples. Simply saying one is crap or cheap, or better from a top level when others are more expensive or less expensive (I know, price not relevant for quality) doesn't cut it.
What's a real life scenario where SonicWall is crap and Palo alto wins?
-
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
@dave247 said in Considering moving from SonicWall to Sophos XG (Looking for feedback on Sophos):
@scottalanmiller said in Considering moving from SonicWall to Sophos XG (Looking for feedback on Sophos):
@dave247 said in Considering moving from SonicWall to Sophos XG (Looking for feedback on Sophos):
@scottalanmiller said in Considering moving from SonicWall to Sophos XG (Looking for feedback on Sophos):
@JaredBusch said in Considering moving from SonicWall to Sophos XG (Looking for feedback on Sophos):
@dave247 I never recommend a UTM. If you are going to go UTM, then go Palo Alto.
SonicWall is crap. Sophos and Watchguard are meh.
Same advice here. Avoid UTMs nearly always (there are exceptions, but not that many), but when you need one, the you need one that is really good and that's Palo Alto. These cheesy cheap UTMs just don't cut it. They don't do that much, but cost way too much for what they do.
Can you explain your reasoning a little more in depth? I've had mostly good experience with SonicWall..
Define good experiences. One of the problems with UTMs is that they do things that often have negative outcomes, but seem positive. They are part of what is known as security theater. They encourage false fears, and provide false results that seem to protect you against things that generally aren't really threats. It's very difficult to really find value in them, but it's easy to perceive it.
Not that they have zero value, they can have benefits. But those benefits are generally extremely nominal, while they are costly to acquire and costly to maintain.
Our appliance has protected us from various threats (IDS/IPS, Gateway AV, etc), monitoring and alerting have been nice, firewall configuration is easy, support is really good, etc.
So these are the things that I mean. How do you know that it has protected you from something? The only way to know this is for the UTM to claim it. But that's not a good measure. Those of us without UTMs are generally protected from those same things without having a UTM. So while it's essentially impossible to prove, all evidence suggests that the threats it protected you against aren't real world threats at all. You don't need an IDS or Gateway AV to protect you from them. Your normal every day $100 firewall generally blocks all that stuff already. What it doesn't block, your OS normally does, what it doesn't, the OS AV does. UTMs famously report on all kinds of things we normally ignore because they aren't really threats. That's the security theater we are talking about. Not only do they produce a panic reaction by making your network seem under attack more than it really is, they also make it seem like they are what is protecting you. When in reality, they normally do absolutely nothing of consequence.
Monitoring and alerting is "nice", but how often was it useful? What kind of monitoring are you getting? Our non-UTMs alert to basic stuff, too.
I've worked with SonicWall, if that's what you call easy, you need to check out some other stuff. It's not terrible, but I wouldn't call it good. SonicWalls cost at least double in time to set up compared to lower cost gear. That they are time waster is specifically one of the issues we typically have with them. They require more time and effort than other options. This is generally true for all UTMs, to do what they do, they require more input.
I agree here. You're going to see the utm doing more if it's the first hit. But also, I see so much that the OS and AV blocks that the Utm let's through.
-
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
If you just want VLANs, there is no need for more than two ports on your router. You only need more than two ports when you have more than one LAN, not more than one VLAN. So that matters as to whether you need more ports or not.
I don't fully understand where you are coming from here. I have a different VLAN for each different network (LAN).
Are you talking about having sub-interfaces?
-
@dave247 said in Why Are UTMs Not Recommended Generally:
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
If you just want VLANs, there is no need for more than two ports on your router. You only need more than two ports when you have more than one LAN, not more than one VLAN. So that matters as to whether you need more ports or not.
I don't fully understand where you are coming from here. I have a different VLAN for each different network (LAN).
Are you talking about having sub-interfaces?
I think he means you have different phisically separated LANs
-
@hobbit666 said in Why Are UTMs Not Recommended Generally:
I understand the no need for UTM to block stuff as most routers will do it. But what about things like content filtering? How do you block unwanted websites being accesed?
We've been doing this since the dawn of the web, UTMs are newcomers. Squid Proxy is the simplest "on your network" solution. Hosted DNS filters like pi-hole are the simplest "outside your network" solution. All kinds of ways. You can do it with your internal DNS, too. Depends on your goals.
But the first question is always.... does this really serve a business function? Content filtering can be handy, but typically undermines the business. Like most things, there is a time and a place for it, but most companies do it to prove to employees that they control them, not for any business goals.
-
@dave247 said in Why Are UTMs Not Recommended Generally:
@hobbit666 said in Why Are UTMs Not Recommended Generally:
I understand the no need for UTM to block stuff as most routers will do it. But what about things like content filtering? How do you block unwanted websites being accesed?
Yeah that's something I was wondering too but it really comes down to just another service either through a separate appliance on the edge of the network or role enabled somewhere else such on as end-point AV. We use Trend WFBSS where I work and we can do DNS white-listing through that, but it is ideal to have it at the firewall in the event that some device isn't running the Trend AV agent. So yeah, I would have it on the edge, preferably.
It should never, ever be on the edge. Having it on the edge doesn't provide the peace of mind you are envisioning, that's part of the smoke and mirrors of UTM sales. You don't even need it on your network to get that. It just has to be inline in your web processing pipeline.
-
@dave247 said in Why Are UTMs Not Recommended Generally:
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
@dave247 said in Why Are UTMs Not Recommended Generally:
Yeah, I understand what you are saying about having each role of the UTM broken out into separate products and that makes sense and I can see how having the option of a system that "does it all" would be appealing to companies. Let's say I wanted to do that. What would I have to do?
The first decision point is.... do you really get value from security features beyond those of a good firewall?
If yes, then which ones specifically?
Then you'd find ways to get those specific features.
BTW, what would be a good firewall anyway? Like every time I look up firewall, all I find is UTM
That's because that's where all of the marketing dollars go. Firewalls aren't things that people really search for anymore. And most people now just call them routers, because in the IT market since the 1990s, all routers are firewalls, and all firewalls are routers, so people sell them randomly as either. The higher end, the more likely to be called a router.
Most popular around here is Ubiquiti EdgeRouters.
-
@dave247 said in Why Are UTMs Not Recommended Generally:
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
If you just want VLANs, there is no need for more than two ports on your router. You only need more than two ports when you have more than one LAN, not more than one VLAN. So that matters as to whether you need more ports or not.
I don't fully understand where you are coming from here. I have a different VLAN for each different network (LAN).
Are you talking about having sub-interfaces?
VLANs don't require firewall ports. Physical LANs do. You are saying you have VLANs, but saying you need firewall ports for them.
Basically it works this way....
If you have VLANs to separate your LANs, you can do it all on one port.
If you have physical port separation for your LANs, you have no purpose for VLANs.
VLANs or physical separation are both fine for different use cases, neither is a terrible thing, neither is automatically better than the other. But your description of using VLANs and using six ports on your firewall don't seem to fit. In theory, should be one or the other.
-
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
@dave247 said in Why Are UTMs Not Recommended Generally:
@hobbit666 said in Why Are UTMs Not Recommended Generally:
I understand the no need for UTM to block stuff as most routers will do it. But what about things like content filtering? How do you block unwanted websites being accesed?
Yeah that's something I was wondering too but it really comes down to just another service either through a separate appliance on the edge of the network or role enabled somewhere else such on as end-point AV. We use Trend WFBSS where I work and we can do DNS white-listing through that, but it is ideal to have it at the firewall in the event that some device isn't running the Trend AV agent. So yeah, I would have it on the edge, preferably.
It should never, ever be on the edge. Having it on the edge doesn't provide the peace of mind you are envisioning, that's part of the smoke and mirrors of UTM sales. You don't even need it on your network to get that. It just has to be inline in your web processing pipeline.
I don't understand why you are saying this. The idea is to have web-filtering/white-listing on the perimeter of the network because that ensures that everything on the network has to pass through it. If we are blocking all porn and gambling categories, then this ensures that nothing in our network will ever get to those sites. It's simple positioning.
And then on this subject, having a UTM is nice because with Sophos, for example, you have systems with agents on them and then you can put users/machines in various groups and apply different web and application white-lists against them.
-
@Obsolesce said in Why Are UTMs Not Recommended Generally:
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
@JaredBusch said in Considering moving from SonicWall to Sophos XG (Looking for feedback on Sophos):
@dave247 I never recommend a UTM. If you are going to go UTM, then go Palo Alto.
SonicWall is crap. Sophos and Watchguard are meh.
Same advice here. Avoid UTMs nearly always (there are exceptions, but not that many), but when you need one, the you need one that is really good and that's Palo Alto. These cheesy cheap UTMs just don't cut it. They don't do that much, but cost way too much for what they do.
Not disagreeing but I'm looking for some real life examples. Simply saying one is crap or cheap, or better from a top level when others are more expensive or less expensive (I know, price not relevant for quality) doesn't cut it.
What's a real life scenario where SonicWall is crap and Palo alto wins?
Have you ever had to setup a SonicWall? Terrible, time consuming, interface compared to a basic firewall. It takes way longer top figure out what's going on because of all the extra steps compared to a standard firewall/router. I can have a VyOS system up and running in a half hour, with a system anyone else can look at the config and understand what's going on. SonicWall, not so much.
I don't have any experience with PaloAlto, but I'd assume it's along the same lines as SonicWall, just because it had to do all the things.
It's faster for me to setup and configure the needed network services separately than a SonicWall.
-
@dave247 said in Why Are UTMs Not Recommended Generally:
I don't understand why you are saying this. The idea is to have web-filtering/white-listing on the perimeter of the network because that ensures that everything on the network has to pass through it.
Because it's a bad place to have it and doesn't provide anything special like you are thinking. Having your proxy in your pipeline provides what you are looking for, having it on the edge doesn't guarantee that any more than having it anywhere else.
You are wanting X and stating Y and are feeling that you get X because of Y but that isn't true. This is why UTMs are selling so well, it's become common to think that they are "how" you do features, but those features are things we've had for decades, and UTMs are new, so it can't possibly be the UTM or the edge placement giving the features.
-
@dave247 said in Why Are UTMs Not Recommended Generally:
If we are blocking all porn and gambling categories, then this ensures that nothing in our network will ever get to those sites. It's simple positioning.
The position has nothing to do with it. That comes from being in the pipeline.