Why Are UTMs Not Recommended Generally
-
@dave247 said in Why Are UTMs Not Recommended Generally:
I don't understand why you are saying this. The idea is to have web-filtering/white-listing on the perimeter of the network because that ensures that everything on the network has to pass through it.
Because it's a bad place to have it and doesn't provide anything special like you are thinking. Having your proxy in your pipeline provides what you are looking for, having it on the edge doesn't guarantee that any more than having it anywhere else.
You are wanting X and stating Y and are feeling that you get X because of Y but that isn't true. This is why UTMs are selling so well, it's become common to think that they are "how" you do features, but those features are things we've had for decades, and UTMs are new, so it can't possibly be the UTM or the edge placement giving the features.
-
@dave247 said in Why Are UTMs Not Recommended Generally:
If we are blocking all porn and gambling categories, then this ensures that nothing in our network will ever get to those sites. It's simple positioning.
The position has nothing to do with it. That comes from being in the pipeline.
-
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
@dave247 said in Why Are UTMs Not Recommended Generally:
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
If you just want VLANs, there is no need for more than two ports on your router. You only need more than two ports when you have more than one LAN, not more than one VLAN. So that matters as to whether you need more ports or not.
I don't fully understand where you are coming from here. I have a different VLAN for each different network (LAN).
Are you talking about having sub-interfaces?
VLANs don't require firewall ports. Physical LANs do. You are saying you have VLANs, but saying you need firewall ports for them.
Basically it works this way....
If you have VLANs to separate your LANs, you can do it all on one port.
If you have physical port separation for your LANs, you have no purpose for VLANs.
VLANs or physical separation are both fine for different use cases, neither is a terrible thing, neither is automatically better than the other. But your description of using VLANs and using six ports on your firewall don't seem to fit. In theory, should be one or the other.
Let me clarify. I have a switch with various trunk ports (from the different VLANs) which run directly to different ports on our SonicWall. Yes, I could run them all through one trunk port on the switch to a single port on the SonicWall with sub-interfaces, but then bandwidth will be limited to a single 1Gbps Ethernet port. Each zone is on it's own VLAN and then we have various firewall rules and policies for those.
-
@dave247 said in Why Are UTMs Not Recommended Generally:
And then on this subject, having a UTM is nice because with Sophos, for example, you have systems with agents on them and then you can put users/machines in various groups and apply different web and application white-lists against them.
That's a nice feature of Sophos, granted. But isn't from the UTM. You are perceiving a Sophos feature and thinking that it is caused by it being a UTM, but it is not. Sophos, I believe, does that in their non-UTM products, too. And you can definitely do that with non-UTM products outside of Sophos. That you can do it in a UTM, too, is nice as an add on feature to the UTM, but it doesn't change the fact that the UTM is the "lesser way to do it."
Bottom line, it's impossible for a UTM to be better than alternatives from a performance and security standpoint. Anything you can do in a UTM you can do better without a UTM. All UTM features existed in the enterprise before anyone thought that shoving those features into their router was an acceptable practice.
-
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
@dave247 said in Why Are UTMs Not Recommended Generally:
I don't understand why you are saying this. The idea is to have web-filtering/white-listing on the perimeter of the network because that ensures that everything on the network has to pass through it.
Because it's a bad place to have it and doesn't provide anything special like you are thinking. Having your proxy in your pipeline provides what you are looking for, having it on the edge doesn't guarantee that any more than having it anywhere else.
You are wanting X and stating Y and are feeling that you get X because of Y but that isn't true. This is why UTMs are selling so well, it's become common to think that they are "how" you do features, but those features are things we've had for decades, and UTMs are new, so it can't possibly be the UTM or the edge placement giving the features.
I want to block all possible porn and gambling sites using the lists provided through the SonicWall services and as a result, all porn and gambling websites are blocked.
It seems like you are stuck in the past with how to do things and anything that presents itself as a new way of doing things, you throw a fit about. I understand what you are saying and where you are coming from, but I don't think you are being very reasonable with how apposed you are being to the concept of a UTM.
-
@dave247 said in Why Are UTMs Not Recommended Generally:
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
@dave247 said in Why Are UTMs Not Recommended Generally:
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
If you just want VLANs, there is no need for more than two ports on your router. You only need more than two ports when you have more than one LAN, not more than one VLAN. So that matters as to whether you need more ports or not.
I don't fully understand where you are coming from here. I have a different VLAN for each different network (LAN).
Are you talking about having sub-interfaces?
VLANs don't require firewall ports. Physical LANs do. You are saying you have VLANs, but saying you need firewall ports for them.
Basically it works this way....
If you have VLANs to separate your LANs, you can do it all on one port.
If you have physical port separation for your LANs, you have no purpose for VLANs.
VLANs or physical separation are both fine for different use cases, neither is a terrible thing, neither is automatically better than the other. But your description of using VLANs and using six ports on your firewall don't seem to fit. In theory, should be one or the other.
Let me clarify. I have a switch with various trunk ports (from the different VLANs) which run directly to different ports on our SonicWall. Yes, I could run them all through one trunk port on the switch to a single port on the SonicWall with sub-interfaces, but then bandwidth will be limited to a single 1Gbps Ethernet port. Each zone is on it's own VLAN and then we have various firewall rules and policies for those.
That's a weird way to do it. What you would normally want is...
- To move to a firewall with a faster interface that can handle your desired workload.
- Use the L3 switch for the ACLs, not the firewall, that's why these exist in the first place. If you have an L3 switch and are doing this, you are missing why you paid for the L3 switch.
- Use trunking to the firewall instead of individual ports for each VLAN.
One of those three, #2 preferably.
Now given how many VLANs you have, I'd recommend a thread to talk about if they are needed. Rule of thumb is that you want to avoid VLANs when possible. If you have devices that need to talk across VLANs, this pretty much tells you that the VLANs aren't right for your needs. There are loads of cases for VLANs, but most places do them when they are not needed and an unneeded VLAN means performance and management overhead that is just wasted resources.
Of course, VLANs become smart when you have more than 2-4K devices on a single subnet.
-
@dave247 said in Why Are UTMs Not Recommended Generally:
I want to block all possible porn and gambling sites using the lists provided through the SonicWall services and as a result, all porn and gambling websites are blocked.
And? I can do all of that without a SonicWall or a UTM. No one is saying you can't do it poorly with a UTM, we are just saying it's not the only, or the best, way to do it.
-
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
@dave247 said in Why Are UTMs Not Recommended Generally:
I want to block all possible porn and gambling sites using the lists provided through the SonicWall services and as a result, all porn and gambling websites are blocked.
And? I can do all of that without a SonicWall or a UTM. No one is saying you can't do it poorly with a UTM, we are just saying it's not the only, or the best, way to do it.
You're diverting again. This was a sub-response about you saying you never put it on the edge. I explained why and then you are back to the UTM argument.
-
@dave247 said in Why Are UTMs Not Recommended Generally:
It seems like you are stuck in the past with how to do things and anything that presents itself as a new way of doing things, you throw a fit about. I understand what you are saying and where you are coming from, but I don't think you are being very reasonable with how apposed you are being to the concept of a UTM.
So let me ask you, do you feel that Windows SBS server, where all functions are crammed into a single device rather than being separated out into individual VMs, is smart? Because that was a big trend fifteen years ago, make it "simple" for IT shops that "didn't get it" and it was crap. Performance was crap, stability was crap, everyone who was "stuck in the old ways" laughed at them for being caught up in marketing and hype and not thinking through what they were doing, and eventually the model showed to be so ridiculous that even MS discontinued it.
UTMs require you to do things in a fundamentally unreliable and expensive way. Router hardware is not as reliable, cheap, or performant as your server infrastructure. But it makes loads of money for the VARs and networking companies.
What you see as "stuck in the old ways", we see as "understanding how it works." UTMs aren't a new idea, they are just new on the market. It's a new way to trick people into spending too much (thanks to security theater and security being too confusing for most shops) with by fancy terms and marketing blitzes and hoping that people buying them don't know the history or realize that all of that functionality is something we've had access to, and been doing better for a long time.
Remember, UTMs aren't new, thinking that UTMs are a good idea is new. That's a huge difference.
It's one of the current "buzz words" in IT. Like SAN was ten years ago. Took a few years of fighting, now everyone knows how ridiculous, costly, and risky that trend was. But for many years there, those of us pushing hyperconvergence (the "old" way) were laughed at for not doing what was "new", which neither thing was new.
Then hyperconvergence got the marketing and now it is seen as "new", even though we were pushing it before SANs were popular.
You see UTMs as new. We see them as a bad idea that is very old.
-
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
@dave247 said in Why Are UTMs Not Recommended Generally:
I don't understand why you are saying this. The idea is to have web-filtering/white-listing on the perimeter of the network because that ensures that everything on the network has to pass through it.
Because it's a bad place to have it and doesn't provide anything special like you are thinking. Having your proxy in your pipeline provides what you are looking for, having it on the edge doesn't guarantee that any more than having it anywhere else.
You are wanting X and stating Y and are feeling that you get X because of Y but that isn't true. This is why UTMs are selling so well, it's become common to think that they are "how" you do features, but those features are things we've had for decades, and UTMs are new, so it can't possibly be the UTM or the edge placement giving the features.
The reason I have seen personally that some managers want a UTM is because they want that all in one system so they don't have to worry about multiple separate pieces, want the paid support, and don't understand how it's actually less secure, but want someone else to blame if things go bad.
-
@dave247 said in Why Are UTMs Not Recommended Generally:
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
@dave247 said in Why Are UTMs Not Recommended Generally:
I want to block all possible porn and gambling sites using the lists provided through the SonicWall services and as a result, all porn and gambling websites are blocked.
And? I can do all of that without a SonicWall or a UTM. No one is saying you can't do it poorly with a UTM, we are just saying it's not the only, or the best, way to do it.
You're diverting again. This was a sub-response about you saying you never put it on the edge. I explained why and then you are back to the UTM argument.
Right, you shouldn't put it on the edge. You didn't explain why at all. That you think that you did shows that you aren't understanding.
By putting it on the edge it was more costly, and less reliable. So in your example, you feel that you showed why you should do it, but I see it as showing why you shouldn't because you got not features or benefits from placing it at the edge, only caveats.
-
@Obsolesce said in Why Are UTMs Not Recommended Generally:
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
@dave247 said in Why Are UTMs Not Recommended Generally:
I don't understand why you are saying this. The idea is to have web-filtering/white-listing on the perimeter of the network because that ensures that everything on the network has to pass through it.
Because it's a bad place to have it and doesn't provide anything special like you are thinking. Having your proxy in your pipeline provides what you are looking for, having it on the edge doesn't guarantee that any more than having it anywhere else.
You are wanting X and stating Y and are feeling that you get X because of Y but that isn't true. This is why UTMs are selling so well, it's become common to think that they are "how" you do features, but those features are things we've had for decades, and UTMs are new, so it can't possibly be the UTM or the edge placement giving the features.
The reason I have seen personally that some managers want a UTM is because they want that all in one system so they don't have to worry about multiple separate pieces, want the paid support, and don't understand how it's actually less secure, but want someone else to blame if things go bad.
That's what they said about SBS. "Managers" who don't understand IT stuff and go from airport marketing blitzes do these crazy things because they don't understand cost, best practices, common sense, workload separation, etc.
It's part of the trick of "bundling" that is one of the "predictably irrational" ways that you can manipulate buyers. Buyers perceived bundled products are cheaper and better, even when logic says that they are not. It's similar to the "three option" sales trick, even when you tell someone you are going to do it to them, the trick is so strong that even Harvard MBA students being prepped for it, mostly fall for it anyway.
Bundling is one of those things that IT needs to protect businesses against, because non-technical managers have effectively no defense against it except for deferring decision making to the people who know the stuff. But truly, any manager choosing the tech is incompetent beyond belief, because the one thing he knows for sure, is that he isn't qualified to make the decision.
-
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
@Obsolesce said in Why Are UTMs Not Recommended Generally:
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
@dave247 said in Why Are UTMs Not Recommended Generally:
I don't understand why you are saying this. The idea is to have web-filtering/white-listing on the perimeter of the network because that ensures that everything on the network has to pass through it.
Because it's a bad place to have it and doesn't provide anything special like you are thinking. Having your proxy in your pipeline provides what you are looking for, having it on the edge doesn't guarantee that any more than having it anywhere else.
You are wanting X and stating Y and are feeling that you get X because of Y but that isn't true. This is why UTMs are selling so well, it's become common to think that they are "how" you do features, but those features are things we've had for decades, and UTMs are new, so it can't possibly be the UTM or the edge placement giving the features.
The reason I have seen personally that some managers want a UTM is because they want that all in one system so they don't have to worry about multiple separate pieces, want the paid support, and don't understand how it's actually less secure, but want someone else to blame if things go bad.
That's what they said about SBS. "Managers" who don't understand IT stuff and go from airport marketing blitzes do these crazy things because they don't understand cost, best practices, common sense, workload separation, etc.
It's part of the trick of "bundling" that is one of the "predictably irrational" ways that you can manipulate buyers. Buyers perceived bundled products are cheaper and better, even when logic says that they are not. It's similar to the "three option" sales trick, even when you tell someone you are going to do it to them, the trick is so strong that even Harvard MBA students being prepped for it, mostly fall for it anyway.
Bundling is one of those things that IT needs to protect businesses against, because non-technical managers have effectively no defense against it except for deferring decision making to the people who know the stuff. But truly, any manager choosing the tech is incompetent beyond belief, because the one thing he knows for sure, is that he isn't qualified to make the decision.
I agree completely.
-
@dave247 said in Why Are UTMs Not Recommended Generally:
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
If you just want VLANs, there is no need for more than two ports on your router. You only need more than two ports when you have more than one LAN, not more than one VLAN. So that matters as to whether you need more ports or not.
I don't fully understand where you are coming from here. I have a different VLAN for each different network (LAN).
Are you talking about having sub-interfaces?
Now from your post on your other thread we know that your setup isn't as it should be for your use case. Granted, I think no one will agree with your use of six VLANs, only two make sense as you described your network, but ignoring that and assuming that the VLANs are staying....
Your traffic link to your router should be a single link that is the same speed as the upward link to the Internet. So GigE most likely. Any additional ports or speed is purely wasted money doing nothing. Traffic going to the router / firewall / UTM should be only traffic heading to or from the Internet, leaving your edge device with more resources to do its job. The firewall can still support the VLANs, it just doesn't route between them.
Then the L3 switch, which must have been purchased for this purpose originally as it is the only purpose of an L3 switch, operates as the firewall and handles any and all traffic between the VLANs inside of itself at switching speed. This not only fixes your GigE uplink problem, and reduces cabling, but increases your VLAN to VLAN speed to that of the switching fabric. You then use the firewall in the switch to handle the ACLs between the VLANs.
Simple, faster, cheaper, as intended.
-
@scottalanmiller said in Why Are UTMs Not Recommended Generally:
@dave247 said in Why Are UTMs Not Recommended Generally:
It seems like you are stuck in the past with how to do things and anything that presents itself as a new way of doing things, you throw a fit about. I understand what you are saying and where you are coming from, but I don't think you are being very reasonable with how apposed you are being to the concept of a UTM.
So let me ask you, do you feel that Windows SBS server, where all functions are crammed into a single device rather than being separated out into individual VMs, is smart? Because that was a big trend fifteen years ago, make it "simple" for IT shops that "didn't get it" and it was crap. Performance was crap, stability was crap, everyone who was "stuck in the old ways" laughed at them for being caught up in marketing and hype and not thinking through what they were doing, and eventually the model showed to be so ridiculous that even MS discontinued it.
UTMs require you to do things in a fundamentally unreliable and expensive way. Router hardware is not as reliable, cheap, or performant as your server infrastructure. But it makes loads of money for the VARs and networking companies.
What you see as "stuck in the old ways", we see as "understanding how it works." UTMs aren't a new idea, they are just new on the market. It's a new way to trick people into spending too much (thanks to security theater and security being too confusing for most shops) with by fancy terms and marketing blitzes and hoping that people buying them don't know the history or realize that all of that functionality is something we've had access to, and been doing better for a long time.
Remember, UTMs aren't new, thinking that UTMs are a good idea is new. That's a huge difference.
It's one of the current "buzz words" in IT. Like SAN was ten years ago. Took a few years of fighting, now everyone knows how ridiculous, costly, and risky that trend was. But for many years there, those of us pushing hyperconvergence (the "old" way) were laughed at for not doing what was "new", which neither thing was new.
Then hyperconvergence got the marketing and now it is seen as "new", even though we were pushing it before SANs were popular.
You see UTMs as new. We see them as a bad idea that is very old.
You say UTMs are new here but in another spot you say they aren't new. I'm not surprised. I've read through hundreds of your posts and seen various spots where you contradict yourself. You once argued with me for hours about a router and a firewall being the exact same thing. You spew out vast amount of information in the form of debating and arguing about IT stuff but what it really boils down to is that you are splitting hairs about various IT concepts.
I'm not sure if you do this "for the good of the IT community" or if you're doing it to bolster your own ego. Ether way, you can't seem to have a simple discussion without unpacking a torrent of paragraphs and fragmenting discussion threads in some sort of frighting Scott Alan Miller battle-dance, where you come out the victor because your opponent is forced to yield due to shier exhaustion from all the reading and typing.
I truly understand what you are saying and where you are coming from with a lot of this stuff, but you are just tireless with the discussion.
I'm out.
-
@dave247 said in Why Are UTMs Not Recommended Generally:
You say UTMs are new here but in another spot you say they aren't new. I'm not surprised.
I was SUPER clear on this. They are new "to the market" but not new "as a concept". We just knew better than to use them before. I explained this earlier specifically because I knew you were trying to say we were out of date and trying to make UTMs sound like a new idea, rather than a new trend. And, as I predicted, you ignored that and made the claim anyway.
-
@dave247 said in Why Are UTMs Not Recommended Generally:
. I've read through hundreds of your posts and seen various spots where you contradict yourself.
Link?
-
@dave247 said in Why Are UTMs Not Recommended Generally:
You once argued with me for hours about a router and a firewall being the exact same thing.
And they are. And I've even stated it here. All routers on the market for decades are firewalls, all firewalls on the market are routers. We've covered this. Stating that I said this is weird, since I said it in today's discussion, even.
-
@dave247 said in Why Are UTMs Not Recommended Generally:
You spew out vast amount of information in the form of debating and arguing about IT stuff but what it really boils down to is that you are splitting hairs about various IT concepts.
I think you see "fundamental network architecture and design" as "splitting hairs". This just doesn't work. Thinking your firewall isn't a firewall will lead you to all kinds of mistakes. Not realizing you bought a multi-port router (firewall) and not using it and crippling your network, for example, is one of the results.
Please find an example of where I "split hairs" but it wasn't critical to your understanding of networking? You mention some pretty huge examples of what you call "splitting hairs" but it would seem pretty incredibly obvious that knowing where your firewalls are is anything but splitting hairs. How can you design security if you are being driven by marketing, and not by understanding the network and how security plays into it?
If there is one takeaway from these threads today, one thing of the utmost value, it would be that you see "understanding the network" or "saving money" or "improving security" as "splitting hairs", and these are not. These things are super important, they are the fundamental value that IT ads to an organization. This isn't trivial, this is what gives us our jobs. If we just wanted to "buy whatever is advertised", IT isn't needed for that, management can do that without us. It's cutting through the BS, not allowing marketing hype and buzz words to influence us, knowing how to deploy good technologies, knowing not to deploy bad ones, how to deploy them correctly, etc. that earns IT its keep and gives value to our organizations.
Instead of trying to brush off core IT understanding as "splitting hairs", take a moment and ask yourself... if you don't understand these basics, how can you make effective decisions about your network?
-
This post is deleted!