Ad blocking/web filtering - UTM
-
What is your opinion ML'ers - worth it or not?
The primary source of things like Crypto-Locker and the like are phishing/spam email and malicious ads. The ad networks these days don't host the ads, nor bother to scan most of them before providing them to end user customers.
On one hand I want to provide more protection to my network, but at the same time it's such a fluid moving target I'm not sure it's practical or really possible.
Thoughts?
-
I've learned my lesson in the past. I probably won't put another UTM in. You can save money and have better protection by separating roles.
You could get an in-expensive router, and host an open source proxy (squid-cache comes to mind) in a virtual machine which takes up very few resources then make that the default gateway for the network. That should offer some protection. Additionally a good end-point security solution should cover some of the other threats.
-
What protection does squid-cache provide?
What lesson did you learn when you had a UTM running?
I currently have SonicWalls, all that came with UTM, antivirus/webfiltering (I scanned for viruii - had two false positives over the contract term, and webfiltering only filtered out violence and porn). This didn't seem to make a difference on ads, but definitely made things a bit slower.
When it came time to renew the support/maintenance agreement I didn't renew, I didn't/don't think the value was there for it. Not to mention the renewal cost was 90% the cost of the original cost, seemed to high considering I'm not getting any new hardware.
-
@Dashrender said:
What protection does squid-cache provide?
What lesson did you learn when you had a UTM running?
I currently have SonicWalls, all that came with UTM, antivirus/webfiltering (I scanned for viruii - had two false positives over the contract term, and webfiltering only filtered out violence and porn). This didn't seem to make a difference on ads, but definitely made things a bit slower.
When it came time to renew the support/maintenance agreement I didn't renew, I didn't/don't think the value was there for it. Not to mention the renewal cost was 90% the cost of the original cost, seemed to high considering I'm not getting any new hardware.
Squid-cache is proxy service which can do built in filtering. You use this as your default gateway and all internet traffic goes through it. Allowing you to monitor and filter on DNS and IP addresses. You may also want to look at DansGuardian
I've discovered that UTMs (and not just the one I purchased but others that I have experience with) are massively under powered. They do all of that "stuff" but they don't do any of it really that well. In addition if one thing goes wrong then you could potentially have a headache as the entire unit is now not working or has limited functionality.
-
I'll agree with the under powered thing. My 10/10 Mbit pipe with 80 users definitely noticed a slow down when the filter was going.
-
@Dashrender the new 1.8.0 firmware will have some built in functionality for you.
-
That's nice, but what kind of load will that put on the system? The EdgeRouter series devices seem pretty low powered.
-
@Dashrender said:
That's nice, but what kind of load will that put on the system? The EdgeRouter series devices seem pretty low powered.
Seen low powered? Their throughout is one of their claims to fame. What about them is feeling anemic to you?
-
@scottalanmiller said:
Seen low powered? Their throughout is one of their claims to fame. What about them is feeling anemic to you?
The CPU is their issue. Always has been. If a function is is not able to be offloaded, their throughput tanks dramatically.
How much this new DPI stuff will impact the CPU can dramatically impact the performance of any of the EdgeMax devices.
-
Exactly - Sure EdgeRouter devices are great at the functions they have done so far, but the moment we start putting more features, it's only a matter of time before the CPU will be bogged down.
I believe this is what is wrong with the SonicWalls I currently have. Running all that UTM stuff is more than the processor can handle and bogs down the system. Sure, I could buy the next up level device for 2x the cost for what to them is a $10 upgrade (probably less) but this seems ridiculous.
Clearly in the SonicWall situation I'm better off slicing off a piece of my VM infrastructure and setting up a proxy to do filtering, even if I have to pay for the features (and hopefully I'll save some money at the same time).
-
@JaredBusch said:
The CPU is their issue. Always has been. If a function is is not able to be offloaded, their throughput tanks dramatically.
Isn't it a lot more CPU than even pretty beefy Cisco devices? Their CPU is small, but I thought they had a lot more CPU than most devices in the category.
The $95 entry point UBNT device is definitely small. But when comparing to any UTM you can move up to the faster rack mount device and get a lot more horsepower while maintaining the UBNT software and cost benefits.
-
@Dashrender said:
Exactly - Sure EdgeRouter devices are great at the functions they have done so far, but the moment we start putting more features, it's only a matter of time before the CPU will be bogged down.
I agree, but that happens to all UTMs. Comparing routing to routing only, the UBNT devices are normally some of the fastest around (their claim to fame is at $300 beating Cisco at $3,000 in performance.)
-
@scottalanmiller said:
Isn't it a lot more CPU than even pretty beefy Cisco devices? Their CPU is small, but I thought they had a lot more CPU than most devices in the category.
Never compared the two, so I do not know. I was not comparing UBNT to anything. Just noting the known CPU issues with their platform. I realize all systems with UTM functionality will have some type of issue like this.
The $95 entry point UBNT device is definitely small. But when comparing to any UTM you can move up to the faster rack mount device and get a lot more horsepower while maintaining the UBNT software and cost benefits.
This is very true.
-
What about running a UTM in a VM? At least you can vertically scale if needed.
-
@johnhooks said:
What about running a UTM in a VM? At least you can vertically scale if needed.
Of course that's an option and you get "unlimited" power in that way. But having your firewall on a VM, unless it is on a one to one dedicated piece of hardware, is generally not ideal. It basically requires that an attacker already be on your network before facing the firewall. In nearly all cases, I would recommend that you stick with the physical firewall for mainline security and put the non-routing / non-firewall scanning functions onto a VM instead.
-
@scottalanmiller said:
@johnhooks said:
What about running a UTM in a VM? At least you can vertically scale if needed.
Of course that's an option and you get "unlimited" power in that way. But having your firewall on a VM, unless it is on a one to one dedicated piece of hardware, is generally not ideal. It basically requires that an attacker already be on your network before facing the firewall. In nearly all cases, I would recommend that you stick with the physical firewall for mainline security and put the non-routing / non-firewall scanning functions onto a VM instead.
Oh OK. I did it at home playing around. The UTM was the only VM with access to the WAN nic but I guess the dom0 is still public facing then? Never thought about that.
-
@johnhooks said:
@scottalanmiller said:
@johnhooks said:
What about running a UTM in a VM? At least you can vertically scale if needed.
Of course that's an option and you get "unlimited" power in that way. But having your firewall on a VM, unless it is on a one to one dedicated piece of hardware, is generally not ideal. It basically requires that an attacker already be on your network before facing the firewall. In nearly all cases, I would recommend that you stick with the physical firewall for mainline security and put the non-routing / non-firewall scanning functions onto a VM instead.
Oh OK. I did it at home playing around. The UTM was the only VM with access to the WAN nic but I guess the dom0 is still public facing then? Never thought about that.
Why would dom0 be public facing?
-
@Dashrender said:
@johnhooks said:
@scottalanmiller said:
@johnhooks said:
What about running a UTM in a VM? At least you can vertically scale if needed.
Of course that's an option and you get "unlimited" power in that way. But having your firewall on a VM, unless it is on a one to one dedicated piece of hardware, is generally not ideal. It basically requires that an attacker already be on your network before facing the firewall. In nearly all cases, I would recommend that you stick with the physical firewall for mainline security and put the non-routing / non-firewall scanning functions onto a VM instead.
Oh OK. I did it at home playing around. The UTM was the only VM with access to the WAN nic but I guess the dom0 is still public facing then? Never thought about that.
Why would dom0 be public facing?
I was guessing. The nic drivers are loaded in dom0 so does that give it an attack point even though the VM is the only one really using the interface?
-
@johnhooks said:
@scottalanmiller said:
@johnhooks said:
What about running a UTM in a VM? At least you can vertically scale if needed.
Of course that's an option and you get "unlimited" power in that way. But having your firewall on a VM, unless it is on a one to one dedicated piece of hardware, is generally not ideal. It basically requires that an attacker already be on your network before facing the firewall. In nearly all cases, I would recommend that you stick with the physical firewall for mainline security and put the non-routing / non-firewall scanning functions onto a VM instead.
Oh OK. I did it at home playing around. The UTM was the only VM with access to the WAN nic but I guess the dom0 is still public facing then? Never thought about that.
Could be, but shouldn't be. But the physical access still exists no matter what you expose to it.