pfSense instead of SonicWall?
-
Gateway AV, DPI, IDS, IPS
-
@wrx7m said:
Let's say you set up an EdgeRouter, what would you guys recommend for the additional services that a UTM platform would normally provide?
Standard recommendation is that those things don't belong on a firewall and should be either handled by another device or should not exist at all (much of the time they are negatives and sold via hype... most have their place but are not very commonly recommended.)
-
@wrx7m said:
Gateway AV, DPI, IDS, IPS
I've never seen Gateway AV work... but Squid can also do this with some addons.
-
@scottalanmiller Interesting. So you would just go with endpoint protection after the router/firewall?
-
@wrx7m said:
@scottalanmiller Interesting. So you would just go with endpoint protection after the router/firewall?
Yes, in nearly all cases. AV on the firewall means huge network delays or tons of processing power needed at the end and it is rarely effective. If you are investing tens of thousands in Palo Alto gear, that's different. But other than that, I wouldn't even consider it.
-
I'm a big believer that the UTM concept is hype. I want my router to be a router, not be an all in one device like I'm a home user. All functionality should be broken out and should be determined discretely if needed. UTMs are sold almost exclusively based on marketing, not a need driving a search for a solution.
-
@scottalanmiller Thanks for the info. What about use of a proxy/application control?
-
@coliver said:
@wrx7m said:
Gateway AV, DPI, IDS, IPS
I've never seen Gateway AV work... but Squid can also do this with some addons.
You haven't? I have. Both good and bad. I've seen it block bad things and also have false positives. I definitely like the thought behind it.. not sold one way or the other in practice though.
-
Plus Scott is a big believer in the LANless approach. Don't trust the network you're on.. create your own security through other means, like endpoint to server SSL, etc.
-
@wrx7m said:
@scottalanmiller Thanks for the info. What about use of a proxy/application control?
Proxies have their place, and I was using one at home even in the 1990s. Proxying itself is pretty much useless for 95% of businesses, but some need it. But a proxy requires a lot of horsepower and should never be combined with routing. For proxy and cache functions I would also turn to Squid for normal stuff and if you feel that you need to control access (which I generally think is a horrible idea and you should fire everyone if you think you need this) I would use Websense as nothing else even pretends to actually do anything.
-
@Dashrender said:
You haven't? I have. Both good and bad. I've seen it block bad things and also have false positives.
That description is what we would call not working.
-
@scottalanmiller Right, I understand your point on separating the functions from the firewall, itself.
-
@Dashrender said:
I definitely like the thought behind it.. not sold one way or the other in practice though.
If it introduced no latency and had no (or effectively no) false positives and was very cost effective I'd like the idea, too. But there is really no way to do that and that's the problem.
-
@scottalanmiller said:
@Dashrender said:
You haven't? I have. Both good and bad. I've seen it block bad things and also have false positives.
That description is what we would call not working.
False positives happen even on endpoints - so....
-
@scottalanmiller said:
@Dashrender said:
I definitely like the thought behind it.. not sold one way or the other in practice though.
If it introduced no latency and had no (or effectively no) false positives and was very cost effective I'd like the idea, too. But there is really no way to do that and that's the problem.
I agree!
-
@scottalanmiller said:
@Dashrender said:
I definitely like the thought behind it.. not sold one way or the other in practice though.
If it introduced no latency and had no (or effectively no) false positives and was very cost effective I'd like the idea, too. But there is really no way to do that and that's the problem.
Oh.. and my false positive was once during my 3-year contract...
-
@wrx7m said:
@scottalanmiller Right, I understand your point on separating the functions from the firewall, itself.
One of the reasons there for proxy/cache specifically is that you need it to be insanely fast and cache a ton of stuff - so you likely want a massive RAID 0 array with SSD caching in front of it with loads of memory and a decent CPU (quad core Xeon for example) to handle it. You can't get 1% of that from any firewall hardware.
And you don't want the proxy getting in the way of non-proxy traffic. Your VoIP, for example, needs to go straight through the firewall not get processed or blocked by the proxy. If the proxy is inside the firewall device, the CPU will be tied up doing that instead of passing RTP packets.
-
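As an added illustration of the "proxy on its own box, firewall just routes" layout described in the post above (this is an example configuration written for this page, not something posted in the thread or taken from the Squid project's own docs): a minimal squid.conf for a dedicated cache host with a large on-disk cache and a big memory cache, reached by clients explicitly on port 3128. The 192.0.2.0/24 client range, the /var/spool/squid path and the cache sizes are assumptions chosen for the example; size them to the host you actually build.

```conf
# squid.conf for a dedicated proxy/cache host (example, not from the thread)
# Clients are configured to use this proxy explicitly (browser setting or WPAD).
# The firewall does NOT redirect port 80/443 here, so SIP, RTP and every other
# non-HTTP flow goes straight through the router and never touches this box.

http_port 3128

# Memory cache: this host has lots of RAM, so keep hot objects in memory.
cache_mem 8 GB
maximum_object_size_in_memory 2 MB
memory_replacement_policy heap GDSF

# Disk cache: 400000 MB on the SSD-backed array (path and size are assumptions).
# aufs uses async I/O threads on Linux; 64 L1 / 256 L2 directories.
cache_dir aufs /var/spool/squid 400000 64 256
maximum_object_size 1 GB
cache_replacement_policy heap LFUDA
coredump_dir /var/spool/squid

# Who may use the proxy: only the internal client network (assumed range).
acl localnet src 192.0.2.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# Per-user browsing records are not collected on this host; only the
# cache log is kept. Drop this line if management requires access logging.
access_log none

# Standard freshness rules so static content actually stays cached.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
```

Two things to check after deploying: `squid -k parse` validates the file before a reload, and a packet capture on the proxy host during a VoIP call should show no RTP at all, which confirms the firewall is passing that traffic directly rather than through the cache.
-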
@scottalanmiller said:
@wrx7m said:
@scottalanmiller Thanks for the info. What about use of a proxy/application control?
Proxies have their place, and I was using one at home even in the 1990s. Proxying itself is pretty much useless for 95% of businesses, but some need it. But a proxy requires a lot of horsepower and should never be combined with routing. For proxy and cache functions I would also turn to Squid for normal stuff and if you feel that you need to control access (which I generally think is a horrible idea and you should fire everyone if you think you need this) I would use Websense as nothing else even pretends to actually do anything.
I agree with you but how do you know what people are accessing if you aren't monitoring it, at least passively? Sure there is management but short of standing over everyone's shoulder, I don't see a better way to be able to produce the stats.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
You haven't? I have. Both good and bad. I've seen it block bad things and also have false positives.
That description is what we would call not working.
False positives happen even on endpoints - so....
But not so often that I've seen one in a decade. Definitely happen, but are super rare. And much easier to identify because it is localised to where it happens. Not somewhere distant.
-
@wrx7m said:
I agree with you but how do you know what people are accessing if you aren't monitoring it, at least passively?
I don't want to know what they are accessing. I know of no positive, but tons of negative, results from that. Having that information available doesn't itself cause problems, but it makes problems really easy to have - like not looking at how well people do their jobs and instead looking at what web sites that they go to.
I truly believe that 99.9% of the time, having this information has only negative value. And IT should never want this, management might require it, but it would never be in IT's interest to have to collect this.