Home Network Firewall Options

Dashrender

@wirestyle22 said:

Are you guys using actual server hardware to make the devices to fill those roles?

Why are you worrying about those holes in the first place?

wirestyle22

@Dashrender said:

@wirestyle22 said:

Are you guys using actual server hardware to make the devices to fill those roles?

Why are you worrying about those holes in the first place?

I'm not. I'm just curious if actual server hardware would be required for my own knowledge

travisdh1

@wirestyle22 said:

@Dashrender said:

@wirestyle22 said:

Are you guys using actual server hardware to make the devices to fill those roles?

Why are you worrying about those holes in the first place?

I'm not. I'm just curious if actual server hardware would be required for my own knowledge

They're all virtual right? So what does it matter, hardware agnostic. That said, a solid server box is definitely preferred.

wirestyle22

@travisdh1 said:

@wirestyle22 said:

@Dashrender said:

@wirestyle22 said:

Are you guys using actual server hardware to make the devices to fill those roles?

Why are you worrying about those holes in the first place?

I'm not. I'm just curious if actual server hardware would be required for my own knowledge

They're all virtual right? So what does it matter, hardware agnostic. That said, a solid server box is definitely preferred.

What if the company has a ton of remote sites like mine? Wouldn't that be a pretty big cost?

travisdh1

@wirestyle22 said:

@travisdh1 said:

@wirestyle22 said:

@Dashrender said:

@wirestyle22 said:

Are you guys using actual server hardware to make the devices to fill those roles?

Why are you worrying about those holes in the first place?

I'm not. I'm just curious if actual server hardware would be required for my own knowledge

They're all virtual right? So what does it matter, hardware agnostic. That said, a solid server box is definitely preferred.

What if the company has a ton of remote sites like mine? Wouldn't that be a pretty big cost?

Only if you have a reason to need one at every site. If you get to a LANless design then you don't really need the security appliances at every location, and if you're still running traditional LAN and VPN then you only need the one at the head office.

Dashrender

@travisdh1 said:

Only if you have a reason to need one at every site.

In other words - only if you need those UTM services at every site.

If you get to a LANless design then you don't really need the security appliances at every location,

I still really like the idea of a hardware firewall (though I suppose a firewall VM would be fine) between you and the internet whenever possible.

and if you're still running traditional LAN and VPN then you only need the one at the head office.

This assumes you have the bandwidth to bring all internet traffic back to the home office for filtering before going out to the internet. I don't know anyone who does that anymore.

Dashrender

I suppose if you really need UTM things at remote locations, then the UTM appliance is the most cost effective way to do this. But the real question is... do you REALLY need it?

wirestyle22

@Dashrender said:

I suppose if you really need UTM things at remote locations, then the UTM appliance is the most cost effective way to do this. But the real question is... do you REALLY need it?

Not at every site. What I'm going to do is install a Squid proxy at one specific location because we have two client computer labs there. It's extremely vulnerable with the developmentally disabled clicking on anything and everything--not that I would expect anything but that in this situation. So I basically block everything except YouTube and a few educational websites that they use daily. I do this only for their computers and have standard content policies in place for the others.

I'm getting rid of my Sonicwalls in favor of Ubiquiti Security Gateways but I lose content filtering basically.

Dashrender

@wirestyle22 said:

@Dashrender said:

I suppose if you really need UTM things at remote locations, then the UTM appliance is the most cost effective way to do this. But the real question is... do you REALLY need it?

Not at every site. What I'm going to do is install a Squid proxy at one specific location because we have two client computer labs there. It's extremely vulnerable with the developmentally disabled clicking on anything and everything--not that I would expect anything but that in this situation. So I basically block everything except YouTube and a few educational websites that they use daily. I do this only for their computers and have standard content policies in place for the others.

I'm getting rid of my Sonicwalls in favor of Ubiquiti Security Gateways but I lose content filtering basically.

yep - I was in the same boat 4 months ago. Though - just wondering, why the USGs vs the ERLs?

Jason

@NETS said:

@scottalanmiller said:

@NETS said:

So without a UTM device how are you monitoring the network and locking down the traffic?

1. What is the actual need here? A firewall already monitors and locks down the traffic. Those are not UTM functions.
2. With a UTM, how are you doing it?

I look at UTM's as a single device that can easily secure and monitor and a variety of network traffic with minimal effort. Running a regular ERX works but you lose the malware, mail filtering and IPS features of a UTM. Sure there are other methods of gaining those features back but not on a single box. For SMB that single box is a big sell.

If you use a Edge router how are you adding back in the other security features that a UTM or Nextgen firewall offers?

Why are you filtering mail at the firewall anyway?. Even with onsite mail cloud based email filter is way more powerful at detecting things.

wirestyle22

@Jason said:

@NETS said:

@scottalanmiller said:

@NETS said:

So without a UTM device how are you monitoring the network and locking down the traffic?

1. What is the actual need here? A firewall already monitors and locks down the traffic. Those are not UTM functions.
2. With a UTM, how are you doing it?

I look at UTM's as a single device that can easily secure and monitor and a variety of network traffic with minimal effort. Running a regular ERX works but you lose the malware, mail filtering and IPS features of a UTM. Sure there are other methods of gaining those features back but not on a single box. For SMB that single box is a big sell.

If you use a Edge router how are you adding back in the other security features that a UTM or Nextgen firewall offers?

Why are you filtering mail at the firewall anyway?. Even with onsite mail cloud based email filter is way more powerful at detecting things.

I inherited all of this stuff. It predates me. I'm making the changes now in the hopes that I am ML compliant one day ^_^

NETS

@Jason said:

@NETS said:

@scottalanmiller said:

@NETS said:

So without a UTM device how are you monitoring the network and locking down the traffic?

1. What is the actual need here? A firewall already monitors and locks down the traffic. Those are not UTM functions.
2. With a UTM, how are you doing it?

I look at UTM's as a single device that can easily secure and monitor and a variety of network traffic with minimal effort. Running a regular ERX works but you lose the malware, mail filtering and IPS features of a UTM. Sure there are other methods of gaining those features back but not on a single box. For SMB that single box is a big sell.

If you use a Edge router how are you adding back in the other security features that a UTM or Nextgen firewall offers?

Why are you filtering mail at the firewall anyway?. Even with onsite mail cloud based email filter is way more powerful at detecting things.

98% of the time we do use some form of cloud based email filtering but if they have the license we also kick on mail filtering in the UTM. While it might be over kill it's caught a few things that we didn't want coming in.

I agree that UTM's are costly and single devices could potentially a better job but from a manageability perspective UTM's make it easier.

wirestyle22

@Dashrender said:

@wirestyle22 said:

@Dashrender said:

I suppose if you really need UTM things at remote locations, then the UTM appliance is the most cost effective way to do this. But the real question is... do you REALLY need it?

Not at every site. What I'm going to do is install a Squid proxy at one specific location because we have two client computer labs there. It's extremely vulnerable with the developmentally disabled clicking on anything and everything--not that I would expect anything but that in this situation. So I basically block everything except YouTube and a few educational websites that they use daily. I do this only for their computers and have standard content policies in place for the others.

I'm getting rid of my Sonicwalls in favor of Ubiquiti Security Gateways but I lose content filtering basically.

yep - I was in the same boat 4 months ago. Though - just wondering, why the USGs vs the ERLs?

I'm open to recommendations of course. Do you think the ERL is a better choice?

Dashrender

@wirestyle22 said:

@Dashrender said:

@wirestyle22 said:

@Dashrender said:

I suppose if you really need UTM things at remote locations, then the UTM appliance is the most cost effective way to do this. But the real question is... do you REALLY need it?

Not at every site. What I'm going to do is install a Squid proxy at one specific location because we have two client computer labs there. It's extremely vulnerable with the developmentally disabled clicking on anything and everything--not that I would expect anything but that in this situation. So I basically block everything except YouTube and a few educational websites that they use daily. I do this only for their computers and have standard content policies in place for the others.

I'm getting rid of my Sonicwalls in favor of Ubiquiti Security Gateways but I lose content filtering basically.

yep - I was in the same boat 4 months ago. Though - just wondering, why the USGs vs the ERLs?

I'm open to recommendations of course. Do you think the ERL is a better choice?

I haven't actually played with a USG yet. They are 20-40 more than an ERL... as far as I can tell... the main difference is the ability to controll the USG with the Ubiquiti Controller software, you can't do that with the EdgeRouter stuff

wirestyle22

@Dashrender said:

@wirestyle22 said:

@Dashrender said:

@wirestyle22 said:

@Dashrender said:

I suppose if you really need UTM things at remote locations, then the UTM appliance is the most cost effective way to do this. But the real question is... do you REALLY need it?

Not at every site. What I'm going to do is install a Squid proxy at one specific location because we have two client computer labs there. It's extremely vulnerable with the developmentally disabled clicking on anything and everything--not that I would expect anything but that in this situation. So I basically block everything except YouTube and a few educational websites that they use daily. I do this only for their computers and have standard content policies in place for the others.

I'm getting rid of my Sonicwalls in favor of Ubiquiti Security Gateways but I lose content filtering basically.

yep - I was in the same boat 4 months ago. Though - just wondering, why the USGs vs the ERLs?

I'm open to recommendations of course. Do you think the ERL is a better choice?

I haven't actually played with a USG yet. They are 20-40 more than an ERL... as far as I can tell... the main difference is the ability to controll the USG with the Ubiquiti Controller software, you can't do that with the EdgeRouter stuff

I haven't either. I may get one to test though

wirestyle22

@Dashrender said:

@wirestyle22 said:

@Dashrender said:

@wirestyle22 said:

@Dashrender said:

I suppose if you really need UTM things at remote locations, then the UTM appliance is the most cost effective way to do this. But the real question is... do you REALLY need it?

Not at every site. What I'm going to do is install a Squid proxy at one specific location because we have two client computer labs there. It's extremely vulnerable with the developmentally disabled clicking on anything and everything--not that I would expect anything but that in this situation. So I basically block everything except YouTube and a few educational websites that they use daily. I do this only for their computers and have standard content policies in place for the others.

I'm getting rid of my Sonicwalls in favor of Ubiquiti Security Gateways but I lose content filtering basically.

yep - I was in the same boat 4 months ago. Though - just wondering, why the USGs vs the ERLs?

I'm open to recommendations of course. Do you think the ERL is a better choice?

I haven't actually played with a USG yet. They are 20-40 more than an ERL... as far as I can tell... the main difference is the ability to controll the USG with the Ubiquiti Controller software, you can't do that with the EdgeRouter stuff

Here's a signup for the beta if you're interested and have the tech to use it in the future.

Jason

@Dashrender said:

@wirestyle22 said:

@Dashrender said:

@wirestyle22 said:

@Dashrender said:

I suppose if you really need UTM things at remote locations, then the UTM appliance is the most cost effective way to do this. But the real question is... do you REALLY need it?

Not at every site. What I'm going to do is install a Squid proxy at one specific location because we have two client computer labs there. It's extremely vulnerable with the developmentally disabled clicking on anything and everything--not that I would expect anything but that in this situation. So I basically block everything except YouTube and a few educational websites that they use daily. I do this only for their computers and have standard content policies in place for the others.

I'm getting rid of my Sonicwalls in favor of Ubiquiti Security Gateways but I lose content filtering basically.

yep - I was in the same boat 4 months ago. Though - just wondering, why the USGs vs the ERLs?

I'm open to recommendations of course. Do you think the ERL is a better choice?

I haven't actually played with a USG yet. They are 20-40 more than an ERL... as far as I can tell... the main difference is the ability to controll the USG with the Ubiquiti Controller software, you can't do that with the EdgeRouter stuff

It's suppose to have PBX functionalities at some point too.

JaredBusch

The USG is an all in wonder device. I hate it.

But there is a market for it and I absolutely do not blame Ubiquiti for putting stuff out there.