dave247 (profile): Following 0, Followers 0, Topics 89, Posts 974, Groups 0

    Posts

    • Are VLANs Appropriate Here

      @scottalanmiller said in Why Are UTMs Not Recommended Generally:

      @dave247 said in Why Are UTMs Not Recommended Generally:

      @scottalanmiller said in Why Are UTMs Not Recommended Generally:

      @dave247 said in Why Are UTMs Not Recommended Generally:

      @scottalanmiller said in Why Are UTMs Not Recommended Generally:

      If you just want VLANs, there is no need for more than two ports on your router. You only need more than two ports when you have more than one LAN, not more than one VLAN. So that matters as to whether you need more ports or not.

      I don't fully understand where you are coming from here. I have a different VLAN for each different network (LAN).

      Are you talking about having sub-interfaces?

      VLANs don't require firewall ports. Physical LANs do. You are saying you have VLANs, but saying you need firewall ports for them.

      Basically it works this way....

      If you have VLANs to separate your LANs, you can do it all on one port.

      If you have physical port separation for your LANs, you have no purpose for VLANs.

      VLANs or physical separation are both fine for different use cases, neither is a terrible thing, neither is automatically better than the other. But your description of using VLANs and using six ports on your firewall don't seem to fit. In theory, should be one or the other.

      Let me clarify. I have a switch with various trunk ports (from the different VLANs) which run directly to different ports on our SonicWall. Yes, I could run them all through one trunk port on the switch to a single port on the SonicWall with sub-interfaces, but then bandwidth will be limited to a single 1Gbps Ethernet port. Each zone is on its own VLAN and then we have various firewall rules and policies for those.

      That's a weird way to do it. What you would normally want is...

      1. To move to a firewall with a faster interface that can handle your desired workload.
      2. Use the L3 switch for the ACLs, not the firewall, that's why these exist in the first place. If you have an L3 switch and are doing this, you are missing why you paid for the L3 switch.
      3. Use trunking to the firewall instead of individual ports for each VLAN.

      One of those three, #2 preferably.

      Now given how many VLANs you have, I'd recommend a thread to talk about if they are needed. Rule of thumb is that you want to avoid VLANs when possible. If you have devices that need to talk across VLANs, this pretty much tells you that the VLANs aren't right for your needs. There are loads of cases for VLANs, but most places do them when they are not needed and an unneeded VLAN means performance and management overhead that is just wasted resources.

      Of course, VLANs become smart when you have more than 2-4K devices on a single subnet.

      Yeah, I already know about your input on this stuff. We use VLANs to segregate things, and we don't really have that many. We have one for corp wifi, guest wifi, VoIP and then the default untagged VLAN 1. I do plan to add one more for workstations to segregate them from the servers for the sake of security. The idea is to separate things into groups (VLANs) and then apply ACLs in order to control what flows back and forth.

      posted in IT Discussion by dave247
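      The trunk-versus-separate-ports question in this post (and in the shorter copy of the same exchange further down) comes down to tagging: one firewall interface with sub-interfaces can carry every VLAN because each frame announces its VLAN in an 802.1Q tag, and untagged frames fall into the port's native VLAN. As an added example that is not code from the thread or from SonicWall, here is a parser that demultiplexes tagged frames arriving on one trunk into zones. The VLAN IDs and zone names are assumed (the thread names the zones but not their IDs), and the sample frames are constructed.

```python
"""One trunk port, many VLANs: parse 802.1Q-tagged Ethernet frames and sort
them into the zone each tag maps to, the way one firewall interface with
sub-interfaces does. Added example, not code from the thread; the VLAN-to-zone
plan is assumed (the thread names the zones but not their IDs)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

ETHERTYPE_8021Q = 0x8100    # customer tag (C-tag)
ETHERTYPE_8021AD = 0x88A8   # service tag, the outer tag of a Q-in-Q frame
ETHERTYPE_IPV4 = 0x0800
NATIVE_VLAN = 1             # untagged frames on the trunk are treated as VLAN 1

# Assumed zone plan mirroring the zones named in the thread (IDs are made up).
ZONES = {1: "default", 10: "corp-wifi", 20: "guest-wifi", 30: "voip", 40: "workstations"}


@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    vlan_ids: List[int]     # outermost first; empty when untagged
    ethertype: int
    payload: bytes


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> Frame:
    """Walk dst/src MAC, then any number of 4-byte VLAN tags, then the real EtherType."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = _mac(frame[0:6]), _mac(frame[6:12])
    off, vlan_ids = 12, []
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated header")
        (ethertype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if ethertype not in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
            break
        if len(frame) < off + 2:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off)   # PCP(3) DEI(1) VID(12)
        off += 2
        vlan_ids.append(tci & 0x0FFF)
    return Frame(dst, src, vlan_ids, ethertype, frame[off:])


def build_frame(dst_mac: str, src_mac: str, payload: bytes,
                vlan_ids: Tuple[int, ...] = (), ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Build a test frame; each VLAN ID becomes one 0x8100 tag, outermost first."""
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    tags = b"".join(struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF) for vid in vlan_ids)
    return hdr + tags + struct.pack("!H", ethertype) + payload


def demux_trunk(frames: List[bytes]) -> Tuple[Dict[str, List[Frame]], List[Tuple[str, bytes]]]:
    """Return frames grouped by zone, plus (reason, frame) for everything not admitted."""
    by_zone: Dict[str, List[Frame]] = {name: [] for name in ZONES.values()}
    dropped: List[Tuple[str, bytes]] = []
    for raw in frames:
        try:
            f = parse_frame(raw)
        except ValueError as exc:
            dropped.append((f"malformed: {exc}", raw))
            continue
        if len(f.vlan_ids) > 1:
            # A stacked tag has no single answer for "which zone"; refuse rather than guess.
            dropped.append(("stacked tags", raw))
            continue
        vid = f.vlan_ids[0] if f.vlan_ids else NATIVE_VLAN
        zone = ZONES.get(vid)
        if zone is None:
            dropped.append((f"vlan {vid} not configured on this port", raw))
            continue
        by_zone[zone].append(f)
    return by_zone, dropped


# Constructed sample traffic arriving on the trunk.
SAMPLE_FRAMES = [
    build_frame("ff:ff:ff:ff:ff:ff", "00:00:5e:00:53:01", b"arp"),            # untagged -> default
    build_frame("00:00:5e:00:53:ff", "00:00:5e:00:53:02", b"ip", (10,)),      # corp wifi
    build_frame("00:00:5e:00:53:ff", "00:00:5e:00:53:03", b"ip", (20,)),      # guest wifi
    build_frame("00:00:5e:00:53:ff", "00:00:5e:00:53:04", b"ip", (99,)),      # not a zone here
    build_frame("00:00:5e:00:53:ff", "00:00:5e:00:53:05", b"ip", (10, 20)),   # stacked tags
]

if __name__ == "__main__":
    zones, dropped = demux_trunk(SAMPLE_FRAMES)
    for name, frames in zones.items():
        print(f"{name:13s} {len(frames)} frame(s)")
    for reason, _ in dropped:
        print("dropped:", reason)
```

      Two things worth noticing when you run it: every frame that carries no tag ends up in VLAN 1, which is why the "default untagged VLAN 1" on a trunk deserves the same rules as any other zone, and a VLAN that is not configured on the port is simply not admitted, so the zone list on the sub-interface is itself a control.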
    • RE: Why Are UTMs Not Recommended Generally

      @scottalanmiller said in Why Are UTMs Not Recommended Generally:

      @dave247 said in Why Are UTMs Not Recommended Generally:

      I want to block all possible porn and gambling sites using the lists provided through the SonicWall services and as a result, all porn and gambling websites are blocked.

      And? I can do all of that without a SonicWall or a UTM. No one is saying you can't do it poorly with a UTM, we are just saying it's not the only, or the best, way to do it.

      You're diverting again. This was a sub-response about you saying you never put it on the edge. I explained why and then you are back to the UTM argument.

      posted in IT Discussion by dave247
    • RE: Why Are UTMs Not Recommended Generally

      @scottalanmiller said in Why Are UTMs Not Recommended Generally:

      @dave247 said in Why Are UTMs Not Recommended Generally:

      I don't understand why you are saying this. The idea is to have web-filtering/white-listing on the perimeter of the network because that ensures that everything on the network has to pass through it.

      Because it's a bad place to have it and doesn't provide anything special like you are thinking. Having your proxy in your pipeline provides what you are looking for, having it on the edge doesn't guarantee that any more than having it anywhere else.

      You are wanting X and stating Y and are feeling that you get X because of Y but that isn't true. This is why UTMs are selling so well, it's become common to think that they are "how" you do features, but those features are things we've had for decades, and UTMs are new, so it can't possibly be the UTM or the edge placement giving the features.

      I want to block all possible porn and gambling sites using the lists provided through the SonicWall services and as a result, all porn and gambling websites are blocked.

      It seems like you are stuck in the past with how to do things and anything that presents itself as a new way of doing things, you throw a fit about. I understand what you are saying and where you are coming from, but I don't think you are being very reasonable with how opposed you are being to the concept of a UTM.

      posted in IT Discussion by dave247
    • RE: Why Are UTMs Not Recommended Generally

      @scottalanmiller said in Why Are UTMs Not Recommended Generally:

      @dave247 said in Why Are UTMs Not Recommended Generally:

      @scottalanmiller said in Why Are UTMs Not Recommended Generally:

      If you just want VLANs, there is no need for more than two ports on your router. You only need more than two ports when you have more than one LAN, not more than one VLAN. So that matters as to whether you need more ports or not.

      I don't fully understand where you are coming from here. I have a different VLAN for each different network (LAN).

      Are you talking about having sub-interfaces?

      VLANs don't require firewall ports. Physical LANs do. You are saying you have VLANs, but saying you need firewall ports for them.

      Basically it works this way....

      If you have VLANs to separate your LANs, you can do it all on one port.

      If you have physical port separation for your LANs, you have no purpose for VLANs.

      VLANs or physical separation are both fine for different use cases, neither is a terrible thing, neither is automatically better than the other. But your description of using VLANs and using six ports on your firewall don't seem to fit. In theory, should be one or the other.

      Let me clarify. I have a switch with various trunk ports (from the different VLANs) which run directly to different ports on our SonicWall. Yes, I could run them all through one trunk port on the switch to a single port on the SonicWall with sub-interfaces, but then bandwidth will be limited to a single 1Gbps Ethernet port. Each zone is on its own VLAN and then we have various firewall rules and policies for those.

      posted in IT Discussion by dave247
    • RE: Why Are UTMs Not Recommended Generally

      @scottalanmiller said in Why Are UTMs Not Recommended Generally:

      @dave247 said in Why Are UTMs Not Recommended Generally:

      @hobbit666 said in Why Are UTMs Not Recommended Generally:

      I understand the no need for UTM to block stuff as most routers will do it. But what about things like content filtering? How do you block unwanted websites being accessed?

      Yeah that's something I was wondering too but it really comes down to just another service either through a separate appliance on the edge of the network or a role enabled somewhere else such as on end-point AV. We use Trend WFBSS where I work and we can do DNS white-listing through that, but it is ideal to have it at the firewall in the event that some device isn't running the Trend AV agent. So yeah, I would have it on the edge, preferably.

      It should never, ever be on the edge. Having it on the edge doesn't provide the peace of mind you are envisioning, that's part of the smoke and mirrors of UTM sales. You don't even need it on your network to get that. It just has to be inline in your web processing pipeline.

      I don't understand why you are saying this. The idea is to have web-filtering/white-listing on the perimeter of the network because that ensures that everything on the network has to pass through it. If we are blocking all porn and gambling categories, then this ensures that nothing in our network will ever get to those sites. It's simple positioning.

      And then on this subject, having a UTM is nice because with Sophos, for example, you have systems with agents on them and then you can put users/machines in various groups and apply different web and application white-lists against them.

      posted in IT Discussion by dave247
    • RE: Why Are UTMs Not Recommended Generally

      @scottalanmiller said in Why Are UTMs Not Recommended Generally:

      If you just want VLANs, there is no need for more than two ports on your router. You only need more than two ports when you have more than one LAN, not more than one VLAN. So that matters as to whether you need more ports or not.

      I don't fully understand where you are coming from here. I have a different VLAN for each different network (LAN).

      Are you talking about having sub-interfaces?

      posted in IT Discussion by dave247
    • RE: Why Are UTMs Not Recommended Generally

      @scottalanmiller said in Why Are UTMs Not Recommended Generally:

      @dave247 said in Why Are UTMs Not Recommended Generally:

      Yeah, I understand what you are saying about having each role of the UTM broken out into separate products and that makes sense and I can see how having the option of a system that "does it all" would be appealing to companies. Let's say I wanted to do that. What would I have to do?

      The first decision point is.... do you really get value from security features beyond those of a good firewall?

      If yes, then which ones specifically?

      Then you'd find ways to get those specific features.

      BTW, what would be a good firewall anyway? Like every time I look up firewall, all I find is UTM

      posted in IT Discussion by dave247
    • RE: Why Are UTMs Not Recommended Generally

      @hobbit666 said in Why Are UTMs Not Recommended Generally:

      I understand the no need for UTM to block stuff as most routers will do it. But what about things like content filtering? How do you block unwanted websites being accessed?

      Yeah that's something I was wondering too but it really comes down to just another service either through a separate appliance on the edge of the network or a role enabled somewhere else such as on end-point AV. We use Trend WFBSS where I work and we can do DNS white-listing through that, but it is ideal to have it at the firewall in the event that some device isn't running the Trend AV agent. So yeah, I would have it on the edge, preferably.

      posted in IT Discussion by dave247
    • RE: Considering moving from SonicWall to Sophos XG (Looking for feedback on Sophos)

      @scottalanmiller said in Considering moving from SonicWall to Sophos XG (Looking for feedback on Sophos):

      Also worth noting, while very light, there are some UTM features in most firewalls today.

      UBNT for example, has DPI filtering rules that can be used. Most of us don't use them, but they exist.

      https://help.ubnt.com/hc/en-us/articles/218732788

      Nothing like a full IDS or Network AV, but will fit some peoples' needs.

      Cool, thanks for the info.

      posted in IT Discussion by dave247
    • RE: Why Are UTMs Not Recommended Generally

      Is this the ideal model?
      [image attachment]

      posted in IT Discussion by dave247
    • RE: Why Are UTMs Not Recommended Generally

      @scottalanmiller said in Why Are UTMs Not Recommended Generally:

      The only way to know that a UTM is providing any value is to run a crazy setup where you have a UTM on one path and a firewall on another and find a way to replay all attacks and see if what the UTM flags is actually something that would have gotten you with the other.

      It's not that UTMs don't provide some value, they certainly do. But they come with loads of caveats. And basically they fall into a horrible middle ground.

      Basically....

      95% of companies have zero need for IDS, Edge AV, Monitoring, etc. so the cost and effort of setting up and maintaining the UTMs is just wasted funds - basically the equivalent of a small breach (cost is cost, however it happens.)

      Of the 5% of companies that really need extreme security, UTMs are a terrible methodology for delivering it. The UTM is the "Small Business Server" of networks. Everyone knows it's in violation of all basic security and stability best practices, but it's cheap and convenient compared to doing it the "right way" so we ignore that it's "bad practice security". For companies where extreme security really matters for real, you can't use a UTM because it's such a bad idea. You use a normal firewall plus you have the "UTM" functionality run as part of the normal enterprise infrastructure with best of breed components in place for each piece, not just everything lumped together on a cheap piece of router hardware. We wouldn't treat our normal IT workloads like this, but since UTMs are really just smoke and mirrors, no one really cares that we aren't treating the components there like serious workloads.

      Real world use of UTMs basically falls into a minuscule range of companies that somehow need more security than standard firewalls, AV, and security practices provide "for cheap", but don't quite warrant a really serious setup of separate security components. So maybe .1% of companies might actually have a UTM be a proper business decision for them (just how one in 1,000 shops actually had MS SBS server be the right choice for them) - but of those, nearly all would need Palo Alto level gear.

      Yeah, I understand what you are saying about having each role of the UTM broken out into separate products and that makes sense and I can see how having the option of a system that "does it all" would be appealing to companies. Let's say I wanted to do that. What would I have to do?

      What I mean is, right now we have several networks (like 6) converged through our SonicWall ports with ACLs. If I split those up, I could use a router to converge the networks, but I would need a router with enough ports - that or use a L3 switch. I feel like I never see a router with more than 2 ports (unless it has add-in cards). I could have a router for each network but then that would be a lot of hardware.

      Then, for the IDS/IPS and white-listing and metrics and all that, I would have to find separate products and connect them all appropriately. I can see the cost of going this route probably being a lot more than what we pay for the SonicWall UTM, but still, I would strongly consider it if it could truly be a better system setup.

      posted in IT Discussion by dave247
    • RE: Why Are UTMs Not Recommended Generally

      @scottalanmiller said in Considering moving from SonicWall to Sophos XG (Looking for feedback on Sophos):

      @dave247 said in Considering moving from SonicWall to Sophos XG (Looking for feedback on Sophos):

      @scottalanmiller said in Considering moving from SonicWall to Sophos XG (Looking for feedback on Sophos):

      @JaredBusch said in Considering moving from SonicWall to Sophos XG (Looking for feedback on Sophos):

      @dave247 I never recommend a UTM. If you are going to go UTM, then go Palo Alto.

      SonicWall is crap. Sophos and Watchguard are meh.

      Same advice here. Avoid UTMs nearly always (there are exceptions, but not that many), but when you need one, then you need one that is really good and that's Palo Alto. These cheesy cheap UTMs just don't cut it. They don't do that much, but cost way too much for what they do.

      Can you explain your reasoning a little more in depth? I've had mostly good experience with SonicWall..

      Define good experiences. One of the problems with UTMs is that they do things that often have negative outcomes, but seem positive. They are part of what is known as security theater. They encourage false fears, and provide false results that seem to protect you against things that generally aren't really threats. It's very difficult to really find value in them, but it's easy to perceive it.

      Not that they have zero value, they can have benefits. But those benefits are generally extremely nominal, while they are costly to acquire and costly to maintain.

      Our appliance has protected us from various external threats (IDS/IPS, Gateway AV, etc), monitoring and alerting have been nice, firewall configuration is easy, support is really good, etc.

      posted in IT Discussion by dave247
    • RE: Why Are UTMs Not Recommended Generally

      @scottalanmiller said in Considering moving from SonicWall to Sophos XG (Looking for feedback on Sophos):

      @JaredBusch said in Considering moving from SonicWall to Sophos XG (Looking for feedback on Sophos):

      @dave247 I never recommend a UTM. If you are going to go UTM, then go Palo Alto.

      SonicWall is crap. Sophos and Watchguard are meh.

      Same advice here. Avoid UTMs nearly always (there are exceptions, but not that many), but when you need one, then you need one that is really good and that's Palo Alto. These cheesy cheap UTMs just don't cut it. They don't do that much, but cost way too much for what they do.

      Can you explain your reasoning a little more in depth? I've had mostly good experience with SonicWall..

      posted in IT Discussion by dave247
    • RE: Why Are UTMs Not Recommended Generally

      @JaredBusch said in Considering moving from SonicWall to Sophos XG (Looking for feedback on Sophos):

      @dave247 I never recommend a UTM. If you are going to go UTM, then go Palo Alto.

      SonicWall is crap. Sophos and Watchguard are meh.

      Uh, ok? Our SonicWall has been great for the most part. We've had issues here and there just like with anything else, but it's met our needs quite a bit. Is there some specific reason you say SonicWall is crap and Sophos is "meh"?

      posted in IT Discussion by dave247
    • RE: Considering moving from SonicWall to Sophos XG (Looking for feedback on Sophos)

      @dbeato said in Considering moving from SonicWall to Sophos XG (Looking for feedback on Sophos):

      @dave247 said in Considering moving from SonicWall to Sophos XG (Looking for feedback on Sophos):

      So as the title says, we use SonicWALL firewall/UTM at our company. It's really nice and we make good use of it between the various security services, but it still seems to lack some of the functionality we are looking for. We did a little bit of research and Sophos XG looks like it might be a really good fit for us as a firewall/UTM, and we would also be using their endpoint protection services as well.

      I was just wondering if anyone had any experience with Sophos XG and could offer some input/ feedback. Was there anything unexpectedly negative about it? How is support?

      We did have a product demo and everything looked really good but I'm still looking around for various bits of feedback from actual customers.

      I am a reseller of Sophos so I am a little biased on this as I have used both. The Sophos XG is more expensive but it integrates with their APs and other products to apply and contain the infections.

      I would also check out Palo Alto as well.

      I asked some other folks in a different online community and some of the feedback I got was good but then I had some people comment that the integrated wifi and the support were not very good (at least in their experience).

      posted in IT Discussion by dave247
    • Considering moving from SonicWall to Sophos XG (Looking for feedback on Sophos)

      So as the title says, we use SonicWALL firewall/UTM at our company. It's really nice and we make good use of it between the various security services, but it still seems to lack some of the functionality we are looking for. We did a little bit of research and Sophos XG looks like it might be a really good fit for us as a firewall/UTM, and we would also be using their endpoint protection services as well.

      I was just wondering if anyone had any experience with Sophos XG and could offer some input/ feedback. Was there anything unexpectedly negative about it? How is support?

      We did have a product demo and everything looked really good but I'm still looking around for various bits of feedback from actual customers.

      posted in IT Discussion by dave247 (tags: utm, sonicwall, sophos, sophos xg, networking, security, firewall)
    • RE: Questions on redundant switch setup

      @pete-s said in Questions on redundant switch setup:

      @dave247 said in Questions on redundant switch setup:

      @pete-s said in Questions on redundant switch setup:

      @jaredbusch said in Questions on redundant switch setup:

      @dave247 said in Questions on redundant switch setup:

      @pete-s

      What kind of firewall and switches are you running?

      One option: if your switches have stacking, then you can put them in a single stack and then create a port group that spans the two switches and then connect that to your NIC teams on the other end. This guards against switch failure, switchport failure, server NIC port failure, Ethernet cable failure, etc..

      [image attachment]

      This adds a level of complexity that you don't have to deal with when using a simple team. But the plus side is higher bandwidth per connected server.

      The "switch independent team" what bonding mode is that in linux? Is it mode 1, active/backup policy?

      You will have to look at your individual network card's drivers and management software with regards to Linux. AKA, read the manual. My guess is that you're running Broadcom NICs and the management software that I've seen/used is called "Broadcom Advanced Control Suite 4" and the "switch independent mode" or team type is called, "Smart Load Balancing and Failover (SLB)".

      I'm all Intel on the NIC side in this case as Supermicro is predominantly Intel NICs and they are very well supported both in FreeBSD and Linux.

      Contrary to Windows, Linux actually has bonding of different types in the kernel (a module called bonding). So the drivers don't have to do bonding.

      oh nice. I have no idea. I haven't done much with Linux lately. Still, I would read the NIC documentation as it pertains to Linux.

      posted in IT Discussion by dave247
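      The question in this exchange is which Linux bonding mode a "switch independent team" is, and the answer the kernel gives is mode 1 (active-backup), which needs nothing configured on the switch; the port group spanning a stack in the drawing above is mode 4 (802.3ad/LACP), which only works across two switches when they act as one LACP partner. As an added example, not code from the thread or from any vendor's NIC software, here is a check that reads the bonding driver's own status file, reports what the switch side must provide for the mode in use, and says whether the bond is still redundant. The two status texts are constructed samples laid out like /proc/net/bonding/<bond>, and the interface names eno1 and eno2 are assumed.

```python
"""Check a Linux bond's redundancy from the driver's status file. Added example,
not from the thread: the status texts are constructed in the /proc/net/bonding/<bond>
layout with assumed interface names; on a host pass open("/proc/net/bonding/bond0").read()."""
import re
from typing import Dict, List, Optional

# Mode strings as the driver prints them -> (mode= value, name, what the switch
# must provide). Modes 1, 5, 6 are "switch independent"; 0, 2, 3 need a static
# port-channel; 4 needs LACP, and an LACP group spanning two switches needs a
# stack or MLAG, which is the cross-switch port group in the drawing above.
MODES = {
    "load balancing (round-robin)":          (0, "balance-rr",    "static port-channel"),
    "fault-tolerance (active-backup)":       (1, "active-backup", "none"),
    "load balancing (xor)":                  (2, "balance-xor",   "static port-channel"),
    "fault-tolerance (broadcast)":           (3, "broadcast",     "static port-channel"),
    "IEEE 802.3ad Dynamic link aggregation": (4, "802.3ad",       "LACP"),
    "transmit load balancing":               (5, "balance-tlb",   "none"),
    "adaptive load balancing":               (6, "balance-alb",   "none"),
}


def _field(pattern: str, text: str) -> Optional[str]:
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None


def parse_bond_status(text: str) -> Dict:
    """The file is one header block followed by one block per slave interface."""
    head, *blocks = re.split(r"\n(?=Slave Interface: )", text)
    mode = (_field(r"^Bonding Mode: (.+)$", head) or "").strip()
    if mode not in MODES:
        raise ValueError(f"unrecognised bonding mode: {mode!r}")
    mode_num, mode_name, switch_side = MODES[mode]
    active = _field(r"^Currently Active Slave: (\S+)$", head)   # printed in mode 1 only
    slaves: List[Dict] = []
    for blk in blocks:
        agg = _field(r"^Aggregator ID: (\d+)$", blk)            # printed in mode 4 only
        slaves.append({
            "name": _field(r"^Slave Interface: (\S+)$", blk),
            "up": _field(r"^MII Status: (\S+)$", blk) == "up",
            "failures": int(_field(r"^Link Failure Count: (\d+)$", blk) or 0),
            "aggregator": int(agg) if agg else None,
        })
    return {"mode_num": mode_num, "mode": mode_name, "switch_side": switch_side,
            "active_slave": None if active in (None, "None") else active, "slaves": slaves}


def assess(bond: Dict) -> Dict:
    """Redundant: at least two links up and, for 802.3ad, all in one aggregator
    (two aggregators mean the switch ports did not negotiate as one LACP partner,
    so only one link is actually carrying traffic)."""
    slaves = bond["slaves"]
    up = [s for s in slaves if s["up"]]
    problems = [f'{s["name"]}: link down, {s["failures"]} failures' for s in slaves if not s["up"]]
    if len(up) < 2:
        problems.append(f"only {len(up)} of {len(slaves)} links up")
    if bond["mode_num"] == 4 and len({s["aggregator"] for s in up}) > 1:
        problems.append("links split across aggregators: switch is not one LACP partner")
    if bond["mode_num"] == 1 and bond["active_slave"] is None:
        problems.append("active-backup bond has no active link")
    return {"mode": bond["mode"], "switch_side": bond["switch_side"],
            "redundant": not problems, "problems": problems}


# Constructed sample: active-backup (mode 1, switch independent) with eno2 down.
SAMPLE_ACTIVE_BACKUP = """\
Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eno1
MII Status: up

Slave Interface: eno1
MII Status: up
Link Failure Count: 0

Slave Interface: eno2
MII Status: down
Link Failure Count: 3
"""

# Constructed sample: 802.3ad (mode 4) with both links in aggregator 1.
SAMPLE_LACP = """\
Bonding Mode: IEEE 802.3ad Dynamic link aggregation
MII Status: up

802.3ad info
LACP rate: slow
Active Aggregator Info:
\tAggregator ID: 1
\tNumber of ports: 2

Slave Interface: eno1
MII Status: up
Link Failure Count: 0
Aggregator ID: 1

Slave Interface: eno2
MII Status: up
Link Failure Count: 0
Aggregator ID: 1
"""

if __name__ == "__main__":
    for sample in (SAMPLE_ACTIVE_BACKUP, SAMPLE_LACP):
        print(assess(parse_bond_status(sample)))
```

      The first sample is the quiet failure a redundant design is meant to survive but that nobody notices: the bond keeps passing traffic on eno1 while the standby link is dead, so the host is one cable away from an outage. Running this from a monitoring check turns that into an alert instead of a surprise.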
    • RE: Questions on redundant switch setup

      @pete-s said in Questions on redundant switch setup:

      @jaredbusch said in Questions on redundant switch setup:

      @dave247 said in Questions on redundant switch setup:

      @pete-s

      What kind of firewall and switches are you running?

      One option: if your switches have stacking, then you can put them in a single stack and then create a port group that spans the two switches and then connect that to your NIC teams on the other end. This guards against switch failure, switchport failure, server NIC port failure, Ethernet cable failure, etc..

      [image attachment]

      This adds a level of complexity that you don't have to deal with when using a simple team. But the plus side is higher bandwidth per connected server.

      The "switch independent team" what bonding mode is that in linux? Is it mode 1, active/backup policy?

      You will have to look at your individual network card's drivers and management software with regards to Linux. AKA, read the manual. My guess is that you're running Broadcom NICs and the management software that I've seen/used is called "Broadcom Advanced Control Suite 4" and the "switch independent mode" or team type is called, "Smart Load Balancing and Failover (SLB)".

      posted in IT Discussion by dave247
    • RE: Questions on redundant switch setup

      @pete-s said in Questions on redundant switch setup:

      @dave247 Thanks Dave, looks like a good solution.

      I don't have any switches yet so any recommendations on what to get?

      Regarding the firewall, I'm leaning toward software based firewalls, like pfSense (FreeBSD) or VyOS (Linux) - mainly for performance reasons (OpenVPN) and flexibility.

      I think the Dell N series switches are great. We use a bunch of Dell N3048s where I work but I think they might be a bit over-kill. They have a lot of features we likely won't ever use. I would suggest looking at the Dell N2000 series depending on your needs. Do some reading on how they stack and their other features.

      Here's info on the N1100 series and at the bottom right of that page are white-sheets on the various other models.

      I've used pfSense before and I think it's pretty good. You would have a lot more flexibility with how you set up your interfaces if you build out a custom system. Or are you buying one of their appliances?

      posted in IT Discussion by dave247
    • RE: Questions on redundant switch setup

      @pete-s

      What kind of firewall and switches are you running?

      One option: if your switches have stacking, then you can put them in a single stack and then create a port group that spans the two switches and then connect that to your NIC teams on the other end. This guards against switch failure, switchport failure, server NIC port failure, Ethernet cable failure, etc..

      [image attachment]

      posted in IT Discussion by dave247