I am not sure how you want to slice it up, but the 100/100 pipe just wasn't cutting it. When we had a shift change in the shop, people clocking in and out would cause very noticeable slowdown across the entire network at both sites. If I happened to be running that offsite backup (which was taking something like 150 hours each time), I would get constant complaints. Now, I can see that a lot of it has to do with how we are set up, but changing the router and internet service is a lot quicker than resolving issues with our ERP or how stuff is on the network. So call it a band-aid if you must, but it got us out of some of the immediate issues we were facing, and has allowed me to take a lot more time making sure that when I change everything up, what I am putting in is actually better and not just throwing money at it, hoping the problems will go away.

Posts
-
RE: What makes people want IPSEC at line speed
My company has two locations that are about 10 miles apart. Each has ~25 office staff and ~100 shop employees. We are a manufacturing/fabrication company.
My first bad apple is my ERP, which we picked out 4 years ago. As I have learned since, it's not a great one. For reasons that I cannot remember at the moment, it is at one branch. Our file server is located at the other office because at the time, the 2 drive NAS it replaced was at that location, and the majority of our engineers are also at that location. We bought into the myth that we needed MS everything with AD and all that, so I originally had two hosts, one at each location, each with a DC and one of the primary services. At that time, we only had a 10/10 ptp that our Nortel PBX required. This was left over from before we had data access between the plants. Shortly after getting everyone on the ERP, we discovered that 10/10 was simply not sufficient for the users that have to access it remotely. We set up an RDS server to try and alleviate some of this, but it can only do so much. We then bumped that up to the 100/100 that we still have, and will still have for a while because of contracts. At this point, I also moved my office to the location that has the ERP.
One final thing that is currently in place, but is planned to be removed, is our offsite backups. At the moment, I am required by company policy to make copies of some of the data and take it offsite, to the safe deposit box at the bank. The way I was doing this was and still is very inefficient. I have been copying individual files from all over our systems, a lot of it coming over the site-to-site link, to an external SSD. This one step was absolutely killing the network, and was unsustainable. This is actually what prompted my current project, because it was a bad backup plan.
That brings me to where we were a few months ago. I spend the majority of my time dealing with our ERP and other things like that, and I have not had enough time to really learn the best way this should have been set up in the beginning. Because of this, and because I want to make sure that I am not setting us up for failure, we brought in outside help this time, specifically from someone who is not a VAR. We've been led astray by advice from VARs, and they might share a little of the blame for where I am now.
-
RE: What makes people want IPSEC at line speed
Please bear in mind that a lot of our issues were either the direct result of my personal inexperience and decisions about 4 years ago, or my company's overall lack of experience when it comes to how IT should be done. 4 years ago we did not have IT, we had a 2 drive NAS, and that is basically it. To put that into perspective, we literally did not have email access until 2011, which is about a year before I got here. The company I work for was, and to a large degree still is, either behind the times or working from bad assumptions. I will claim the mistakes that I made previously and perhaps more recently, and say that a large part of why I am here on ML is to learn where I went wrong, and to try and make a plan for the present and future that is more in line with what would be considered "standard IT practices".
-
RE: What makes people want IPSEC at line speed
My current setup is such that I've got two primary resources that my users access, and two locations, each about the same size. One resource, the file server, is at one location, and our ERP is at the other. Both sides utilize both resources all day long. We upgraded from a 100/100 ptp ethernet circuit to this because it was constantly saturated. Also, all internet traffic for one location was funneled through said ptp, and exited our other location, because the first did not have its own connection to the outside world. Our setup was far from ideal, which is why it is mostly getting scrapped.
-
RE: What makes people want IPSEC at line speed
I am also pulling real time backups across this ATM because of a poorly designed (by me) network layout from a few years ago. This is part of the issues we are fixing with my current project.
-
RE: What makes people want IPSEC at line speed
I've got 25 users connecting to a poorly designed ERP over it. Also sometimes large CAD files being accessed across it.
-
What flavor of linux to replace windows?
With all this discussion about Linux, what would be a good distro to experiment with if I am coming from a purely Windows background? I have dabbled with a few different Ubuntu versions, but that was several years ago and I did not get very much into it.
But I have taken to heart the information presented here on ML and from conversations with @scottalanmiller, and I am going to look into our dependency on MS. Any suggestions on what could be a suitable desktop replacement for my users who only know Windows 7/10? There are still several workflow areas where I have not found any suitable replacement applications, or other workflow modifications that would allow me to abandon Windows, but I need to start evaluating the incorporation of Linux where applicable.
The two main workflows we have that I have not found viable solutions for yet are ERP and CAD. The ERP is dependent on both Windows and SQL. CAD, specifically AutoCAD and SolidWorks, is dependent on Windows at this point, but I hear that cloud versions are in development and that may eventually allow both to be run in browsers, removing the Windows limitation.
Practically all my users fall into one of those workflows, but I've got to start somewhere.
-
RE: Ubiquiti EdgeRouter Pro (ERPro-8) IPsec performance
@scottalanmiller for the sake of this thread, the link shows both ERL and ERPro
-
RE: Why I See UTMs As Generally Bad in the Current Market
@scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:
@Donahue said in Why I See UTMs As Generally Bad in the Current Market:
The reason we went with Fortigate over an Edge router is that the Edge router couldn't do the IPsec bandwidth we were trying to hit. But mine is an NGFW with UTM bundled in. Could there have been some other product that I don't know of that would have been better in our case?
ERL does nearly half of what you need...
https://community.ubnt.com/t5/EdgeRouter/ERL-Performance-Testing-with-IPSec-VPN/m-p/1053799#M44593
ER and ERPro are so much more powerful. The ER Pro has 2x the CPU power, and 4x the RAM. We'd expect it to be able to saturate your lines no problem. Of course that is "expect", but based on the ERL speeds, and that they run the same code, there is little doubt that it can push IPSec over 1Gig speeds.
Your link is what convinced me not to use the ER Pro. The Pros will only do <500 Mbps at full capacity; it's in the link you posted.
-
RE: Why I See UTMs As Generally Bad in the Current Market
The reason we went with Fortigate over an Edge router is that the Edge router couldn't do the IPsec bandwidth we were trying to hit. But mine is an NGFW with UTM bundled in. Could there have been some other product that I don't know of that would have been better in our case?
-
RE: Why I See UTMs As Generally Bad in the Current Market
@scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:
@dave247 said in Why I See UTMs As Generally Bad in the Current Market:
@scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:
@dave247 said in Why I See UTMs As Generally Bad in the Current Market:
@scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:
@dave247 said in Why I See UTMs As Generally Bad in the Current Market:
If you ARE supporting NGFW and opposing the use of UTMs, I will just say that my current SonicWall model is specifically listed as a NGFW (though you have argued with me in the past about it actually being a UTM). Also, the Sophos XG product that I originally posted about is also an NGFW. I assume you will respond by saying that they just stopped calling them UTMs and are now calling them NGFW, so if that's the case, can you provide some list of products or features that you would use to distinguish a UTM from a NGFW?
NGFW is deep packet inspection (higher layers than the L3 and L4 of traditional shallow packet inspection firewalls), but not features like content filtering, anti-virus, IDS, etc.
I would put it as UTM is "general purpose applications running on a router as if it were a server." That's the key differentiation. To be a UTM, you have to treat your router hardware like basically a general purpose server running traditional server workloads (AV, Content Filtering, Proxy, IDS, etc.) on it.
OK, that helps clarify then. In my case, our current appliance is being used as both NGFW and UTM. The product we are looking at would be about the same, but do a better job in different areas.
Right, so basically these days, any good UTM will be based on NGFW as its starting point. SonicWall, Sophos, Palo Alto should all be NGFW + UTM.
The NGFW I'm fully in support of when it makes sense (which is decently often), but the UTM pieces I would much rather see elsewhere (if at all), meaning running on the server infrastructure.
(╯°□°)╯︵ ┻━┻
Same as we've always been saying. Firewall is not the place for the "UTM pieces". They are better elsewhere, when needed.
It's that they are rarely needed, but sometimes.
When they are needed, the firewall isn't the best place for them. It's not that the concepts are always bad, it's just how they are pushed way too often, and not in a good way to deploy them, because it's not a good security practice to have them on the firewall.
How many NGFW products are on the market that do not come bundled with UTM?
-
RE: What Are You Doing Right Now
@Donahue said in What Are You Doing Right Now:
@DustinB3403 said in What Are You Doing Right Now:
@Donahue said in What Are You Doing Right Now:
I tried to talk someone out of the IPOD on
But they still bought it, right?
They had everything bought before they even started the thread. They don't know how they are going to set up the networking portion yet, but they still already bought the hardware, because you know, it's magically redundant.
I've made the mistake of jumping the gun and buying hardware before I knew how I was going to use it all, and ended up having to try and make lemonade out of lemons, so I can't really cast the first stone.
I thought of a good analogy on the way into work this morning, about the difference between redundant compute nodes and redundant storage. In the classic IPOD scheme, the compute nodes are like cars and the SAN is like the driver. All the value is in the driver and the car is just a means to an end. You can crash a car and replace it rather easily. In a pinch, just about any car would do. But if the driver dies, there is no point to the car, so the driver is obviously the most important part of the equation. Obviously the analogy breaks down because you can't have redundant persons IRL, but you get the point.
-
RE: What Are You Doing Right Now
@DustinB3403 said in What Are You Doing Right Now:
@Donahue said in What Are You Doing Right Now:
I tried to talk someone out of the IPOD on
But they still bought it, right?
They had everything bought before they even started the thread. They don't know how they are going to set up the networking portion yet, but they still already bought the hardware, because you know, it's magically redundant.
I've made the mistake of jumping the gun and buying hardware before I knew how I was going to use it all, and ended up having to try and make lemonade out of lemons, so I can't really cast the first stone.
-
RE: Why I See UTMs As Generally Bad in the Current Market
@StuartJordan said in Why I See UTMs As Generally Bad in the Current Market:
An interesting topic, we could go on from this by recommending how to run the individual services correctly outside of the UTM device. IDS/IPS, DPI. Etc. That would be a good topic as well.
I agree.
-
RE: Are VLANs Appropriate Here
No, I am saying that I could see that someone wanted to separate out their devices so each could have its own separate DHCP scope. I am not saying that this was a good idea, or that I would do it, just that I can see how VLANs could be used to achieve that effect. Again, I am not saying this would be using VLANs correctly.
-
RE: So I built: Pi-hole
@scottalanmiller said in So I built: Pi-hole:
@Donahue said in So I built: Pi-hole:
I am guessing this is only part of a complete solution. What I want to be able to do is filter specific types of content, specifically torrent and similar, from my network from devices I am not able to control otherwise.
Filtering TYPES of things requires deep packet inspection. Totally different kind of thing and use case.
Right, this seems more like a web filter, which is still nice to have from time to time. But I would agree that web filters are more like a band-aid for HR issues. I say that also having mine turned on with my Fortigates.
-
RE: Are VLANs Appropriate Here
@scottalanmiller said in Are VLANs Appropriate Here:
@Donahue said in Are VLANs Appropriate Here:
Is this just a DHCP scope thing?
Right, DHCP is affected, but not security.
I can see the argument of having two different DHCP scopes, one for wired and one for wireless. I cannot comment on if that is the best choice though, just that it makes sense.
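For readers wondering what "one scope for wired, one for wireless" actually looks like on the DHCP side, here is an added ISC dhcpd configuration illustrating it. This is example config written for this page, not anything posted in the thread; the VLAN numbers, subnets, gateway addresses and lease times are all assumed values.

```conf
# Constructed example: two VLANs, each with its own DHCP scope.
# VLAN IDs, subnets, gateways and lease times are assumed, not from the thread.

# VLAN 10: wired office devices
subnet 192.168.10.0 netmask 255.255.255.0 {
    range 192.168.10.100 192.168.10.200;
    option routers 192.168.10.1;
    option domain-name-servers 192.168.10.1;
    default-lease-time 86400;   # wired hosts stay put; long leases are fine
}

# VLAN 20: wireless clients
subnet 192.168.20.0 netmask 255.255.255.0 {
    range 192.168.20.100 192.168.20.250;
    option routers 192.168.20.1;
    option domain-name-servers 192.168.20.1;
    default-lease-time 3600;    # transient clients; recycle addresses quickly
}
```

Note what this does and does not buy you, which is the point Scott makes above: each VLAN gets its own address pool, gateway and lease policy, and nothing more. The router at 192.168.10.1 and 192.168.20.1 will happily forward traffic between the two subnets unless it also carries an explicit filtering rule between them, so the split by itself changes address management, not security.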
-
RE: So I built: Pi-hole
I am guessing this is only part of a complete solution. What I want to be able to do is filter specific types of content, specifically torrent and similar, from my network from devices I am not able to control otherwise.