    SMB firewall options

    • gjacobse @zuphzuph

      @zuphzuph said in SMB firewall options:

      Untangle. 😄

      There was a time that I would have suggested UT... and I have used it at two non-profits without any issues.

      @scottalanmiller has pointed me at laying off the UT bus and pointing more towards the true FW, and I have installed a UBNT ERLite at home now. I've not spent a lot of time with it... but from my exposure to it in the client field, the ER and ERL line work well.

      And as mentioned - OpenVPN is on nearly everything. Even the ER line.

      • JaredBusch

        Untangle is fine if you want a massive AIO beast. I hate those though.

        • stacksofplates @JaredBusch

          @JaredBusch said in SMB firewall options:

          go with EdgeMax as a baseline

          EdgeRouter X?

          • zuphzuph @JaredBusch

            @JaredBusch said in SMB firewall options:

            Untangle is fine if you want a massive AIO beast. I hate those though.

            Just out of curiosity, why?

            • JaredBusch @zuphzuph

              @zuphzuph said in SMB firewall options:

              @JaredBusch said in SMB firewall options:

              Untangle is fine if you want a massive AIO beast. I hate those though.

              Just out of curiosity, why?

              AIO are just bad in general.

              If you have 4 tasks that you need to do, separate them out unless there is a good benefit to keeping them AIO.

              • JaredBusch @stacksofplates

                @stacksofplates said in SMB firewall options:

                @JaredBusch said in SMB firewall options:

                go with EdgeMax as a baseline

                EdgeRouter X?

                I would never use an ER-X for an office with more than 5 or 6 users. The ER-X does not have the balls for it.

                It is a great SOHO device and handles that task well. For an office, I would always start with the ERL or ERPoE. Then move up to the ER-8 if needed.

                • stacksofplates @JaredBusch

                  @JaredBusch said in SMB firewall options:

                  @stacksofplates said in SMB firewall options:

                  @JaredBusch said in SMB firewall options:

                  go with EdgeMax as a baseline

                  EdgeRouter X?

                  I would never use an ER-X for an office with more than 5 or 6 users. The ER-X does not have the balls for it.

                  It is a great SOHO device and handles that task well. For an office, I would always start with the ERL or ERPoE. Then move up to the ER-8 if needed.

                  I misunderstood what you were saying. I thought you were saying a certain model of theirs but you just meant the line with EdgeMax.

                  • wrx7m @scottalanmiller

                    @scottalanmiller said in SMB firewall options:

                    Only things I use anymore...

                    • Ubiquiti for nearly everything.
                    • Sophos if they demand UTM but don't have the resources for the good stuff.
                    • Palo Alto if they really need edge security.

                    What would you consider "the good stuff" that you would use instead of Sophos UTM?

                    • JaredBusch @wrx7m

                      @wrx7m said in SMB firewall options:

                      @scottalanmiller said in SMB firewall options:

                      Only things I use anymore...

                      • Ubiquiti for nearly everything.
                      • Sophos if they demand UTM but don't have the resources for the good stuff.
                      • Palo Alto if they really need edge security.

                      What would you consider "the good stuff" that you would use instead of Sophos UTM?

                      What do you mean? There are many pieces to a UTM.

                      The FOSS pieces are readily available individually.

                      • Veet

                        I think, for ~20 users, most of what you've listed would work (Although, I'm not a big fan of Cisco, and Watchguard)

                        Apart from DNS services, I haven't used any Cloud based security service...

                        • wrx7m @JaredBusch

                          @JaredBusch said in SMB firewall options:

                          @wrx7m said in SMB firewall options:

                          @scottalanmiller said in SMB firewall options:

                          Only things I use anymore...

                          • Ubiquiti for nearly everything.
                          • Sophos if they demand UTM but don't have the resources for the good stuff.
                          • Palo Alto if they really need edge security.

                          What would you consider "the good stuff" that you would use instead of Sophos UTM?

                          What do you mean? There are many pieces to a UTM.

                          The FOSS pieces are readily available individually.

                          I understand that there are many pieces to a UTM. That is why I am asking what, specifically, SAM considers the good stuff? The good stuff could mean brand, technology type or both.

                          • Jason @wrx7m

                            @wrx7m said in SMB firewall options:

                            I understand that there are many pieces to a UTM. That is why I am asking what, specifically, SAM considers the good stuff? The good stuff could mean brand, technology type or both.

                            Juniper, WatchGuard, Checkpoint are usually considered the top contenders in UTM market...

                            but be prepared: say, a Juniper SRX5600 base model starts at $30,000.

                            Some of the Check Point models start at $150,000.

                            WatchGuard is on the lower end and I think their most expensive unit is only $50,000.

                            • Veet @Jason

                              @Jason said in SMB firewall options:

                              @wrx7m said in SMB firewall options:

                              I understand that there are many pieces to a UTM. That is why I am asking what, specifically, SAM considers the good stuff? The good stuff could mean brand, technology type or both.

                              Juniper, WatchGuard, Checkpoint are usually considered the top contenders in UTM market...

                              but be prepared: say, a Juniper SRX5600 base model starts at $30,000.

                              Some of the Check Point models start at $150,000.

                              WatchGuard is on the lower end and I think their most expensive unit is only $50,000.

                              I've used/deployed quite a few (this was years ago) WatchGuard appliances, and I really hated the interface and, more so, the support... Wouldn't rate them as "Top Contender"... Checkpoint & Juniper - yes... But these are for enterprise level...

                              For 20 users or so, I'd stick with an all-in-one box (UTM)... Sophos, Sonicwall, pfsense... all would work just as well.

                              Say, anyone heard of or worked with Crossbeam in the past...? I don't think the brand/company exists anymore... but just wondering...

                              • scottalanmiller @wrx7m

                                @wrx7m said in SMB firewall options:

                                @JaredBusch said in SMB firewall options:

                                @wrx7m said in SMB firewall options:

                                @scottalanmiller said in SMB firewall options:

                                Only things I use anymore...

                                • Ubiquiti for nearly everything.
                                • Sophos if they demand UTM but don't have the resources for the good stuff.
                                • Palo Alto if they really need edge security.

                                What would you consider "the good stuff" that you would use instead of Sophos UTM?

                                What do you mean? There are many pieces to a UTM.

                                The FOSS pieces are readily available individually.

                                I understand that there are many pieces to a UTM. That is why I am asking what, specifically, SAM considers the good stuff? The good stuff could mean brand, technology type or both.

                                Sorry, been away. "Good stuff" was referring to Palo Alto there.

                                • scottalanmiller @Veet

                                  @Veet said in SMB firewall options:

                                  For 20 users or so, I'd stick with an all-in-one box (UTM) ... Sophos, Sonicwall, pfsense ... all would work, just as well

                                  We've had bad luck with SonicWall. Unreliable, breaks things, hard to manage. If you are considering SonicWall, get Sophos instead.

                                  • Jason @Veet

                                    @Veet said in SMB firewall options:

                                    For 20 users or so, I'd stick with an all-in-one box (UTM) ... Sophos, Sonicwall, pfsense ... all would work, just as well

                                    Sonicwall is crap.

                                    Pfsense is not really a UTM, it's a firewall. Sure, you can add some packages to it, but it doesn't perform that well as a UTM.

                                    • Jason @scottalanmiller

                                      @scottalanmiller said in SMB firewall options:
                                      and, technology type or both.

                                      Sorry, been away. "Good stuff" was referring to Palo Alto there.

                                      Palo Alto does not make true UTMs; they are all considered firewalls. We have them and they are great, but they aren't classified as UTMs.

                                      This is what Palo Alto themselves say about UTMs

                                      The only value proposition a UTM provides is to collapse the traditional (broken) network security infrastructure into a single box as a cost savings mechanism.

                                      • scottalanmiller @Jason

                                        @Jason said in SMB firewall options:

                                        @Veet said in SMB firewall options:

                                        For 20 users or so, I'd stick with an all-in-one box (UTM) ... Sophos, Sonicwall, pfsense ... all would work, just as well

                                        Sonicwall is crap.

                                        Pfsense is not really a UTM, it's a firewall. Sure, you can add some packages to it, but it doesn't perform that well as a UTM.

                                        And isn't meant to, it's meant to be a strong firewall / router. The thing that makes it so good is the incredible performance of the FreeBSD network stack and the pf firewall component of that. The other stuff is just random add-ons, generally not a good thing on a router.

                                        • scottalanmiller @Jason

                                          @Jason said in SMB firewall options:

                                          @scottalanmiller said in SMB firewall options:
                                          and, technology type or both.

                                          Sorry, been away. "Good stuff" was referring to Palo Alto there.

                                          Palo Alto does not make true UTMs; they are all considered firewalls. We have them and they are great, but they aren't classified as UTMs.

                                          This is what Palo Alto themselves say about UTMs

                                          The only value proposition a UTM provides is to collapse the traditional (broken) network security infrastructure into a single box as a cost savings mechanism.

                                          Partly why I like PA so much 🙂 But they do more than a traditional firewall, less than a "full" UTM.

                                          • BRRABill @scottalanmiller

                                            @scottalanmiller said

                                            Partly why I like PA so much 🙂 But they do more than a traditional firewall, less than a "full" UTM.

                                            BTW, at MC you mentioned $10K as an entry point to PA.

                                            We have the PA-200 and it was less than $3K.

                                            And like $1.2K ongoing a year for subscriptions, support, etc.
