    Ubiquiti USG-PRO-4

      FATeknollogee

      For folks that use this as an "edge" device, what else do you have downstream for "UTM" (using this term loosely) or "protection"?

        FATeknollogee @scottalanmiller

        @scottalanmiller said:

        That baby does L3 routing at 4Gb/s wire speed. This is not a system that is playing around.

        You're saying this USG-PRO-4 performs real good (that might be incorrect grammar)

          scottalanmiller @FATeknollogee

          @FATeknollogee said:

          For folks that use this as an "edge" device, what else do you have downstream for "UTM" (using this term loosely) or "protection"?

          Generally, nothing. UTM devices are mostly hype. Some really high end ones, like Palo Alto, are quite good. But they are incredibly costly to be able to do that. It requires a lot of special software and tons of blazing fast hardware to inspect a serious WAN connection in real time.

          What UTM features are you seeking? On the fly malware detection is awesome, but I've never heard of it protecting someone. AV on individual machines is the normal approach.

            scottalanmiller @FATeknollogee

            @FATeknollogee said:

            You're saying this USG-PRO-4 performs real good (that might be incorrect grammar)

            Performs really well, yes. 🙂 Ubiquiti's claim to fame is their incredibly high throughput. Their $100 starter router is faster than a $3,000 Cisco while having more features.

              coliver @FATeknollogee

              @FATeknollogee said:

              For folks that use this as an "edge" device, what else do you have downstream for "UTM" (using this term loosely) or "protection"?

              What features are you looking for? There are tons of options for website filtering and proxy services.

                FATeknollogee @scottalanmiller

                @scottalanmiller said:

                @FATeknollogee said:

                For folks that use this as an "edge" device, what else do you have downstream for "UTM" (using this term loosely) or "protection"?

                Generally, nothing. UTM devices are mostly hype. Some really high end ones, like Palo Alto, are quite good. But they are incredibly costly to be able to do that. It requires a lot of special software and tons of blazing fast hardware to inspect a serious WAN connection in real time.

                What UTM features are you seeking? On the fly malware detection is awesome, but I've never heard of it protecting someone. AV on individual machines is the normal approach.

                Was just trying to feel the "temperature" of what folks are using.
                Like you said, this box on the edge + AV (at the client) should be sufficient

                  FATeknollogee @coliver

                  @coliver said:

                  @FATeknollogee said:

                  For folks that use this as an "edge" device, what else do you have downstream for "UTM" (using this term loosely) or "protection"?

                  What features are you looking for? There are tons of options for website filtering and proxy services.

                  AV protection / Content filtering

                    scottalanmiller @FATeknollogee

                    @FATeknollogee said:

                    Was just trying to feel the "temperature" of what folks are using.

                    AV on boxes is the big one. If you need web security then a "post firewall" web proxy and filter would be good, this could be Squid, Websense or something like that.

                    Email we have filtered by the email host, so those UTM features are unique to shops running email in house and not having external filtering which is not advised, even for people who need on premises email the filtering should be hosted.

                    Anyone who makes a good UTM will make an even better non-UTM where the firewall sits beyond it and it does additional inspection inside of the network. But pretty much my rule of thumb is... if you aren't putting in Palo Alto, don't waste your time. Most everything less than that is not worthwhile and will just add complications and cost without real benefit.

                      coliver @FATeknollogee

                      @FATeknollogee said:

                      @coliver said:

                      @FATeknollogee said:

                      For folks that use this as an "edge" device, what else do you have downstream for "UTM" (using this term loosely) or "protection"?

                      What features are you looking for? There are tons of options for website filtering and proxy services.

                      AV protection / Content filtering

                      Squid Proxy, Websense, DansGuardian. Run these on their own VM and you can tune them to meet your performance requirements, this is much harder when running a UTM as you are limited by the hardware and artificial vendor limitations.

                        scottalanmiller @FATeknollogee

                        @FATeknollogee said:

                        AV protection / Content filtering

                        Yup. AV at the firewall is definitely nice but nearly impossible to do well. It has to be so fast or else it causes a major problem. We've seen 100Mb/s lines drop to 5Mb/s from trying to use a UTM on it.

                        Content Filtering, which I often advise to very carefully consider if it is going to be actually valuable or not, is far better handled by a dedicated device. I've been doing web filtering since the mid-1990s as it was one of my foci when I studied for my Windows certs and we even ran it in house (meaning in MY HOUSE) and loved it. But you don't want it in a UTM, to do it well you need a lot of flexibility, tons of speed, total control and you will want to cache like crazy which is something UTMs cannot do well due to hardware limitations.

                          scottalanmiller @coliver

                          @coliver said:

                          @FATeknollogee said:

                          @coliver said:

                          @FATeknollogee said:

                          For folks that use this as an "edge" device, what else do you have downstream for "UTM" (using this term loosely) or "protection"?

                          What features are you looking for? There are tons of options for website filtering and proxy services.

                          AV protection / Content filtering

                          Squid Proxy, Websense, DansGuardian. Run these on their own VM and you can tune them to meet your performance requirements, this is much harder when running a UTM as you are limited by the hardware and artificial vendor limitations.

                          Add SSDs, aggressive caches, lots of memory and for less cost than a UTM you can accelerate a lot of the web content to GigE speeds, too!

                            coliver

                            I'm not sure about AV protection. You will catch most of that with a Squid Proxy/content filter, not sure how you would go about it without impacting the speed of traffic.

                              coliver @scottalanmiller

                              @scottalanmiller said:

                              @coliver said:

                              @FATeknollogee said:

                              @coliver said:

                              @FATeknollogee said:

                              For folks that use this as an "edge" device, what else do you have downstream for "UTM" (using this term loosely) or "protection"?

                              What features are you looking for? There are tons of options for website filtering and proxy services.

                              AV protection / Content filtering

                              Squid Proxy, Websense, DansGuardian. Run these on their own VM and you can tune them to meet your performance requirements, this is much harder when running a UTM as you are limited by the hardware and artificial vendor limitations.

                              Add SSDs, aggressive caches, lots of memory and for less cost than a UTM you can accelerate a lot of the web content to GigE speeds, too!

                              How much of that is disk sensitive? My guess is that the processor and memory would be doing 99% of the work. Or does it do a lookup to disk whenever a request comes in?

                                scottalanmiller @coliver

                                @coliver said:

                                I'm not sure about AV protection. You will catch most of that with a Squid Proxy/content filter, not sure how you would go about it without impacting the speed of traffic.

                                That's why UTMs can't really do it. You need incredible CPU horsepower and enough RAM to never have to go to storage. Generally you need a lot of threads, fast CPU speeds and many GB of RAM. Most UTM are like 1GB, but realistically you need more like 4GB - 8GB.

                                  coliver @scottalanmiller

                                  @scottalanmiller said:

                                  @coliver said:

                                  I'm not sure about AV protection. You will catch most of that with a Squid Proxy/content filter, not sure how you would go about it without impacting the speed of traffic.

                                  That's why UTMs can't really do it. You need incredible CPU horsepower and enough RAM to never have to go to storage. Generally you need a lot of threads, fast CPU speeds and many GB of RAM. Most UTM are like 1GB, but realistically you need more like 4GB - 8GB.

                                  Are there in-line virus scanners? Something you route traffic through and it does the work? I've never seen one outside of a UTM.

                                    scottalanmiller @coliver

                                    @coliver said:

                                    Are there in-line virus scanners? Something you route traffic through and it does the work? I've never seen one outside of a UTM.

                                    Pretty much all UTM makers make UTM for starter businesses and dedicated scanning for serious ones 🙂 Even Netgear makes UTM only for tiny companies and STM for larger ones.

                                      coliver @scottalanmiller

                                      @scottalanmiller said:

                                      @coliver said:

                                      Are there in-line virus scanners? Something you route traffic through and it does the work? I've never seen one outside of a UTM.

                                      Pretty much all UTM makers make UTM for starter businesses and dedicated scanning for serious ones 🙂 Even Netgear makes UTM only for tiny companies and STM for larger ones.

                                      Ah, ok. It looks like Netgear is getting out of that industry but cool nonetheless.

                                        scottalanmiller @coliver

                                        @coliver said:

                                        Ah, ok. It looks like Netgear is getting out of that industry but cool nonetheless.

                                        Pretty much everyone is. It's kind of a scam business. Now that 20Mb/s and faster connections are standard, the ability to make a good UTM is pretty much unrealistic.

                                          Dashrender @coliver

                                          @coliver said:

                                          @scottalanmiller said:

                                          @coliver said:

                                          I'm not sure about AV protection. You will catch most of that with a Squid Proxy/content filter, not sure how you would go about it without impacting the speed of traffic.

                                          That's why UTMs can't really do it. You need incredible CPU horsepower and enough RAM to never have to go to storage. Generally you need a lot of threads, fast CPU speeds and many GB of RAM. Most UTM are like 1GB, but realistically you need more like 4GB - 8GB.

                                          Are there in-line virus scanners? Something you route traffic through and it does the work? I've never seen one outside of a UTM.

                                          A proxy device would be this, I would assume. You can make it transparent by setting it as the default gateway for your network, and it is set to simply forward on all good things to the real edge device.

                                            coliver @Dashrender

                                            @Dashrender said:

                                            @coliver said:

                                            @scottalanmiller said:

                                            @coliver said:

                                            I'm not sure about AV protection. You will catch most of that with a Squid Proxy/content filter, not sure how you would go about it without impacting the speed of traffic.

                                            That's why UTMs can't really do it. You need incredible CPU horsepower and enough RAM to never have to go to storage. Generally you need a lot of threads, fast CPU speeds and many GB of RAM. Most UTM are like 1GB, but realistically you need more like 4GB - 8GB.

                                            Are there in-line virus scanners? Something you route traffic through and it does the work? I've never seen one outside of a UTM.

                                            A proxy device would be this, I would assume. You can make it transparent by setting it as the default gateway for your network, and it is set to simply forward on all good things to the real edge device.

                                            Right, I just didn't think it could do inline virus scanning. I know it can do URL filtering.
