
    Firewalls, the good, the bad, and the ugly.

    IT Discussion
    firewall pfsense asa sonicwall palo alto security ubnt ubiquiti
    • bj

      @bigbear, no worries, I understood what you were trying to say. I just wanted to clarify why I was asking. The only firewalls that we've spoken about here that I haven't had experience with are the Ubiquitis, and honestly, I hadn't even heard of them until this conversation. But that's precisely why I wanted to have this conversation. I wanted to hear what I didn't know, and I did.

      In regards to PAs, there were a few features I really liked when I used them. 1) The applications. I loved how the PAs could detect if somebody was trying to pass traffic through a port that wasn't what the port was opened for. No, I personally haven't seen that stop any huge threats, but it at least closed a theoretical gap in firewall logic for me, that I may open up certain ports on the firewalls, but I have no guarantee that what I'm opening them for is what they will be used for. And 2) The stats page is really quite impressive. I love that I can see what traffic is going to China, etc. This type of information, if regularly monitored, could easily help identify traffic that is out of the norm. No, it isn't the only place you could get that type of information, but we didn't have anything else set up for that, so for us it was. And 3) The config audit is very nice. I love being able to look back in the config to find who changed a certain setting and when. It's always been a pet peeve of mine when I know I didn't change something on the firewall, and I don't know who to ask about it. And sometimes, everyone denies it anyway. It's great to be able to pin down a change to a person and a time. It really makes the firewall audits required by PCI a lot easier too. If nothing has changed, you can prove it, and you don't have to look through every single setting, just in case. Or if only one setting was changed, you can see that, and then you are done. It made auditing easy.

      I don't know how the Ubiquitis do on those features, but I know the SWs certainly don't do well on those features. My last job had the duty of auditing firewalls, and I had to audit both PAs and SWs... I hated auditing the SWs, but the PAs were really quite easy to audit. 🙂 The SWs didn't even have a human-readable config. I found some tools to make the config quasi-readable... but even then, it was difficult to read at best.

      • scottalanmiller @bj

        @bj said in Firewalls, the good, the bad, and the ugly.:

        I don't know how the Ubiquitis do on those features, but I know the SWs certainly don't do well on those features.

        Ubiquitis are firewalls, not UTMs; they are not supposed to have those features.

        • scottalanmiller @bj

          @bj said in Firewalls, the good, the bad, and the ugly.:

          My last job had the duty of auditing firewalls, and I had to audit both PAs and SWs... I hated auditing the SWs, but the PAs were really quite easy to audit. 🙂 The SWs didn't even have a human-readable config. I found some tools to make the config quasi-readable... but even then, it was difficult to read at best.

          Ubiquiti runs EdgeOS, which was forked from Vyatta, which is the Brocade code base. I've always found the Vyatta family configs (Vyatta, EdgeOS and VyOS) pretty easy to read.

          • JaredBusch @bj (last edited by JaredBusch)

            @bj you need to figure out what you want. You are talking about complete opposite ends of the spectrum (PA and SW UTM) and actually asked about something (firewalls) completely different from what you are talking about.

            You asked for firewall information. You were given some.

            But you are repeatedly ignoring everything said and talking about UTM devices. UTM devices are not firewalls. They are UTM devices. Yes, a UTM device includes a firewall as part of the overall device, but it is only there as part of the UTM. It is not designed to stand on its own as a FW (though it can, of course).

            On top of talking about something other than what you asked about, you are also talking about things on two completely opposite ends of the spectrum. More than one person here has clearly told you that PA devices are awesome, but belong in a very small market.
            What they are nicely saying is that if you have to ask the question, then you don't need the damned thing.

            Now if you really do need a PA, then you should not even be considering a SW. They absolutely cannot come close to the quality and features of a PA.

            Finally, if you want to talk about UTM solutions instead of firewalls, then retitle your post or make a new one.

            • bj

              Thanks @JaredBusch for your concern. I think I've got what I came here for. And no, I'm not ignoring you, or anyone else.

              All the best.

              • scottalanmiller @bj

                @bj said in Firewalls, the good, the bad, and the ugly.:

                Thanks @JaredBusch for your concern. I think I've got what I came here for. And no, I'm not ignoring you, or anyone else.

                All the best.

                Summary:

                For Firewalls: Ubiquiti for nearly all use cases.
                For UTMs: Palo Alto for nearly all use cases.

                • bj

                  Agreed. Thanks.

                  • JaredBusch @scottalanmiller

                    @scottalanmiller said in Firewalls, the good, the bad, and the ugly.:

                    @bj said in Firewalls, the good, the bad, and the ugly.:

                    Thanks @JaredBusch for your concern. I think I've got what I came here for. And no, I'm not ignoring you, or anyone else.

                    All the best.

                    Summary:

                    For Firewalls: Ubiquiti for nearly all use cases.
                    For UTMs: Palo Alto for nearly all use cases.

                    Speaking of, the new client I am going to do an analysis for this week has PA gear.

                    • scottalanmiller @JaredBusch

                      @JaredBusch said in Firewalls, the good, the bad, and the ugly.:

                      @scottalanmiller said in Firewalls, the good, the bad, and the ugly.:

                      @bj said in Firewalls, the good, the bad, and the ugly.:

                      Thanks @JaredBusch for your concern. I think I've got what I came here for. And no, I'm not ignoring you, or anyone else.

                      All the best.

                      Summary:

                      For Firewalls: Ubiquiti for nearly all use cases.
                      For UTMs: Palo Alto for nearly all use cases.

                      Speaking of, the new client I am going to do an analysis for this week has PA gear.

                      Nice.

                      • Kelly

                        I'm working on switching away from Cisco ASAs to Juniper SRXs. I was actually surprised by how inexpensive the Junipers were relative to Cisco. JunOS is proprietary, but it is very readable, and they learned a lot from seeing how IOS does things poorly (oh how I love rollback 0). It is based on FreeBSD.

                        • bigbear @Kelly

                          @Kelly said in Firewalls, the good, the bad, and the ugly.:

                          I'm working on switching away from Cisco ASAs to Juniper SRXs. I was actually surprised by how inexpensive the Junipers were relative to Cisco. JunOS is proprietary, but it is very readable, and they learned a lot from seeing how IOS does things poorly (oh how I love rollback 0). It is based on FreeBSD.

                          That would be interesting. It's an actual firewall and not an ISR?

                          • scottalanmiller @bigbear

                            @bigbear said in Firewalls, the good, the bad, and the ugly.:

                            @Kelly said in Firewalls, the good, the bad, and the ugly.:

                            I'm working on switching away from Cisco ASAs to Juniper SRXs. I was actually surprised by how inexpensive the Junipers were relative to Cisco. JunOS is proprietary, but it is very readable, and they learned a lot from seeing how IOS does things poorly (oh how I love rollback 0). It is based on FreeBSD.

                            That would be interesting. It's an actual firewall and not an ISR?

                            Isn't ISR only related to Cisco licensing?

                            • bigbear @scottalanmiller

                              @scottalanmiller In my world, ISR would bring Adtran to mind. Also 3Com/US Robotics before HP bought them up.

                              I think Cisco was about a decade late to abusing that terminology, because what they call an Integrated Services Router really isn't anything an ISP would be interested in using as a CPE.

                              • Kelly @bigbear

                                @bigbear said in Firewalls, the good, the bad, and the ugly.:

                                @scottalanmiller In my world, ISR would bring Adtran to mind. Also 3Com/US Robotics before HP bought them up.

                                I think Cisco was about a decade late to abusing that terminology, because what they call an Integrated Services Router really isn't anything an ISP would be interested in using as a CPE.

                                By your definition, I think it would be an ISR.

                                • bigbear @Kelly

                                  @Kelly I think of an ISR as something the ISP provides as part of the service.

                                  I found one of the units you were describing on Amazon for $383; most seem to be closer to $1,000.

                                  It's interesting that Juniper has any interest at all in that market. It looks like something an IT guy would buy versus a CPE.

                                  • stacksofplates @JaredBusch

                                    @JaredBusch said in Firewalls, the good, the bad, and the ugly.:

                                    Specific customization can only be done by creating a special text file and putting it in a specific location.

                                    There's your shot to start with Ansible 😁

                                    • matteo nunziati

                                      We had NethSecurity in our company and then we switched to WatchGuard. WatchGuard is way more expensive than what you can expect from such a thing (just discovered later).

                                      NethSecurity. Unfortunately our NS reseller policy was: we own the firewall/UTM password, not you. When I was hired we had an internal briefing and the company chose to "fire" the NS supplier.

                                      New supplier, new distribution channel, new UTM. WatchGuard setup is quite convoluted: you have to jump among a number of GUIs to set something up properly. Also, layer filtering is not really well separated, at least to me: you have a chaos of layer 3+ setup.

                                      • brandon220

                                        I run an ERL at home and I recommend them for other SMB/home use too. They just work, work well, and are very affordable.

                                        • Kelly @bigbear

                                          @bigbear said in Firewalls, the good, the bad, and the ugly.:

                                          @Kelly I think of an ISR as something the ISP provides as part of the service.

                                          I found one of the units you were describing on Amazon for $383; most seem to be closer to $1,000.

                                          It's interesting that Juniper has any interest at all in that market. It looks like something an IT guy would buy versus a CPE.

                                          I understand you now. Comcast did install a Juniper router for their gear when they brought in fiber. That said, I do (mostly) like these. They need some work on their documentation, but the CLI is a dream compared to IOS.

                                          • PenguinWrangler @Obsolesce

                                            @Tim_G Give me a SonicWall device and I will take it to my gun range for target practice. That's all they are good for, ESPECIALLY after Dell bought them. SonicWall is awful. Nothing but issues.
