UniFi Home Lab vs Campus

scottalanmiller

@markferron said in UniFi Home Lab vs Campus:

Meraki isn't business grade, it's a joke. But the cost is nearly that of real security gear, like the Palo Alto. If Meraki is "good enough", you don't need Meraki at all.

You know, after thinking about this, I'm starting to think that Palo Alto might even be overkill for what we need.

LOL, um, yeah. Unless you are a financial institution, military, etc. you don't need Palo Alto. No one in the education, non-profit, SMB, or normal business spaces needs it. It's the most extreme high end.

scottalanmiller

@markferron said in UniFi Home Lab vs Campus:

Although you could easily make the argument that someone could just buy a VPN for less then a Netflix subscription so it almost makes filtering pointless.

Pretty much any good VPN is free. You "never" pay for a VPN, that should be a huge red flag. I don't know of any acceptable VPN that isn't free. OpenVPN, IPSec, Ubiquiti style, ZeroTier... all free.

dafyre

I do think that on a college campus, at minimum, Layer 7 (Application) filtering is necessary to keep students from using all the bandwidth for torrents instead of legitimate educational things... Like Netflix, Youtube, and Online Gaming.

DustinB3403

@dafyre said in UniFi Home Lab vs Campus:

I do think that on a college campus, at minimum, Layer 7 (Application) filtering is necessary to keep students from using all the bandwidth for torrents instead of legitimate educational things... Like Netflix, Youtube, and Online Gaming.

In SUNY schools in NY they legally weren't (may still be in effect) allowed to limit what the students use the internet for. Being paid for by tax dollars and all. . .

Markferron

In SUNY schools in NY they legally weren't (may still be in effect) allowed to limit what the students use the internet for. Being paid for by tax dollars and all. . .

Tiny, private school

scottalanmiller

@dustinb3403 said in UniFi Home Lab vs Campus:

@dafyre said in UniFi Home Lab vs Campus:

I do think that on a college campus, at minimum, Layer 7 (Application) filtering is necessary to keep students from using all the bandwidth for torrents instead of legitimate educational things... Like Netflix, Youtube, and Online Gaming.

In SUNY schools in NY they legally weren't (may still be in effect) allowed to limit what the students use the internet for. Being paid for by tax dollars and all. . .

Good point. Net neutrality and all that.

scottalanmiller

@markferron said in UniFi Home Lab vs Campus:

In SUNY schools in NY they legally weren't (may still be in effect) allowed to limit what the students use the internet for. Being paid for by tax dollars and all. . .

Tiny, private school

Doesn't mean that they shouldn't be "as good or better" than public schools.

coliver

We have a SentinelIPS in place. It's a blackbox that just "works"...

dafyre

We have filtering here, but it's pretty much wide open except for a few specific things.

We do have some mighty loose traffic shaping happening here at my current job.

coliver

@dustinb3403 said in UniFi Home Lab vs Campus:

@dafyre said in UniFi Home Lab vs Campus:

I do think that on a college campus, at minimum, Layer 7 (Application) filtering is necessary to keep students from using all the bandwidth for torrents instead of legitimate educational things... Like Netflix, Youtube, and Online Gaming.

In SUNY schools in NY they legally weren't (may still be in effect) allowed to limit what the students use the internet for. Being paid for by tax dollars and all. . .

That is... for the most part correct. We don't really do any filtering outside of known malicious sites.

DustinB3403

@scottalanmiller said in UniFi Home Lab vs Campus:

@dustinb3403 said in UniFi Home Lab vs Campus:

@dafyre said in UniFi Home Lab vs Campus:

I do think that on a college campus, at minimum, Layer 7 (Application) filtering is necessary to keep students from using all the bandwidth for torrents instead of legitimate educational things... Like Netflix, Youtube, and Online Gaming.

In SUNY schools in NY they legally weren't (may still be in effect) allowed to limit what the students use the internet for. Being paid for by tax dollars and all. . .

Good point. Net neutrality and all that.

Yea at the time I didn't think anything about it, this was ~2005 so it very well could've been. . . I think it was more tied to state law about the use of taxpayer money for college and some odd set of rules.

DustinB3403

@coliver said in UniFi Home Lab vs Campus:

@dustinb3403 said in UniFi Home Lab vs Campus:

@dafyre said in UniFi Home Lab vs Campus:

I do think that on a college campus, at minimum, Layer 7 (Application) filtering is necessary to keep students from using all the bandwidth for torrents instead of legitimate educational things... Like Netflix, Youtube, and Online Gaming.

In SUNY schools in NY they legally weren't (may still be in effect) allowed to limit what the students use the internet for. Being paid for by tax dollars and all. . .

That is... for the most part correct. We don't really do any filtering outside of known malicious sites.

Legal use simply put, wasn't blocked. Malicious content (virus etc) was of course.

scottalanmiller

@dustinb3403 said in UniFi Home Lab vs Campus:

@coliver said in UniFi Home Lab vs Campus:

@dustinb3403 said in UniFi Home Lab vs Campus:

@dafyre said in UniFi Home Lab vs Campus:

I do think that on a college campus, at minimum, Layer 7 (Application) filtering is necessary to keep students from using all the bandwidth for torrents instead of legitimate educational things... Like Netflix, Youtube, and Online Gaming.

In SUNY schools in NY they legally weren't (may still be in effect) allowed to limit what the students use the internet for. Being paid for by tax dollars and all. . .

That is... for the most part correct. We don't really do any filtering outside of known malicious sites.

Legal use simply put, wasn't blocked. Malicious content (virus etc) was of course.

Right, there is a simply line there.

DustinB3403

The big reason I remember this as "being the way things were" was a buddy who lived at the on-campus SUNY dorms got a letter asking his flat to stop downloading so much and some laws about it. Simply asked that "they" reduce their usage, but that they couldn't actually do anything legally to stop him.

That is until his dorm-mate started torrenting movies. . .

Then they stepped in.

dafyre

@dustinb3403 said in UniFi Home Lab vs Campus:

The big reason I remember this as "being the way things were" was a buddy who lived at the on-campus SUNY dorms got a letter asking his flat to stop downloading so much and some laws about it. Simply asked that "they" reduce their usage, but that they couldn't actually do anything legally to stop him.

That is until his dorm-mate started torrenting movies. . .

Then they stepped in.

Yepp. We get 3 or 4 notices a week with DCMAs and threats of legal actions if we don't stop the devices from downloading illegal movies.... Networking guys step in and educate user before allowing their devices back online.

StorageNinja

@markferron said in UniFi Home Lab vs Campus:

@dustinb3403 Awesome, thank you very much. Our current security gateway, Meraki MX400, was going to be changed out but the costs of license renewal is far cheaper than purchasing the Palo Alto I was looking at , bummer.

You looked at running PA in a VM? It's a lot cheaper.

scottalanmiller

@storageninja said in UniFi Home Lab vs Campus:

@markferron said in UniFi Home Lab vs Campus:

@dustinb3403 Awesome, thank you very much. Our current security gateway, Meraki MX400, was going to be changed out but the costs of license renewal is far cheaper than purchasing the Palo Alto I was looking at , bummer.

You looked at running PA in a VM? It's a lot cheaper.

Also a much better design! Enterprise security, rather than UTM.

Markferron

You looked at running PA in a VM? It's a lot cheaper.

No I haven't! But I will now. Thanks.

scottalanmiller

@markferron said in UniFi Home Lab vs Campus:

You looked at running PA in a VM? It's a lot cheaper.

No I haven't! But I will now. Thanks.

This is essentially what @JaredBusch and I are always recommending. Sure, we might be a little more cautious about whether you need all this layer 7 stuff or not, is it really necessary. But neither of us is saying that it's a bad idea, the thing that we keep harping on as a ridiculous near-"scam" level problem is the UTM model of shoving all these services into the firewall where they do not belong because it is a risk and expensive and violates very basic best practices that have been around for forever. It's the Windows SBS model taken to networking.

dafyre

@scottalanmiller said in UniFi Home Lab vs Campus:

@markferron said in UniFi Home Lab vs Campus:

You looked at running PA in a VM? It's a lot cheaper.

No I haven't! But I will now. Thanks.

This is essentially what @JaredBusch and I are always recommending. Sure, we might be a little more cautious about whether you need all this layer 7 stuff or not, is it really necessary. But neither of us is saying that it's a bad idea, the thing that we keep harping on as a ridiculous near-"scam" level problem is the UTM model of shoving all these services into the firewall where they do not belong because it is a risk and expensive and violates very basic best practices that have been around for forever. It's the Windows SBS model taken to networking.

Would it be worth taking a look at running a UBNT Router and a separate device for Application Filtering?