Ubiquity Security appliance

CCWTech

Is there a such of thing as a Ubiquity Gateway security appliance?

I like the Meraki's but the more I look at Ubiquity the more I like them. Do they offer a security appliance or just routers?

scottalanmiller

@ccwtech said in Ubiquity Security appliance:

Is there a such of thing as a Ubiquity Gateway security appliance?

USG, yes. Someone was posting about it just today.

scottalanmiller

@ccwtech said in Ubiquity Security appliance:

I like the Meraki's but the more I look at Ubiquity the more I like them. Do they offer a security appliance or just routers?

Define security appliance. All routers on the market since the 1990s are firewalls. It's an extremely rare SMB that needs anything more than that. I'd never consider a Meraki today, the quality is below Ubiquiti, the price is higher, the "features" are negatives I don't want in a firewall.

scottalanmiller

The USG does not have any security features of which I am aware that their normal firewall does not have. Most of us stick to the EdgeRouter firewalls. The big difference is USG is managed via UniFi and the EdgeRouters via UNMS. The security appliance is marketed more at smaller companies, the EdgeRouters more at larger firms or those managed by MSPs.

CCWTech

@scottalanmiller Why wouldn't you want content filtering, antivirus at the gateway?

scottalanmiller

@ccwtech said in Ubiquity Security appliance:

@scottalanmiller Why wouldn't you want content filtering, antivirus at the gateway?

Because....

1. It is an inappropriate place to put them. You'd never put all your server workloads on a single VM (like Windows SBS did), in a business, security is just as important as other workloads. So if you need those things, running on your firewall appliance is not a good place for them except for the rarest of cases.
2. AV on the gateway is mostly just a scam. It's a duplicate of AV you already have to have other places. It's not a terrible thing, but it comes at a decent hardware and software cost and unless you are running really serious gear (so nothing like Cisco, Meraki, or SonicWall... but rather like Palo Alto) you are really getting nothing, but paying a lot for it, it's all marketing hype.
3. Content filtering is almost universally bad. When you do want it, you want it light and simple like you get from Strongarm.io, Quad9, or PiHole. Essentially free and definitely not running on the firewall. There are really special times that you need really serious content filtering, when that happens, like with #2, it would not be run on the firewall and would need to be from a serious service. Normally this runs on dedicated servers. It basically is never needed by SMBs and not be normal businesses. It's very special case that you want to filter your Internet.
4. Like everything, it's a cost decision as well. What is the value of these services? If you aren't careful, they actually come out to be a negative (filtering things you need, slowing down the network, creating a false sense of security, making HR pretend that they don't have to do their job, encouraging employees to fool around more, making things less secure rather than more.) For a normal SMB, web filtering has a value approach zero, but a non-zero risk. Edge AV filtering has a value, but a very small one, and a smaller, but also non-zero risk. Given those numbers, and that risk, what's the actual business value of edge security in this manner to an average SMB... $2/mo? $5/mo? I don't know any systems that can do that stuff for anywhere near that price, and those that are only 10,000% that amount often have major performance or stability issues because of it.

scottalanmiller

@ccwtech said in Ubiquity Security appliance:

@scottalanmiller Why wouldn't you want content filtering, antivirus at the gateway?

To make it more of a thought experiment, due to how this is worded, try reversing it. The big assumption is left out of the question (that there is cost) so the original question is loaded... it sounds like you'd always want those things. More secure is better than less secure, right? Sure, all other things being equal. But, they are not.

So ask it the other way. Given the cost, risks, and overhead of content filtering and AV at the gateway, when would you want it?

How the question is asked totally changes how our minds react to it. There are good times for it, but it's in the 1-5% of the time category. Put a real number on it, and compare with alternatives, and present to a business person and see what they thing.

Example:

Meraki MX64 is $600 to purchase and something like another $500 for five years. It's $1100 - $1800 for five years. It's not very fast and often creates network bottlenecks, it's got some stability and support issues.

A Ubiquiti firewall is $95 and a service like Quad9 is free. Your network will be faster, easier to support. You still have AV on each machine, so there is no gap in AV coverage.

Even going with the cheapest price for the Meraki, you are looking at saving $1,000 between the two approaches. $95 vs. $1,100 is an insane difference in pricing - especially when many of us consider the cheaper of the two to be the superior product. And that's before we consider that the Ubiquiti likely has a longer lifespan, and zero costs after the five year point. The Meraki just keeps on costing you.

CCWTech

1. Ok

2. I have always had a different AV on the gateway that I run on the endpoints. Wouldn't that increase the likelihood of blocking a threat?

3. I have had users not be able to get to legitimate sites that were infected due to content filtering. An orthodontics website was infected and my users called to complain they couldn't reach it. I found out it was a legitimate block and saved them from even getting to the infected site. It looks like of those 3, strongarm.io would be a good choice.

4. That's why I am looking for other solutions (not just Meraki)

scottalanmiller

@ccwtech said in Ubiquity Security appliance:

2. I have always had a different AV on the gateway that I run on the endpoints. Wouldn't that increase the likelihood of blocking a threat?

Yes, it does. But it's a point of diminishing returns. AV on the gateway comes at great cost, whereas normal AV is cheap or free. Good, normal AV is blocking essentially all threats. Why, suddenly after decades of no one even considering AV at the gateway, are we now concerned with it when AV is less useful today than ever, and less important. Threats of viruses are pretty minor today, that's not a major attack vector like it was twenty years ago.

It seems like a generally odd place to suddenly spend huge amounts of money to protect against essentially nothing, when so many other, cheaper, more effective things would never get considered.

So the big $1,000 question is... how much dollar value is there in that additional layer of security?

scottalanmiller

@ccwtech said in Ubiquity Security appliance:

3. I have had users not be able to get to legitimate sites that were infected due to content filtering. An orthodontics website was infected and my users called to complain they couldn't reach it. I found out it was a legitimate block and saved them from even getting to the infected site. It looks like of those 3, strongarm.io would be a good choice.

Yes, that kind of protection is valuable (although less valuable than I think people think.) But it is best handled by something like Strongarm, not by a firewall. Firewall is just the wrong place for that kind of protection.

But it is also worth asking: how often does that kind of filtering actually protect us against a real threat? In your example, what if that site had not been blocked? You have two layers of AV products already, plus the protections of the operating system. Do you feel that all three were certainly about to be breached? If so, I think that that points to concerns about other parts of the network rather than showing the value in content filtering.

Content filtering adds more protection, and has value, but I'll enumerate why we don't put it on the firewall in a second. Just important here to note that just because it caught a threat, doesn't mean that the threat was worth catching. That's the same thing that I hear about edge AV often, people feel it is good because it catches things. But it gets to catch things first, so that doesn't really tell us that it caught something that wouldn't have been caught otherwise, just that it didn't let it slip through.

CCWTech

@scottalanmiller said in Ubiquity Security appliance:

@ccwtech said in Ubiquity Security appliance:

2. I have always had a different AV on the gateway that I run on the endpoints. Wouldn't that increase the likelihood of blocking a threat?

Yes, it does. But it's a point of diminishing returns. AV on the gateway comes at great cost, whereas normal AV is cheap or free. Good, normal AV is blocking essentially all threats. Why, suddenly after decades of no one even considering AV at the gateway, are we now concerned with it when AV is less useful today than ever, and less important. Threats of viruses are pretty minor today, that's not a major attack vector like it was twenty years ago.

It seems like a generally odd place to suddenly spend huge amounts of money to protect against essentially nothing, when so many other, cheaper, more effective things would never get considered.

So the big $1,000 question is... how much dollar value is there in that additional layer of security?

Makes sense. Given my size clients and the fact that the Ubiquity security gateway would be in the same controller as the Unifi AC Pro access points, I think I may look more into that.

CCWTech

@scottalanmiller said in Ubiquity Security appliance:

All routers on the market since the 1990s are firewalls. It's an extremely rare SMB that needs anything more than that. I'd never consider a Meraki today, the quality is below Ubiquiti, the price is higher, the "features" are negatives I don't want in a firewall.

Ok, in that case, why not just use the router that the ISP provides (vs. Ubiquity) for a small business?

scottalanmiller

The other point about content filtering is this...

Hosted (DNS) based content filtering is mechanism for protecting against things like site infection. It blocks the fastest, it has the lightest overhead (read: none). It's ideal for protecting against malware, site infection, accidentally going to the wrong site, etc. Hosted protection like Strongarm is for protecting against bad external actors.

Firewall or internally hosted content filtering via proxy is slower to update and is for controlling what sites your users can get to. The value to on premises filtering is that you can make it essentially impossible for your users to get around your security. Hosted DNS security can be bypassed relatively easily by a motivated internal actor. Things like meraki's filtering is really so that HR can exercise control over staff, not protect them. It's generally seen as an HR failing, where HR tries to get technology to do a job that only HR can really do. So proxy side filtering is protecting against a lack of internal control.

scottalanmiller

@ccwtech said in Ubiquity Security appliance:

Ok, in that case, why not just use the router that the ISP provides (vs. Ubiquity) for a small business?

Good question. Several reasons, I think.

1. Trust. I've never met an ISP router I would trust on my network. They are easily compromised and insecure. In many cases, they ship already compromised. I have no way to know if the ISP has installed backdoors and to whom they've granted access. It's not a trustable device, it's a rogue actor.
2. Performance and stability. ISP routers are generally garbage. Literally the cheapest crap they could get their hands on. They are rarely reliable.
3. Monitoring. I've never seen an ISP router with SNMP, but they might offer it. But that's the best you can hope for. How will you integrate it into your network monitoring and management infrastructure?
4. Management. Every router would be different and even a few minutes of lost time from trying to figure each one out would pay for replacing it.
5. Standardization. You know what to patch, where to get patches, how to get patches, that patches will work, and when patches are available for all devices at once, rather than one at a time.
6. Patching. Will an ISP router even get updates?
7. Features. While you don't want a UTM, there are important features that might be needed for a business firewall like VLAN support, QoS, ALGs, advanced firewall configuration, etc. Plus CLI, SSH, console and other access methods unlikely to be available.

black3dynamite

@scottalanmiller said in Ubiquity Security appliance:

@ccwtech said in Ubiquity Security appliance:

Ok, in that case, why not just use the router that the ISP provides (vs. Ubiquity) for a small business?

Good question. Several reasons, I think.

1. Trust. I've never met an ISP router I would trust on my network. They are easily compromised and insecure. In many cases, they ship already compromised. I have no way to know if the ISP has installed backdoors and to whom they've granted access. It's not a trustable device, it's a rogue actor.
2. Performance and stability. ISP routers are generally garbage. Literally the cheapest crap they could get their hands on. They are rarely reliable.
3. Monitoring. I've never seen an ISP router with SNMP, but they might offer it. But that's the best you can hope for. How will you integrate it into your network monitoring and management infrastructure?
4. Management. Every router would be different and even a few minutes of lost time from trying to figure each one out would pay for replacing it.
5. Standardization. You know what to patch, where to get patches, how to get patches, that patches will work, and when patches are available for all devices at once, rather than one at a time.
6. Patching. Will an ISP router even get updates?
7. Features. While you don't want a UTM, there are important features that might be needed for a business firewall like VLAN support, QoS, ALGs, advanced firewall configuration, etc. Plus CLI, SSH, console and other access methods unlikely to be available.

Flexibility. Switching ISPs is more easier.

scottalanmiller

@black3dynamite Excellent point, didn't think about that.

NashBrydges

@scottalanmiller has made it clear throughout Mangolassi that he's not generally a fan of UTMs but I have seen first-hand the benefits UTMs can bring to a small business (emphasis on "small"). I agree with all of his points but since I've been able to setup and manage UTMs that have actually prevented malware infections, even while using some of those DNS services, that tends to win me over pretty quickly.

I'll also agree with @scottalanmiller that it's a cost vs benefit analysis that you'll need to do.

For what it's worth, I tend to look at the type of activities and services running at a client's business and decide whether a UTM makes sense for them or not and go from there. And for performance vs cost, I've favored Sophos UTMs. For straight-up firewall, it's UBNT all the way, every time.

coliver

@nashbrydges said in Ubiquity Security appliance:

@scottalanmiller has made it clear throughout Mangolassi that he's not generally a fan of UTMs but I have seen first-hand the benefits UTMs can bring to a small business (emphasis on "small"). I agree with all of his points but since I've been able to setup and manage UTMs that have actually prevented malware infections, even while using some of those DNS services, that tends to win me over pretty quickly.

I'll also agree with @scottalanmiller that it's a cost vs benefit analysis that you'll need to do.

For what it's worth, I tend to look at the type of activities and services running at a client's business and decide whether a UTM makes sense for them or not and go from there. And for performance vs cost, I've favored Sophos UTMs. For straight-up firewall, it's UBNT all the way, every time.

How do you know the local AV/Anti-malware wouldn't have resolved that issue? That's where I sit, UTMs are interesting and can be handy but are they that much better then just having a properly secured endpoint?

NashBrydges

@coliver said in Ubiquity Security appliance:

@nashbrydges said in Ubiquity Security appliance:

@scottalanmiller has made it clear throughout Mangolassi that he's not generally a fan of UTMs but I have seen first-hand the benefits UTMs can bring to a small business (emphasis on "small"). I agree with all of his points but since I've been able to setup and manage UTMs that have actually prevented malware infections, even while using some of those DNS services, that tends to win me over pretty quickly.

I'll also agree with @scottalanmiller that it's a cost vs benefit analysis that you'll need to do.

For what it's worth, I tend to look at the type of activities and services running at a client's business and decide whether a UTM makes sense for them or not and go from there. And for performance vs cost, I've favored Sophos UTMs. For straight-up firewall, it's UBNT all the way, every time.

How do you know the local AV/Anti-malware wouldn't have resolved that issue? That's where I sit, UTMs are interesting and can be handy but are they that much better then just having a properly secured endpoint?

Local AV is great for scanning files and processes but does nothing to block access to a website. That is the effect I'm referring to. Blocking access to malicious sites. Preventing the downloading of an infected document/file is also a win. There's definite value in stopping the file from reaching the user if it is identified as malicious. Sure it might have been identified by the desktop AV, but if it hadn't, that additional buffer is beneficial.

coliver

@nashbrydges said in Ubiquity Security appliance:

@coliver said in Ubiquity Security appliance:

@nashbrydges said in Ubiquity Security appliance:

@scottalanmiller has made it clear throughout Mangolassi that he's not generally a fan of UTMs but I have seen first-hand the benefits UTMs can bring to a small business (emphasis on "small"). I agree with all of his points but since I've been able to setup and manage UTMs that have actually prevented malware infections, even while using some of those DNS services, that tends to win me over pretty quickly.

I'll also agree with @scottalanmiller that it's a cost vs benefit analysis that you'll need to do.

For what it's worth, I tend to look at the type of activities and services running at a client's business and decide whether a UTM makes sense for them or not and go from there. And for performance vs cost, I've favored Sophos UTMs. For straight-up firewall, it's UBNT all the way, every time.

How do you know the local AV/Anti-malware wouldn't have resolved that issue? That's where I sit, UTMs are interesting and can be handy but are they that much better then just having a properly secured endpoint?

Local AV is great for scanning files and processes but does nothing to block access to a website. That is the effect I'm referring to. Blocking access to malicious sites. Preventing the downloading of an infected document/file is also a win. There's definite value in stopping the file from reaching the user if it is identified as malicious. Sure it might have been identified by the desktop AV, but if it hadn't, that additional buffer is beneficial.

Which could easily be done with things like Strongarm.io or PiHole. Some value in it sure, but does that value outweigh the massive cost of the appliance and support?