Opinions on Firewalls

I'm generally not a huge fan of UTM all-in-one solutions.

The majority of vendors that offer these admit that to run at good performance levels you need to disable most of that functionality (check the spec sheet).

IPS will screw you over. Use IDS as a separate solution (either SPAN or passive tap). That way it has no performance impact on the network.

With almost everything using HTTPS these days most web filters are completely ineffective. They also use largely out-of-date malware and AV signatures. You can do SSL Inspection but it requires you to install a fake root CA on each client for a usable Internet experience and introduces a larger security risk than the one you're trying to protect against.

DNS-based filtering is the way to go for most cases. It will catch HTTP and HTTPS without slowing down your network for the things you want to block. If you need strict control then set up a traditional web proxy and configure clients to point to it (avoid transparent).

I like the Cisco ASA because when I want a firewall I just want a firewall.

Juniper SRX has a really great CLI experience if you have to manage a lot of complicated policy but I hear people complain about stability and hardware failure a lot. This would likely be my choice if Cisco is too expensive.

Fortigate has impressive performance at the high end in terms of raw throughput so you see it used for a lot of data center filters and VPN terminators but the CLI is unusable so you pretty much need to be OK with using the GUI to manage it.

Palo Alto is more of an SMB solution in my mind. That may be unfair as I haven't taken a close look in 2+ years.

Check Point is always mentioned but I feel like they haven't innovated or improved much in 20 years. After looking at them a bit more they wouldn't make my short list.

I really can't think of any others that I'd consider.

At the end of the day I really think your best bet is Cisco or Juniper if you avoid UTM. Fortigate or Palo Alto would be OK for SMB without dedicated security engineers on hand.

I still say most of the UTM functionality doesn't have a significant impact on your security posture though. People often think UTM is some silver bullet and neglect the basics.

/r/networking Thread
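The post's point about DNS-based filtering catching both HTTP and HTTPS is easy to see in code: the decision is made on the queried name before any TCP or TLS connection exists, so the scheme never enters into it. The block below is an added illustration, not code from the post or from any named product. The feed contents and domain names are constructed placeholders, and the policy details (suffix matching on label boundaries, an exact-name allowlist that overrides the blocklist, a 0.0.0.0 sinkhole answer) are assumptions chosen to mirror how common DNS filters behave.

```python
"""Minimal DNS-based filtering policy (added example, not from the /r/networking post).

The filtering resolver decides on the queried name alone, so a blocked domain is
blocked for http://, https:// and anything else that starts with a DNS lookup.
Feed data and domains below are constructed for illustration only.
"""
from urllib.parse import urlsplit

# Constructed blocklist feed mixing the two common formats: bare domain lines
# and hosts-file style "0.0.0.0 domain" lines, with comments and blank lines.
BLOCKLIST_FEED = """\
# example feed (constructed)
ads.example
0.0.0.0 tracker.example
0.0.0.0 malware-cdn.example   # trailing comment
Phishing.Example.
"""

# Exact-name allowlist that overrides the blocklist (assumed policy: e.g. a
# vendor subdomain you still need even though its parent zone is blocked).
ALLOWLIST = {"status.ads.example"}

# Assumed sinkhole answer returned for blocked names.
SINKHOLE = "0.0.0.0"


def normalize(name: str) -> str:
    """Lowercase and strip the trailing dot so 'Foo.Example.' and 'foo.example' match."""
    return name.strip().lower().rstrip(".")


def parse_feed(text: str) -> set[str]:
    """Parse a blocklist feed (bare domains or hosts-file lines) into normalized domains."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split()
        # hosts-file format is "<ip> <domain>"; anything else is a bare domain
        if len(parts) >= 2 and parts[0] in ("0.0.0.0", "127.0.0.1"):
            domain = parts[1]
        else:
            domain = parts[0]
        domains.add(normalize(domain))
    return domains


BLOCKED = parse_feed(BLOCKLIST_FEED)


def is_blocked(qname: str) -> bool:
    """Suffix-match on label boundaries: 'ads.example' blocks 'www.ads.example'
    but not 'myads.example'. An exact allowlist hit wins over the blocklist."""
    name = normalize(qname)
    if name in ALLOWLIST:
        return False
    labels = name.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in BLOCKED:
            return True
    return False


def answer(qname: str, real_ip: str) -> str:
    """What the filtering resolver hands back: the sinkhole for blocked names,
    otherwise the real upstream answer (passed in here since this runs offline)."""
    return SINKHOLE if is_blocked(qname) else real_ip


def policy_for_url(url: str) -> str:
    """Decision for a URL: only the hostname is consulted, so http:// and https://
    to the same host get the same verdict without any TLS inspection."""
    host = urlsplit(url).hostname or ""
    return "block" if is_blocked(host) else "allow"


if __name__ == "__main__":
    for q in ("www.ads.example", "myads.example", "status.ads.example", "tracker.example"):
        print(f"{q:24} -> {answer(q, '192.0.2.10')}")
    for u in ("http://tracker.example/pixel.gif", "https://tracker.example/pixel.gif"):
        print(f"{u:40} -> {policy_for_url(u)}")
```

Note that the same name policy applies regardless of whether the client would have spoken HTTP or HTTPS, which is exactly why no fake root CA is needed for this class of blocking; what it cannot do is see or filter the URL path, which is where the post's explicit web proxy comes in.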