sub $500-750 CPE firewall for voip-centric application
Looking around at different SMB firewalls to standardize on so we can start training up our level 2/3 techs instead of dealing with a mess of different vendors at cust premises. I've run into a few firewalls that were not sip or 323 friendly however, wondering what your experiences are. Need something cheap enough (certainly <$1k, <$500-750 better) that we are comfortable telling endpoints to toss current gear/buy additional gear.
Basic firewalling of course is covered, but also need port range forwarding (not available until later ASA versions for eg was an issue), QoS (port/flow based as well as possibly actually talking some real QoS protocols) and VPN capabilities (not sure if many do without #seats licensing schemes which get irritating to clients).
We'd like a bit of diagnostic capability (say tcpdump or the like, via shell preferred) - I realize a PFsense unit would be great, but might not have enough brand name recognition to make the master client happy plopping down as a CPE at end client sites. (I know, "there's only one brand, Cisco." ASA5506x is a bit $$ and licensing acrobatics get irritating for end customers.)
/kc -- Ken Chase - Guelph Canada
What PFSense currently lacks in brand name recognition, they can make up for by the fact that they offer paid support at very affordable levels.
I'd go with https://store.pfsense.org/SG-2440/ ($499 each) and a quote for professional services (https://store.pfsense.org/Professional-Services.aspx) to back that up.
On Thu, May 5, 2016 at 10:53 AM, Ken Chase <math@sizone.org> wrote:
Looking around at different SMB firewalls to standardize on so we can start training up our level 2/3 techs instead of dealing with a mess of different vendors at cust premises.
If you are considering pfSense, I would urge you to look at OPNsense instead. The pfSense code is horrible!
On 5/5/16 11:11 AM, amuse wrote:
What PFSense currently lacks in brand name recognition, they can make up for by the fact that they offer paid support at very affordable levels.
On 6/May/16 02:18, g@1337.io wrote:
If you are considering pfSense, I would urge you to look at OPNsense instead. The pfSense code is horrible!
Can you explain? We've been reasonably happy with it, running it since 2012 on dozens of boxes for our corporate network and as OpenVPN servers. Mark.
+1 to a "Can you substantiate that claim please?" sentiment here. I've used it for years and found it to be reliable, flexible, feature-filled. And having the BSD CLI fully available has been a godsend.
On Fri, May 6, 2016 at 12:01 AM, Mark Tinka <mark.tinka@seacom.mu> wrote:
Can you explain?
We've been reasonably happy with it, running it since 2012 on dozens of boxes for our corporate network and as OpenVPN servers.
amuse wrote:
+1 to a "Can you substantiate that claim please?" sentiment here. I've used it for years and found it to be reliable, flexible, feature-filled. And having the BSD CLI fully available has been a godsend.
The code quality is terrible in a 1990s sort of way. I.e. no separation of code, html, logic, data structure or anything else. Everything is jumbled in together using coding methodologies which don't scale and which make it almost impossible to audit in a meaningful way.
Specific problems:
1. the installation image ships with static dh params files, e.g.
https://github.com/pfsense/pfsense/blob/master/src/etc/dh-parameters.1024
This is a really bad idea and someone should issue a CVE for it. The reasons are clearly explained at:
https://www.schneier.com/blog/archives/2015/05/the_logjam_and_.html
2. http params validation: a cursory glance at the output of "grep -r _GET pfsense/src" shows that the authors did not use any http parameters validation. In addition, the output of $_GET is used unsafely in multiple locations.
3. the output of "grep -wr exec pfsense/src | grep 'rm -rf'" shows what looks like exploitable problems due to poor shell escaping.
This isn't an audit or anything, btw. It's the result of a couple of minutes glancing over the code. I'm sure an audit would produce a lot more.
Nick
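As an added illustration of points 2 and 3 above (this is not pfSense code; the handler, its `id` parameter and the `/var/tmp/work` path are hypothetical), here is the pattern being described beside a form that validates the request value and never hands it to a shell:

```php
<?php
declare(strict_types=1);

// Constructed illustration of the two review findings: request parameters
// used without validation, and unescaped values reaching a shell command.
// Not pfSense code; handler, parameter name and path are hypothetical.

const WORK_BASE = '/var/tmp/work';   // hypothetical directory the handler manages

// The pattern the thread warns about: whatever arrived in the query string is
// concatenated into a shell command. Whitespace, shell metacharacters or "../"
// in 'id' change which arguments are passed or which path is removed.
function build_cleanup_command_unsafe(array $get): string
{
    return 'rm -rf ' . WORK_BASE . '/' . $get['id'];
}

// Hardened form, step 1: allow-list the shape of the value before using it.
// The same check applies whether it came from $_GET, $_POST or a request body.
function validated_work_id(array $get): string
{
    if (!isset($get['id']) || !is_string($get['id'])) {
        throw new InvalidArgumentException('id is required');
    }
    // One path component, known alphabet, bounded length: rejects "..", "/",
    // whitespace and every shell metacharacter in one check.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $get['id'])) {
        throw new InvalidArgumentException('id has an invalid form');
    }
    return $get['id'];
}

// Step 2: if a shell is unavoidable, escapeshellarg() passes the already
// validated value as one literal argument.
function build_cleanup_command_safe(array $get): string
{
    $target = WORK_BASE . '/' . validated_work_id($get);
    return 'rm -rf ' . escapeshellarg($target);
}

// Preferable to either: use PHP's own filesystem API, so there is no command
// line to escape at all. Returns false if the target does not exist or escapes
// the base directory after symlink resolution.
function remove_work_dir(array $get): bool
{
    $base = realpath(WORK_BASE);
    $real = realpath(WORK_BASE . '/' . validated_work_id($get));
    if ($base === false || $real === false || strpos($real, $base . '/') !== 0) {
        return false;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($real, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($it as $entry) {
        // Symlinks are unlinked, never descended into or rmdir'ed.
        if ($entry->isLink() || !$entry->isDir()) {
            unlink($entry->getPathname());
        } else {
            rmdir($entry->getPathname());
        }
    }
    return rmdir($real);
}

// Constructed request values showing each path through the two builders.
$requests = [
    ['id' => 'job42'],        // legitimate
    ['id' => 'job42 other'],  // whitespace: unsafe form yields two rm arguments
    ['id' => '../../etc'],    // traversal: unsafe form leaves the base directory
];
foreach ($requests as $get) {
    echo 'unsafe: ', build_cleanup_command_unsafe($get), PHP_EOL;
    try {
        echo 'safe:   ', build_cleanup_command_safe($get), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'safe:   rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

The `grep` lines in the message above are the quick way to find the unsafe shape; the allow-list plus filesystem-API approach is what a fix for each hit would look like.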
I, too, was not impressed with PFSense’s code. I’ve had to dig into it a couple of times to troubleshoot weird failure modes. I finally gave up. My time is too valuable, and the price of modern firewalls is fair for the value you get in serious regression testing and support.
Also, I would not characterize PFSense as “reliable”. My PFsense boxes still require periodic reboots due to memory leaks, and sometimes just lock up. Yes, that happens with commercial boxen, but those events are far more rare.
-mel
On May 6, 2016, at 9:24 AM, Nick Hilliard <nick@foobar.org> wrote:
The code quality is terrible in a 1990s sort of way. I.e. no separation of code, html, logic, data structure or anything else. Everything is jumbled in together using coding methodologies which don't scale and which make it almost impossible to audit in a meaningful way.
One question I have is: Is there any reason to believe that the source code for Sonicwall, Cisco, etc are any better than the PFSense code? Or are we just able to see the PFSense code and make unfounded assumptions that the commercial code is in better shape?
On Fri, May 6, 2016 at 9:39 AM, Mel Beckman <mel@beckman.org> wrote:
I, too, was not impressed with PFSense’s code. I’ve had to dig into it a couple of times to troubleshoot weird failure modes. I finally gave up. My time is too valuable, and the price of modern firewalls is fair for the value you get in serious regression testing and support.
On 6/May/16 18:59, amuse wrote:
One question I have is: Is there any reason to believe that the source code for Sonicwall, Cisco, etc are any better than the PFSense code? Or are we just able to see the PFSense code and make unfounded assumptions that the commercial code is in better shape?
A fair question. And I suppose one could say that if you are unhappy with the code, make a contribution to make it better. We have run them for years, and while no system is without problems, for the amount of value you receive, I can't really complain. Mark.
amuse wrote:
One question I have is: Is there any reason to believe that the source code for Sonicwall, Cisco, etc are any better than the PFSense code? Or are we just able to see the PFSense code and make unfounded assumptions that the commercial code is in better shape?
Perhaps not. In fact, probably not, judging by the apparent lack of audit processes for say, OpenSSL libraries re-used in commercial products.
It still doesn't detract from the value of what people are aware of, in this case, pfSense code quality. Aris
On 6/May/16 20:05, Aris Lambrianidis wrote:
It still doesn't detract from the value of what people are aware of, in this case, pfSense code quality.
But the beauty is that with pfSense, you can do something about it, as someone knowledgeable in coding. Preferring a closed source option because you can't see how potentially bad their code is is not a necessarily better position to be in. Mark.
The question of code quality is always a difficult one, since in FOSS it’s public and often found lacking, but in private source you may never know. In these cases I rely on the vendor’s public statements about their development processes and certifications (e.g., ICSA). Commercial products often disclose their development processes and even run in-house security threat research groups that publish to the community.
There are also outside certifications. For example, www.icsalabs.com lists certifications by vendor for those that have passed their test regimen, and both Dell SonicWall and Fortinet Fortigate are shown to be current. PFSense isn’t listed, and although it is theoretically vetted by many users, there is no guarantee of recency or thoroughness of the test regimen.
This brings up the question of whether PFSense can meet regulatory requirements such as PCI, HIPAA, GLBA and SOX. While these regulatory organizations don’t require specific overall firewall certifications, they do require various specific standards, such as encryption strength, logging, VPN timeouts, etc. I don’t know if PFsense meets these requirements, as they don’t say so on their site. Companies like Dell publish white papers on their compliance with each regulatory organization.
-mel
On May 6, 2016, at 11:05 AM, Aris Lambrianidis <effulgence@gmail.com> wrote:
Perhaps not. In fact, probably not, judging by the apparent lack of audit processes for say, OpenSSL libraries re-used in commercial products.
I've been told by various PCI auditors that a noncommercial/FOSS firewall could pass as long as you have implemented the necessary controls such as encryption/logging/management and passing actual testing. -- Keith Stokes
On May 6, 2016, at 1:31 PM, Mel Beckman <mel@beckman.org> wrote:
The question of code quality is always a difficult one, since in FOSS it’s public and often found lacking, but in private source you may never know. In these cases I rely on the vendor’s public statements about their development processes and certifications (e.g., ICSA). Commercial products often disclose their development processes and even run in-house security threat research groups that publish to the community.
Don't forget ponying up the fees and charges for paying the auditors - which is why most OSS projects don't end up going through them.
On Fri, May 6, 2016 at 11:41 AM, Keith Stokes <keiths@neilltech.com> wrote:
I've been told by various PCI auditors that a noncommercial/FOSS firewall could pass as long as you have implemented the necessary controls such as encryption/logging/management and passing actual testing.
PCI certification at the business level isn’t about whether your firewall vendor has gone through an audit and paid someone. You can build your own firewall if you wish and it must meet all of the necessary requirements. So will a commercial firewall, because it’s certainly possible to configure anyone’s firewall in an insecure manner.
In fact, my name brand expensive firewall automatically fails the regular security scans because it answers ISAKMP. When asked, and it took a while to get the truth, the answer was “We automatically flag because ISAKMP can be configured insecurely, so we automatically flag.” Showing my config wasn’t insecure got me a green light.
-- Keith Stokes
On May 6, 2016, at 1:45 PM, amuse <nanog-amuse@foofus.com> wrote:
Don't forget ponying up the fees and charges for paying the auditors - which is why most OSS projects don't end up going through them.
Mel Beckman wrote:
The question of code quality is always a difficult one, since in FOSS it’s public and often found lacking, but in private source you may never know. In these cases I rely on the vendor’s public statements about their development processes and certifications (e.g., ICSA). Commercial products often disclose their development processes and even run in-house security threat research groups that publish to the community.
There are also outside certifications. For example, www.icsalabs.com lists certifications by vendor for those that have passed their test regimen, and both Dell SonicWall and Fortinet Fortigate are shown to be current. PFSense isn’t listed, and although it is theoretically vetted by many users, there is no guarantee of recency or thoroughness of the test regimen.
This brings up the question of whether PFSense can meet regulatory requirements such as PCI, HIPAA, GLBA and SOX. While these regulatory organizations don’t require specific overall firewall certifications, they do require various specific standards, such as encryption strength, logging, VPN timeouts, etc. I don’t know if PFsense meets these requirements, as they don’t say so on their site. Companies like Dell publish white papers on their compliance with each regulatory organization.
It seems those certifications are not offering the assurance at least *some* people would expect from them, unless of course we're talking about feeding the paper pushing beast. This is a mere observation on my part, principally I'm not against them, but I seriously doubt bad coding practices happen only on non certified/audited code, so I find the question of value difficult to answer in a satisfactory manner.
Random germane example: http://opensslrampage.org/post/83555615721/the-future-or-lack-thereof-of-lib... Aris
But bug reports and response can be measured, at least by those with support contracts for the commercial products. I found PFSense less reliable by a quite large margin than commercial offerings. Plus when I have a problem, I can open a case and somebody else is working on it (because I paid them to), and they usually solve the problem without a lot more involvement on my part.
I tried PFSense Premium Support once when it first launched, and they simply didn’t have their act together. Also, the cheapest PFSense support contract cost nearly as much as an entire commercial firewall including hardware and a year support! Maybe they’ve improved. I don’t have time to research it though, as the commercial products are quite reasonably priced and generally superior in features.
I’ve also looked at the PFSense appliances for sale, and they are not remarkable (either in price or features). I think what store.pfsense.org demonstrates is that the commercial offerings are justified in what they charge, since it’s about equal to what PFSense hardware costs.
Then there is the available skills problem. It’s much easier to find a Cisco, Dell, Juniper, or whatever-conversant tech than it is to find someone facile in PFSense. It’s a valiant effort, but to me the value differential just isn’t making sense for PFSense.
-mel
On May 6, 2016, at 11:50 AM, Aris Lambrianidis <effulgence@gmail.com> wrote:
It seems those certifications are not offering the assurance at least *some* people would expect from them, unless of course we're talking about feeding the paper pushing beast. This is a mere observation on my part, principally I'm not against them, but I seriously doubt bad coding practices happen only on non certified/audited code, so I find the question of value difficult to answer in a satisfactory manner.
Mel Beckman wrote:
But bug reports and response can be measured, at least by those with support contracts for the commercial products. I found PFSense less reliable by a quite large margin than commercial offerings. Plus when I have a problem, I can open a case and somebody else is working on it (because I paid them to), and they usually solve the problem without a lot more involvement on my part.
Valid points, my intention was to share my thoughts on certification and audit processes in general, and I guess in the process derail the thread a bit.
Back to pfSense, arguably the point you raise is even stronger than the "bad coding practices" one. I might even say I personally don't care much about coding practices as I care about support services being prompt and effective. The latter *may* actually lead to good coding practices, but not the other way around. Aris
I've been very happy with the 2.3 release. Modularizing everything and the new bootstrap GUI is very nice. Updated BSD code base is a godsend.
On May 6, 2016 2:36 PM, "Aris Lambrianidis" <effulgence@gmail.com> wrote:
Valid points, my intention was to share my thoughts on certification and audit processes in general, and I guess in the process derail the thread a bit.
On 6/May/16 21:40, Josh Reynolds wrote:
I've been very happy with the 2.3 release. Modularizing everything and the new bootstrap GUI is very nice. Updated BSD code base is a godsend.
I was just about to ask the experienced coders whether the new GUI in 2.3 fixes a lot of problems of the past... And yes, 2.3 is running FreeBSD 10.3. Mark.
Fri, May 06, 2016 at 09:51:15PM +0200, Mark Tinka wrote:
I was just about to ask the experienced coders whether the new GUI in 2.3 fixes a lot of problems of the past...
And yes, 2.3 is running FreeBSD 10.3.
Just use FreeBSD without pfSense stuff -- it is easier ;))
Modulo the absence of the network-based installation for FreeBSD via PXE [1] out of the box (well, it is doable, but I'd prefer to have an easier way and Linuxen have that), so large-scale stuff is a bit tough. Was discussed several times in FBSD lists, big players have their own homegrown stuff from the early days of the universe, others are either not doing that or relying on the existing recipes. And there are not sufficient others of the big $SCALE :(
<ohh-well mode> [1] Something I'm trying to find the time for the past 5-6 years, should finally do that. </ohh-well mode>
-- Eygene Ryabinkin, National Research Centre "Kurchatov Institute"
Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live.
+1 for mikrotik, been solid cpe for ages. I know a lot of msps using fortigates also.
On May 8, 2016 11:43 AM, "Eygene Ryabinkin" <rea+nanog@grid.kiae.ru> wrote:
Just use FreeBSD without pfSense stuff -- it is easier ;)) Modulo the absence of the network-based installation for FreeBSD via PXE [1] out of the box (well, it is doable, but I'd prefer to have an easier way and Linuxen have that), so large-scale stuff is a bit tough. Was discussed several times in FBSD lists, big players have their own homegrown stuff from the early days of the universe, others are either not doing that or relying on the existing recipes. And there are not sufficient others of the big $SCALE :(
We deploy SonicWALL TZ300 or SOHO using Dell's Security as a Service. That way our monthly cost per customer is under $50 and includes all security services plus GMS centralized management. Works great with our VOIP service.
Regards, Ray Orsini – CEO Orsini IT, LLC – Technology Consultants
P: 305.967.6756 x1009 E: ray@orsiniit.com TF: 844.OIT.VOIP 7900 NW 155th Street, Suite 103, Miami Lakes, FL 33016 http://www.orsiniit.com
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Ken Chase Sent: Thursday, May 5, 2016 1:54 PM To: nanog@nanog.org Subject: sub $500-750 CPE firewall for voip-centric application
We use Calix gigacenter 844E. It will do everything you listed (and a whole lot more) except the VPN part. -Sean On Thursday, May 5, 2016, Ken Chase <math@sizone.org> wrote:
We have a lot of luck for smaller VOIP customers having all of their services run through a FortiGate 60D, or higher models. 60D is our go-to solution for small enterprise. However, if we are the network carrier for a particular customer and they have a voip deployment of more than about 15 phones, then we deploy a dedicated voice edge gateway, which is more about voice support and handset management than anything. You do need to disable a couple of things on the FortiGate such as SIP Session Helper and ALG. We never have voice termination, origination or call quality issues because of the firewall. FortiGate has a lot of advanced features as well as fine tuning and adjustment capabilities for the network engineering type and is still easy enough for our entry level techs to support. Most of our customers have heavy VPN requirements and FortiGates have great IPsec performance. We leverage a lot of the network security features and have built a successful managed firewall service with good monitoring and analytics using a third-party monitoring platform and Fortinet's FortiAnalyzer platform.
Worth looking at, if you haven't already. If you want to private message me, happy to give more info.
Sincerely, Nick Ellermann - CTO & VP Cloud Services BroadAspect
E: nellermann@broadaspect.com P: 703-297-4639 F: 703-996-4443
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
I install and support Cisco ASA, Dell SonicWall, Fortigate, and PaloAlto firewalls. The best SMB devices are definitely SonicWall and Fortigate. SonicWalls are easier to configure, but have fewer features. Fortigate has many knobs and dials and a very powerful virtual router facility that can do amazing things. The two vendors have equivalent support in my opinion, although Fortigate tends to be more personal (Dell is big and you get random techs). Cisco ASA is overpriced and under-featured. Cisco-only shops like them, but mostly I think because they’re Cisco-only. PaloAlto is expensive for what you get. Functionally they are on the same level as Fortigate, with a slightly more elegant GUI. But Fortigate can be configured via a USB cable, which is a huge advantage in the field. Legacy RS-232 serial ports are error-prone and slow. -mel
You're exactly right, Mel. Dell has really turned the Sonicwall platform around in the past few years. We dropped it a year or two before Dell took them over. Back then Sonicwall was full of issues and lacked important features that our enterprise customers required. If you have budget, Palo Alto is something to look at as well, but don't overlook Sonicwall and FortiGate.
Sincerely, Nick Ellermann - CTO & VP Cloud Services BroadAspect
E: nellermann@broadaspect.com P: 703-297-4639 F: 703-996-4443
-----Original Message----- From: Mel Beckman [mailto:mel@beckman.org] Sent: Thursday, May 05, 2016 2:49 PM To: Nick Ellermann <nellermann@broadaspect.com> Cc: Ken Chase <math@sizone.org>; nanog@nanog.org Subject: Re: sub $500-750 CPE firewall for voip-centric application
I'm a huge fan of Juniper's SRX line. I use all the features you point out at home on my SRX210, although that product is end-of-life. A refurbished SRX220 lists on Amazon for about $375, and a new one for $700. Naturally support is extra, but I'm not sure how much.
I haven't used it myself but I have seen the packet capture in action. It'll save any traffic you want right out to a pcap file too. I also like "show security flow session" - shows you the source, destination, ports, how long a session has been going, and number of packets and number of bytes transferred.
Matt Freitag Network Engineer I Information Technology Michigan Technological University (906) 487-3696 http://www.mtu.edu/ http://www.it.mtu.edu/
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Nick Ellermann Sent: Thursday, May 5, 2016 2:51 PM To: Mel Beckman <mel@beckman.org> Cc: nanog@nanog.org Subject: RE: sub $500-750 CPE firewall for voip-centric application
I should mention that both SonicWall and Fortigate have superb packet capture engines. Not only can you do capture view and first-level decode right in the web GUI, you can save captures in PCAP format or pipe the capture stream to an available Ethernet port. Both have extensive filtering for both capture and viewing within capture, and decent-sized capture buffers. -mel
Both the Juniper SRX, and the Mikrotik will work. The problem isn't firewalling, it's NAT. NAT is evil. Perhaps having enough IP Addresses would be a better solution? https://www.youtube.com/watch?v=v26BAlfWBm8 On Thu, May 5, 2016 at 3:09 PM, Matt Freitag <mlfreita@mtu.edu> wrote:
The SIP ALG in the Juniper SRXs is definitely one of the best I've come across. I defaulted to turning it off based on my previous experiences with SIP ALGs and NAT; however, it became apparent that it actually worked really well and I ended up defaulting it to on. - Tim
On 6 May 2016, at 3:37 AM, Andrew Kirch <trelane@trelane.net> wrote:
Both the Juniper SRX, and the Mikrotik will work.
The problem isn't firewalling, it's NAT. NAT is evil.
Perhaps having enough IP Addresses would be a better solution? https://www.youtube.com/watch?v=v26BAlfWBm8
On Thu, May 5, 2016 at 3:09 PM, Matt Freitag <mlfreita@mtu.edu> wrote:
I'm a huge fan of Juniper's SRX line. I use all the features you point out at home on my SRX210, although that product is end-of-life. A refurbished SRX220 lists on Amazon for about $375, and a new one for $700. Naturally support is extra, but I'm not sure how much.
I haven't used it myself but I have seen the packet capture in action. It'll save any traffic you want right out to a pcap file too. I also like "show security flow session" - shows you the source, destination, ports, how long a session has been going, and number of packets and number of bytes transferred.
Matt Freitag Network Engineer I Information Technology Michigan Technological University (906) 487-3696 http://www.mtu.edu/ http://www.it.mtu.edu/
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Nick Ellermann Sent: Thursday, May 5, 2016 2:51 PM To: Mel Beckman <mel@beckman.org> Cc: nanog@nanog.org Subject: RE: sub $500-750 CPE firewall for voip-centric application
You're exactly right, Mel. Dell has really turned the Sonicwall platform around in the past few years. We dropped it a year or two before Dell took them over. Back then Sonicwall was full of issues and lacked important features that our enterprise customers required. If you have budget, Palo Alto is something to look at as well, but don't overlook Sonicwall and FortiGate.
Sincerely, Nick Ellermann - CTO & VP Cloud Services BroadAspect
E: nellermann@broadaspect.com P: 703-297-4639 F: 703-996-4443
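The thread keeps coming back to the same point: SIP breaks behind NAT because the phone writes its own RFC 1918 address into the Via, Contact and SDP lines, and a SIP ALG (or session helper) is the box rewriting those lines on the way out. The following is an added illustration of that mechanism, written for this page; it is not code from Juniper, Fortinet or any other vendor mentioned above. The INVITE, the private address 192.168.1.20, the public address 203.0.113.7 and the NAT-mapped ports are all constructed sample values.

```python
"""Why NAT breaks SIP, and what a SIP ALG has to rewrite.

Added illustration for the NAT / SIP-ALG discussion in the thread; it is not
code from any vendor named there. The INVITE, the RFC 1918 address
192.168.1.20, the public address 203.0.113.7 and the NAT-mapped ports are
all constructed sample values.
"""
import ipaddress
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True for addresses the far end cannot reach across the Internet."""
    try:
        return any(ipaddress.ip_address(ip) in net for net in RFC1918)
    except ValueError:
        return False


def split_message(msg):
    """Split a SIP message into its header lines and its body (SDP)."""
    head, _, body = msg.partition("\r\n\r\n")
    return head.split("\r\n"), body


def join_message(head, body):
    return "\r\n".join(head) + "\r\n\r\n" + body


def embedded_private_addresses(msg):
    """Every (line, address) pair where an RFC 1918 address is carried
    inside the signaling. Seen in a capture on the WAN side of a CPE, these
    are the classic cause of one-way audio: the far end sends media and
    responses to an address it cannot reach."""
    head, body = split_message(msg)
    return [(line, ip)
            for line in head + body.split("\r\n")
            for ip in re.findall(IPV4, line)
            if is_rfc1918(ip)]


def leaks_private_address(msg):
    return bool(embedded_private_addresses(msg))


def content_length_matches(msg):
    """Content-Length must describe the body actually on the wire."""
    head, body = split_message(msg)
    for line in head:
        if line.lower().startswith("content-length:"):
            return int(line.split(":", 1)[1].strip()) == len(body.encode())
    return False


def alg_rewrite(msg, private_ip, public_ip, sig_port, rtp_port):
    """What a NAT-side SIP ALG does to an outbound request: Via and Contact
    get the public address and the NAT-mapped signaling port, the SDP
    origin/connection address becomes the public address, the media port
    becomes the NAT-mapped RTP port, and Content-Length is recomputed
    because the SDP changed length."""
    head, body = split_message(msg)
    sig = f"{public_ip}:{sig_port}"
    new_head = []
    for line in head:
        name = line.split(":", 1)[0].lower()
        if name in ("via", "contact"):
            line = re.sub(re.escape(private_ip) + r"(?::\d+)?", sig, line)
        new_head.append(line)
    new_body = []
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            line = line.replace(private_ip, public_ip)
        elif line.startswith("m=audio "):
            parts = line.split(" ")
            parts[1] = str(rtp_port)
            line = " ".join(parts)
        new_body.append(line)
    body = "\r\n".join(new_body)
    new_head = [f"Content-Length: {len(body.encode())}"
                if l.lower().startswith("content-length:") else l
                for l in new_head]
    return join_message(new_head, body)


# Constructed sample: an INVITE exactly as a phone behind NAT emits it.
SAMPLE_BODY = (
    "v=0\r\n"
    "o=- 0 0 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)
SAMPLE_INVITE = join_message([
    "INVITE sip:2000@pbx.example.net SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds",
    "From: <sip:1000@pbx.example.net>;tag=1928301774",
    "To: <sip:2000@pbx.example.net>",
    "Call-ID: a84b4c76e66710@phone1.lan",
    "CSeq: 314159 INVITE",
    "Contact: <sip:1000@192.168.1.20:5060>",
    "Content-Type: application/sdp",
    f"Content-Length: {len(SAMPLE_BODY.encode())}",
], SAMPLE_BODY)

if __name__ == "__main__":
    print("before ALG:", embedded_private_addresses(SAMPLE_INVITE))
    fixed = alg_rewrite(SAMPLE_INVITE, "192.168.1.20", "203.0.113.7", 61234, 40000)
    print("after ALG:", embedded_private_addresses(fixed))
    print(fixed)
```

The `embedded_private_addresses` check is the useful diagnostic: run it over the SIP packets a `tcpdump` on the WAN interface shows and you know immediately whether the CPE (ALG, session helper, or the phone's own STUN/outbound handling) is doing its job. The `content_length_matches` check catches the other half of the problem, a rewrite that changed the SDP without updating the header, which a strict PBX will reject.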
I'm a fan of the EdgeRouterLite3.
I don't manage many small business networks anymore because we now do only 100% cloud and remote work, but I started deploying them to all my old clients I still have on retainer.
It is a wonderful, solid set-it-and-forget-it device and you can manage it with ssh (it is basically running a fork of Vyatta under the hood on Cavium hardware, which is nice because it does lots of hardware offload like any other enterprise device.)
I won't use pfsense anymore because its project was taken over by a-holes, but that is just my personal experience. - Javier
On Thu, May 5, 2016 at 1:53 PM, Ken Chase <math@sizone.org> wrote:
On May 5, 2016, at 4:52 PM, Javier J <javier@advancedmachines.us> wrote:
I'm a fan of the EdgeRouterLite3
I don't manage many small business networks anymore because we now do only 100% cloud and remote work, but I started deploying them to all my old clients I still have on retainer.
It is a wonderful, solid set-it-and-forget-it device and you can manage it with ssh (it is basically running a fork of Vyatta under the hood on Cavium hardware, which is nice because it does lots of hardware offload like any other enterprise device.)
I’ll +1 the Edgerouter series. They are cheap and hit the right price performance ratio for most homes. You can do site-to-site IPSEC VPN stuff and easily SSH + tcpdump if necessary. If you are looking for more complex blocking rules and services, you need to be looking at something like the Deteque DNS service or the Cisco/OpenDNS services instead to nuke outbound malware connections and such. - Jared
On Thu, May 5, 2016 at 8:27 PM, Jared Mauch <jared@puck.nether.net> wrote:
I’ll +1 the Edgerouter series. They are cheap and hit the right price performance ratio for most homes.
came here to say this, also they do v6, PD and all that jazz.
You can do site-to-site IPSEC VPN stuff and easily SSH + tcpdump if necessary.
If you are looking for more complex blocking rules and services, you need to be looking at something like the Deteque DNS service or the Cisco/OpenDNS services instead to nuke outbound malware connections and such.
also agree whole-heartedly with this sentiment.
Yeah, the EdgeRouter series do not suck. Fast, stable, easy to manage (although the broken tab completion drives me nuts ('sho ip route' should just work, I'm too old to retrain my fingers...)) - other than that they are great... W
On Thu, May 5, 2016 at 8:28 PM Jared Mauch <jared@puck.nether.net> wrote:
On 5/May/16 19:53, Ken Chase wrote:
pfSense. Mark.
participants (21): amuse, Andrew Kirch, Aris Lambrianidis, Christopher Morrow, Eygene Ryabinkin, g@1337.io, Greg Sowell, Jared Mauch, Javier J, Josh Reynolds, Keith Stokes, Ken Chase, Mark Tinka, Matt Freitag, Mel Beckman, Nick Ellermann, Nick Hilliard, Ray Orsini, Sean Heskett, Tim Raphael, Warren Kumari