
  1. Post
    #1

    Replacing a Draytek Vigour for Fiber

    Hey Guys,

My work recently got audited and has started looking at replacing their router.

Boss wants dual WAN so we have two internet connections to one router for redundancy's sake. I think this will be when we move into a new building, so a router change is what we're after now.

    What do you recommend? I was looking at https://www.ubnt.com/unifi-routing/usg/ however, it doesn't support multi-endpoint site-to-site vpn for the same subnet, from the UI. It does support it, just have to **** around with JSON file.

Requirements:
- VLAN tagging
- VLAN
- DHCP
- Traffic monitoring
- handle about 80 devices simultaneously using internet
- VPN
- Site-to-site VPN
Any help and recommendations would be great.

  2. Post
    #2
What was the audit regarding? What's your budget like? What's your current throughput? How many VPN users? How many sites? Do you require SFP/SFP+? What's your internal switching like; do you need/support link aggregation (LACP)?

  3. Post
    #3
Was gonna say pick up a 2nd-hand Fortigate or SonicWall off Trade Me, but there doesn't seem to be many. Same questions as Analgia.

  4. Post
    #4
    Redundant... In one box.

    Anyway, you could do worse than an SRX (https://www.trademe.co.nz/computers/...1881983889.htm) but I would keep an eye out for an SRX345, they're quite capable and have a GUI so you don't even need a JNCIE hanging around to configure it. I bought a few recently as branch routers (in packet mode, not as stateful firewalls) and they're great. Dual PSU (might help with the redundancy) and support 8x copper and 8x SFP.

I have recently deployed a couple of Fortigates, in particular the FVM64 (virtual firewall). They can be run in HA on the same (or separate) tin, perform well in an office of 150 people with modest HW requirements and can do a raft of connectivity options, firewalling and VPN stuff. Not sure how much they cost, but they are quite robust, surprisingly so. We run dual 1G links into each one, with site-to-site VPN, IDS/IPS, BGP etc. all on there.

  5. Post
    #5
    Virtual firewall can never compete with the dedicated silicon (ASICs or Caviums). I once compared the (real) performance and it came out about $4 to $1 (you had to spend $4 on generic tin for $1 of specialized tin to get relevant performance). Pricing on the virtuals is not really any cheaper either.

  6. Post
    #6
Depends what kind of performance you need, but yeah, obviously a real ASIC would stop a VM when it comes to raw packet handling. Ours seems to be totally unworried by 15k active sessions and shitloads of SMB traffic, but I admit I don't know the prices; someone else bought them.

    In the 1Gbit/s realm you're fine going virtual.

  7. Post
    #7
Once you start doing more Layer 7 stuff, SSL decrypt, more VPN, it starts to show. You see the same thing when you put ASIC/Cavium-based platforms (Palo, Forti, SonicWall) against generic x86 gear (Cisco, Checkpoint, Sophos). It's pretty much why Checkpoint are romping around saying SSL decrypt is bad, because their boxes cannot handle it.

  8. Post
    #8
Agree, would love to see some real-world numbers too. Undefineed needs to give us more info.

  9. Post
    #9
Our hosting providers won't touch advanced features on their virtualized firewalls because it kills performance (we wanted to do server SSL decrypt/reverse proxy). Before I left my old job I was looking at the metrics on the virtual version of our firewalls: raw packet forwarding performance was insane, but as soon as things got complex it nosedived. We also did a competitive breakdown on brand F virtual and that's where we got the 4:1 numbers.

What I can tell you is a certain company was building a multi-CPU platform: x86, Cavium Octeon/MIPS, and ARM (the new Cavium CPUs are ARM based) all in one box, with slots for various CPU cards for DC deployments. Was pretty awesome looking.

  10. Post
    #10
The virtual stuff is a significant cost saving; for stuff like FortiManager and FortiAnalyzer it's a good option.

  11. Post
    #11
I guess capex vs opex comes into it too. I'm lucky, our security team wanted to wazz their budget on it so I just sat back and let them buy whatever.

  12. Post
    #12
    Analgia wrote:
The virtual stuff is a significant cost saving; for stuff like FortiManager and FortiAnalyzer it's a good option.
Reporting and management are using Linux/x86 code, so yes, virtualization is easy for those for any vendor. But FortiManager and FortiAnalyzer are not the actual firewall device. When you turn on VPNs (particularly non-AES), Layer 7 inspection, and/or SSL decryption, then you start to notice the lack of performance in the virtual versions.

  13. Post
    #13
Ah crap, one of those weeks where the bossman wants results and you forget about a post you made on gp.

We are a basic operation without much VPN/site-to-site requirements.

We host an external application that is available to our clients.

The site-to-site requirement is more for us to maintain the boxes in AWS and have them part of the domain (there is a local DC for them and on-prem is just there for failover if required).

We aren't pumping too much data through the links, maybe around 30-50 go over the week.

We do have DFS-R enabled, which replicates the on-prem file server with an AWS one too for redundancy.

We have two /16 subnets per region. And there are two regions, so a total of 4 tunnels to be up. Two for Syd and two for Sin.

Each tunnel is a static route and no BGP is used.

I'm kinda a n00b at this networking stuff but can learn.

Edit:
We ended up with an ER-4 but now I am experiencing shit internet when I establish VPN connections (whether 1 or 4 tunnels).

I have a feeling it's to do with the fact that the MTU for PPPoE + VLAN adds up to 1500 while VTI interfaces are configured to around 1372. Does this make a difference? We end up with shit HTTPS traffic to the point where it times out, then you refresh the site and it works.
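The symptom in the edit above (HTTPS stalls over the tunnel, a refresh sometimes works) is the classic path-MTU black hole: a host behind the router negotiates an MSS from its own 1500-byte MTU, so full-size TCP segments arrive at a 1372-byte VTI with DF set and cannot be forwarded. The script below is an added example, not code from the thread or from Ubiquiti; it uses standard header sizes and assumed MTU values chosen to match the post, and shows why clamping the TCP MSS on the tunnel interface fixes the stall where relying on ICMP "fragmentation needed" does not.

```python
"""Added example (not from the thread): path-MTU black holes across a VTI
behind a PPPoE uplink, and the MSS clamp that avoids them.

Header sizes are the standard ones; the 1500/1372 MTU values and the
"ICMP never arrives" scenario are assumptions matching the post above.
"""
from typing import Optional

IPV4_HEADER = 20
TCP_HEADER = 20        # no TCP options
PPPOE_OVERHEAD = 8     # 6-byte PPPoE header + 2-byte PPP protocol ID
ETHERNET_MTU = 1500    # IP payload of one untagged Ethernet frame


def pppoe_ip_mtu(ethernet_mtu: int = ETHERNET_MTU) -> int:
    """Largest IP packet that fits in a PPPoE session on this link.

    The 802.1Q tag sits in the Ethernet header; on hardware that accepts
    1504-byte tagged frames it costs no IP MTU, whereas PPPoE always does.
    """
    return ethernet_mtu - PPPOE_OVERHEAD


def mss_for_mtu(mtu: int) -> int:
    """TCP MSS that keeps a full segment inside one packet of this MTU."""
    return mtu - IPV4_HEADER - TCP_HEADER


def negotiated_mss(host_mtu: int, clamp: Optional[int] = None) -> int:
    """MSS a host advertises in its SYN; a router MSS clamp lowers it."""
    mss = mss_for_mtu(host_mtu)
    return mss if clamp is None else min(mss, clamp)


def packet_size(tcp_payload: int) -> int:
    return IPV4_HEADER + TCP_HEADER + tcp_payload


def segment_fate(mss: int, tunnel_mtu: int, df: bool = True,
                 pmtud_icmp_delivered: bool = False) -> str:
    """What happens to one full-MSS segment entering a tunnel of tunnel_mtu.

    Modern hosts set DF, and the ICMP "fragmentation needed" reply is often
    filtered or never generated, so the oversized segment is simply dropped
    and retransmitted at the same size: the connection hangs.
    """
    if packet_size(mss) <= tunnel_mtu:
        return "delivered"
    if not df:
        return "fragmented"          # works, at a cost in CPU and reassembly
    if pmtud_icmp_delivered:
        return "delivered-after-pmtud"
    return "black-holed"


if __name__ == "__main__":
    vti_mtu = 1372
    print("PPPoE IP MTU:", pppoe_ip_mtu())                  # 1492
    print("unclamped MSS:", negotiated_mss(1500),
          "->", segment_fate(negotiated_mss(1500), vti_mtu))  # black-holed
    clamp = mss_for_mtu(vti_mtu)
    print("clamped MSS:", negotiated_mss(1500, clamp),
          "->", segment_fate(negotiated_mss(1500, clamp), vti_mtu))
```

The point of the clamp is that it removes the dependency on PMTUD entirely: once the SYN carries an MSS no larger than `tunnel_mtu - 40`, no segment on that connection can exceed the VTI's MTU, whatever the far side's ICMP handling is. Small TLS handshake packets fit either way, which is why a page can load on refresh and then stall on the first full-size record.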

  14. Post
    #14
How fast is your internet connection? I would be favouring something with full hardware acceleration like a FGT-60E over an EdgeRouter, which only routes quickly.

  15. Post
    #15
Technically speaking (AFAIK) a Fortigate doesn't have full hardware acceleration; they use an x86 core CPU with an ASIC. It offloads hardware acceleration like the ER does, and in some cases will fall back to non-hardware-accelerated processing. See here: https://docs.fortinet.com/d/fortigat...on-60/download

I believe the ERs use the Cavium Nitrox and Octeon processors for acceleration (which aren't bad at all). So acceleration is probably limited by a mixed architecture and the software itself. The Octeon is not an ASIC, but a full MIPS64-based CPU with hardware-accelerated functions.

    Now guess what product uses purely Octeon CPUs for fulltime hardware acceleration

  16. Post
    #16
    Vulcan wrote:
    Technically speaking (AFAIK) a fortigate doesn't have full hardware acceleration
    There's very few scenarios that don't have fast-path on NP6 (feel free to make a list) while there's a lot on Ubiquiti: https://help.ubnt.com/hc/en-us/artic...are-Offloading

    Vulcan wrote:
    Now guess what product uses purely Octeon CPUs for fulltime hardware acceleration
    Guess what vendor makes their own ASICs at a significantly lower price than the competition? Guess which vendor uses parallel path processing for better performance?
    https://www.fortinet.com/products/fo...fortiasic.html

  17. Post
    #17
Depending on what you're using it for it can kick you in the backside. For ISP/Telco stuff not much. But for enterprise stuff there are plenty of challenges, for example for the NPs:

Sessions that require proxy-based security features (for example, virus scanning, IPS, application control and so on) are not fast pathed and must be processed by the CPU.
Sessions that require flow-based security features can be offloaded to NP4 or NP6 network processors if the FortiGate supports NTurbo.

For enterprise features you have to use proxy mode on the Forti. The flow mode functions are severely limited when compared to other firewalls (PAN, Checkpoint, SonicWall etc.).

I found in an enterprise environment (with all the IPS/AV/web filter/app control/SSL decrypt) the SonicWall owned the Fortigate in throughput. In an ISP/telco the Fortigate definitely kicked arse.

Not sure it applies, but I don't like fast-pathing on a layer 7 firewall. Palo Alto have been caught out a few times, as they use a similar feature which, once a flow is identified, stops inspecting it, leading to potential security bypasses. You can turn it off, but then their performance numbers drop against the brochures.

The Forti hardware guide was my go-to document when selling against them. Too bad SonicWall is disappearing in APJ.

  18. Post
    #18
tbh firewalls aren't the place to do AV/IPS/etc. Get a proper appliance (I know NZ is too cheap but I'm talking in an ideal world). "Next gen" firewalls have struggled with these features since day dot (and here we are a decade+ later and we've got the same shitty performance, same shitty effectiveness). I have zero faith in traditional firewall vendors; it's always a laugh to see them at security conferences.

  19. Post
    #19
I disagree; since SonicWall went Cavium Octeon their performance has been good. I do hate how some vendors absolutely lie about their performance numbers though. I've always run them in my home lab, and have always been able to demonstrate solid performance that aligns with the spec sheets. And I still do.

Have you seen the SonicWall Capture ATP stack? It's brilliant...

- SonicWall identifies flows of interest (e.g. HTTP, FTP, SMTP etc.)
- App control identifies files of interest (FOI)
- FOI hits signature-based/cloud signature-based engine -> bad is dropped (process stops), unknown proceeds
- FOI hits ATP cache -> known bad is dropped (process stops), known good is passed (process stops), unknown proceeds
  (milliseconds into process)
- FOI hits AV aggregation engine (similar to VirusTotal, 60+ engines), known bad drops (process stops), unknown proceeds
  (~4 seconds into process)
- FOI hits cloud sandbox engines (3 diverse vendors: SonicWall, VMRay, and Lastline), assessed bad is dropped or reported depending on your setting, otherwise passed. ATP cache updated with verdict. Known bad triggers feed into signature engine (~24 hours to hit engine for signature QC).
  (~4-8 mins into process)

That engine is absolutely awesome imho; they pick up 16,000 new bits of malware per month (not variants on existing signatures, actual new stuff). What I love about it is the way they've included diverse engines and scanners, giving maximum visibility.
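The post above describes a staged verdict cascade: cheap, definitive checks first, each stage stopping the process on a known-bad or known-good result and passing only unknowns on, with the expensive sandbox verdict written back to a cache and queued for signature generation. The following is an added example of that cascade shape, written for this page; it is not SonicWall's code and makes no claim about how Capture ATP is implemented. The signature set, the single "aggregation engine" rule, the sandbox verdicts and the sample files are all constructed for illustration.

```python
"""Added example (not SonicWall's or the poster's code): a staged file-verdict
cascade with short-circuit semantics and sandbox write-back to a cache.

Everything below the header sizes is constructed for illustration: the
signature database, the aggregation "engines", the sandbox oracle and the
sample files.
"""
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Set, Tuple


class Verdict(Enum):
    BAD = "bad"
    GOOD = "good"
    UNKNOWN = "unknown"   # means "proceed to the next, slower stage"


# The EICAR test string is the standard harmless AV test marker.
EICAR_MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


@dataclass
class VerdictPipeline:
    signature_db: Set[str]                                  # local, instant
    engines: List[Callable[[bytes], bool]]                  # "aggregation" stage
    sandbox_oracle: Dict[str, Verdict]                      # constructed stand-in
    atp_cache: Dict[str, Verdict] = field(default_factory=dict)
    pending_signatures: List[str] = field(default_factory=list)

    # Stage 1: local signature engine. Only ever says BAD or UNKNOWN.
    def _signature(self, blob: bytes) -> Verdict:
        return Verdict.BAD if sha256(blob) in self.signature_db else Verdict.UNKNOWN

    # Stage 2: verdict cache. The only early stage that can return GOOD,
    # because GOOD here means a sandbox has already cleared this exact hash.
    def _cache(self, blob: bytes) -> Verdict:
        return self.atp_cache.get(sha256(blob), Verdict.UNKNOWN)

    # Stage 3: multi-engine aggregation. Any engine hit is a known-bad;
    # no hit is still UNKNOWN, never GOOD (absence of signatures proves nothing).
    def _aggregation(self, blob: bytes) -> Verdict:
        return Verdict.BAD if any(e(blob) for e in self.engines) else Verdict.UNKNOWN

    # Stage 4: sandbox. Always produces a definitive verdict, writes it to the
    # cache, and queues known-bad samples for signature generation.
    def _sandbox(self, blob: bytes) -> Verdict:
        h = sha256(blob)
        verdict = self.sandbox_oracle.get(h, Verdict.GOOD)
        self.atp_cache[h] = verdict
        if verdict is Verdict.BAD:
            self.pending_signatures.append(h)
        return verdict

    def scan(self, blob: bytes) -> Tuple[Verdict, str]:
        """Run stages in cost order; stop at the first definitive verdict."""
        stages = [("signature", self._signature), ("cache", self._cache),
                  ("aggregation", self._aggregation), ("sandbox", self._sandbox)]
        for name, stage in stages:
            verdict = stage(blob)
            if verdict is not Verdict.UNKNOWN:
                return verdict, name
        raise AssertionError("sandbox stage must return a definitive verdict")


# Constructed sample files.
KNOWN_BAD = b"MZ\x90\x00 constructed sample already in the local signature db"
EICAR_FILE = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + EICAR_MARKER + b"!$H+H*"
NOVEL_BAD = b"constructed sample that only a sandbox recognises"
NOVEL_GOOD = b"constructed benign sample nobody has seen before"


def build_pipeline() -> VerdictPipeline:
    return VerdictPipeline(
        signature_db={sha256(KNOWN_BAD)},
        engines=[lambda b: EICAR_MARKER in b],
        sandbox_oracle={sha256(NOVEL_BAD): Verdict.BAD},
    )


if __name__ == "__main__":
    p = build_pipeline()
    for sample in (KNOWN_BAD, EICAR_FILE, NOVEL_BAD, NOVEL_BAD, NOVEL_GOOD, NOVEL_GOOD):
        print(sha256(sample)[:12], p.scan(sample))
```

Two properties are worth checking in any real deployment of this pattern: the second scan of `NOVEL_BAD` must be answered by the cache, not by another sandbox round trip, and no stage before the sandbox should ever return GOOD from a non-match, since "no signature matched" is not evidence of safety. Both are asserted in the usage above.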

  20. Post
    #20
Performance is just one problem; effectiveness is the other.

Doesn't matter how brilliantly it's designed if it is ineffective. Sure, that will stop virus.exe/EICAR in an email or whatever, but network AV can never ever come close to what a host-based solution can do (and even those host-based ones are also woefully inadequate).

These days anyone can literally pick up a tool and in 5 minutes create a highly encrypted 0/60+ VirusTotal malware that only detonates on the target host. No external signatures/sandboxing is gonna help there; your only hope is heuristic analysis on the host as the malware actually runs.

  21. Post
    #21
Network AV has many advantages over host-based AV. But I don't advocate for no host-based AV; I like to have both (I run Cylance on all my home PCs). You do realize the cloud sandbox stuff not only runs the sample (a single sandbox may utilize multiple OSs) but will pull it apart? This stuff is heavily tested; Lastline does really well in the NSS Labs breach detection tests and that's just one engine they use (many of the FW/ES/AV vendors use the Lastline engine).

A lot of the vendors also share data. So now with the sandbox engines everywhere (note these are nothing like the stuff thunderstorm goes on about) they are giving AV vendors a good lead on new malware. SonicWall had WannaCry signatures 3 weeks before it hit because their ATP picked up early variants.

So I have performance, I have effectiveness. And I don't have cost blowouts.

FWIW as a comparison I run a TZ-600, with everything on (SSL decrypt, interzone IPS/AV/AT/app control/web filtering, + , SSO hooked into AD, wifi management and VPNs) and I get around 700Mbps throughput (maybe more) of blended throughput.

Also... I understand where you are coming from. One of the biggest problems I had was other vendors' claims; there was one particular vendor (begins with S) whose numbers and claims around their product were absolutely ridiculous, and then all firewall vendors get tarred with the same brush because of them. I also had an issue with people who I worked with who did not understand our strengths or weaknesses, most commonly trying to position us as a DC product.

  22. Post
    #22
I'm sure it would stop most large-scale malware and for that purpose it has a place (but so does Defender).

What I'm talking about is the super targeted stuff that will only decrypt/detonate on a single computer; a sandbox engine can try ripping it apart but it's only going to see gibberish. Though to be fair, if you are being targeted like that there probably isn't any AV that's going to help.

  23. Post
    #23
Well, that is the sort of stuff they test in NSS Labs... so...

And what is the reality of that sort of malware, how does it decide to detonate, and do those factors help identify it? Some malware traps will catch simply based on the obfuscation factors.

Some of the guys that write this stuff are on another level above the malware guys. I used to chat with Aleksandr Dubrovsky every chance I could (look him up). His knowledge of malware was insane; his team had people well into the dark web and many, many interesting malware kit samples.

  24. Post
    #24
Yea, it's a never-ending battle. Having said that, I have not yet found an AV that was impenetrable.

  25. Post
    #25
    sorceror wrote:
tbh firewalls aren't the place to do AV/IPS/etc. Get a proper appliance (I know NZ is too cheap but I'm talking in an ideal world). "Next gen" firewalls have struggled with these features since day dot (and here we are a decade+ later and we've got the same shitty performance, same shitty effectiveness). I have zero faith in traditional firewall vendors; it's always a laugh to see them at security conferences.
Despite what DELL_Vulcan SWL_Vulcan Vulcan thinks, you can get near-Gigabit levels of protection (every feature enabled) from a 200E up.

    sorceror wrote:
    your only hope is heuristic analysis on the host as the malware actually runs.
Check out FortiSandbox (physical/virtual/cloud); anything it catches is then blocked on both the network and endpoints. Ideally you have AV on server + endpoint + network as a minimum, then additional stuff like IPS/WAF/DLP/sandboxing on top.

    Vulcan wrote:
FWIW as a comparison I run a TZ-600, with everything on (SSL decrypt, interzone IPS/AV/AT/app control/web filtering, + , SSO hooked into AD, wifi management and VPNs) and I get around 700Mbps throughput (maybe more) of blended throughput.
    "SSL Decryption Throughput - 200Mbps"