Untangle (SD-wan) vs pfSense vs else for Secure, Distributed Startup?

Hi LTS Forums,

This is my first post. I’m very thankful to Tom for all the YT videos which help us IT newbies tremendously. I am no IT professional but I have been using computers all my life (I’m 29).

As a small business startup founder, I need to set up an IT infrastructure that is scalable, secure, and ideally open source/not unnecessarily proprietary. I want to comply with CMMS security guidelines for the DoD because we are not yet sure what kind of subcontracting we will be doing. As far as I can tell they are mostly standard, straightforward security precautions but I will post back if anyone is interested to know specifics. If necessary, we will segment the network and only permit in-office personnel to access networks and certain server storage.

For the router, I got a Protectli switch and am debating between pfSense and Untangle.pfSense’s relatively outdated interface, menu complexity, and subpar reporting turns me towards Untangle somewhat. If we were to go the Untangle route, is SD-Wan necessary for full security and monitoring/reporting of remote workers? I am confused as to if/why that would be necessary to buy, and what the pfSense alternative would be for strong remote working access controls and monitoring.

Alternatively, when/at what scale might things like RouterOS, Tomato, or Zabbix network monitoring be recommended.

Any advice is much appreciated!

SD-WAN is a loaded marketing term, with many people using it to mean different things. The main two are:

  1. Automatically choosing between multiple WAN interfaces based on which one has lower packet loss and jitter (important for VOIP and video calls) and/or more advanced assignment of data across multiple WANs. The point of this is to allow a business to use commodity internet connections, instead of more expensive connections with SLAs.
  2. Managing site to site connectivity between branch locations, including over multiple internet connections. The point of this is to not require MPLS, dark fiber, Metro-Ethernet, or other expensive methods of connecting branches together.

You’ll notice that neither of these has anything to do with security. SD-WAN is all about reducing cost by using regular internet connections instead of more expensive guaranteed ones.

PFSense is solid and reliable, and noone would scoff at its basic security. Whether it is right for you largely depends on whether there are reports you are required to run that it can’t provide, or if you are required to run IPS (this is a requirement for example if you process credit cards internally, but I have no idea about the government requirements you mentioned).

I am confused about the separation between the main Untangle firewall operating system, and their SD-WAN operating system. The SD-WAN one definitely has features specific to that use case which aren’t present in the main Untangle system. But all of the NGFW/UTM features of Untangle are missing in their SD-WAN OS.

RouterOS is not going to fulfill your requirements, it doesn’t go beyond regular firewall inspection. It is really designed for no-nonsense routing at low cost.

Tomato is only worthwhile as an upgrade for a SOHO router, and is not intended for your use case. Same goes for OpenWRT/LEDE.

Zabbix can be used for monitoring anything.

Thank you for your reply, brwainer!

Reporting wise, I am concerned that Monitoring the activities of remote workers may be limited by pfSense. For example if I want to easily check that nobody is downloading our files which they shouldn’t be downloading but they Should have access to on a limited basis, wouldn’t the reporting from Untangle show network traffic and file/folder access easier? I believe your point about NGFX/UTM is a good one and it must be present on the standard license at the “admin router”. Because it copies an “admin router configuration” for lack of precise terms, to each remote SD-WAN router, so the features will be present there. I greatly appreciate you explaining to me that SD-Wan, among other things, is not necessary for this implementations’ security and VPN stuff. Speaking of VPNs, do those make SSH SOCKS unnecessary?
I noticed that NordVPN is the only one which has gotten around the new VPN standard’s privacy problems, and am glad it integrates well with Untangle and I assume it would as well with pfSense.

I guess I can hunker down and (re)watch Tom’s videos on the pfSense, Surricata, and Zabbix and see which of those will be needed for required monitoring. But, I would not want to learn those unless there is some general sense that pfSense’s 1. Menu UX and 2. Detailed Reporting are being improved with respect to where it was in the past. Is this open source project making headway in these regards?

As far as I know even Untangle wouldn’t give you reports about specific file access. Some firewalls have builtin detection for things like credit card numbers and social security numbers being sent unencrypted, but I’ve never heard of one that can decrypt file protocols like SMB, SFTP, and NFS. That type of reporting should come from your file server applications.

There are two general ways to handle internet security for distributed networks, and then the hybrid of the two. The first is to have full firewall features and inspection present at each location (each branch office, and every remote employee). The second is to use some sort of encrypted tunnel to send all traffic from the locations to the main office, where you have a fully featured firewall to inspect everything. The hybrid is to have rules to create a split-tunnel - certain traffic which is considered secure, like connections to Office 365, are treated with only cursory inspection before being sent out the local internet connection, while anything else is sent over the tunnel. This used to just be done by IP range rules, but many “SD-WAN routers” now let you do this by more advanced and auto-updated rules that try to classify certain applications. But no all SD-WAN routers have this, you have to do research to verify.

“VPN” is just a tunneling technology. You can use a VPN to connect to your home or office network from other places, with the choice of whether or not to send all of your non-network-related (general internet) traffic over the VPN or not. Or you can join a service that provides their servers as VPN targets, for the purpose of making your internet traffic appear to come from that server and hiding it until it reaches that server - this is what NordVPN does.

What problem specifically did NordVPN solve? If its what I think you’re referring to, provably having no logs which can be subpoenaed, then PIA has done the same and it has held up in court.

The type of improvements you are looking for require a lot of investment. The companies which are investing in PFSense’s development aren’t using it for their in-depth firewall inspection and reporting, they are using it for the more mundane inside-network routing where you don’t need to have intense scrutiny. Where they need inspection and reporting, they use vendors like Fortinet, Palo Alto, and Sophos.

If it was me, and I needed to pass a DoD security audit, I’d hire someone to handle setting everything up and managing it long term.

#1 I’d hire someone with far more experience/knowledge than I have.

#2 you can pass the hat in a breach because the other management company is going to be on the hook for keeping things secure (for many types of breaches).

Can you do it yourself? Probably, but how much time do you have to study all the subjects, then test it all, and finally implement everything into a cohesive package. If you can get close on your own, and then only meet those levels when the job walks in the door, then that might be a good short term goal.

Also of note, and Tom has said this multiple times in multiple videos and this forum: As more and more traffic is being encrypted, less and less of it is able to be inspected. The firewall is not the best place to do data inspection because you would need to set up a Man In The Middle certificate which the traffic is encrypted to so that the firewall can decrypt everything to inspect it, and then encrypt again to pass back to the workstation. You can set this up on many firewalls, but it may look “fishy” to the clients and other software.

Thank you for your input Greg! I will likely get close on our end and work with a partner to finish full compliance; you actually need one as an auditor and they will usually help with compliance before the audit. Very interesting point about the encryption levels today making inspection so difficult. I’ll take your advice here.

Hi brwainer, this is brilliant, thank you for clearing up that a strong firewall at the main office can fully care for the distributed users’ access when implemented properly. Also thanks for the reminder that file controls will be done on the server for that purpose, not so much in the firewall. It sounds like I can get away with just Untangle without sd-wan and that is what I plan to do at this time.

Just remember if you do decide to use one almighty firewall and have every remote user tunneled in, either via a hardware appliance or software on their individual computers, to account for what happens if the main office goes down for any reason. And that their internet access will be limited by the effects of the tunnel and having to go through the main office.

If I was doing this today, I would use Untangle with the full license at the main office, and Untangle without licenses (free applications only which includes their “Tunnel VPN”) at all of the remote locations, and/or the other VPNs that Untangle supports (WireGaurd, OpenVPN, IPSec) for individual computer remote access.

Thank you! I will check out the free remote Untangle for VPNs, to answer your question it was something about dual NATs for Privacy with Wireguard; I like the idea of wireguard over IPSec/OpenVPN but it has to be private right? https://restoreprivacy.com/vpn/wireguard/

Cheers!

But it doesn’t work on anything using TLS 1.3 (which granted is not in wide spread use but is the way things are going)

We have a system in the UK called Cyber Essentials and Cyber Essentials +. If you want to do any sort of government work you need to have them as a minimum. The Essentials is a self certification and pay a registration fee the + is a bit more in depth but they are both very much entry level but best practice.

CMMS is (as I understand it) a framework for IT audit / compliance so presumably you have to have a “qualified” person check you over before the DoD will take you on but you could be working to the framework anyway.

Just look at the list of “Applications”, the ones marked Free are available without any license fee. https://www.untangle.com/untangle-ng-firewall/applications/ And there is basic visibility and remote access via their Command Center even for unlicensed units.

So you are seriously considering sending all your company’s traffic through a remote VPN provider? Because these privacy concerns don’t take effect when you are just making a connection from a remote office/user to your central office. The issue about WebRTC leaking internal IP addresses for example, is going to impact anyone at the central office regardless. And these double NAT and other solutions are practical from the perspective of an internet-access VPN, but would make accessing a company file server and other things at the central office a real pain to manage. In particular if you did the double NAT setup, your internal file server would see all file accesses as coming from just the single IP for the VPN server (or your router if that runs the VPN server). Yes your file server should use use authentication, but now you can’t prove whether USER1’s account was used from USER1’s computer, or USER2’s, which is important in a breach situation.

Brilliant feedback, thank you brwainer. In that case I will not use a remote VPN provider of NordVPN since it. I wonder if Wireguard, openVPN, or IPSec is best if it is hosted by my own router?
I see webRTC leaks are also mitigated by uBlock origin, can anyone tell me if this is always the case?

I bought the monthly Untangle complete license and I think it works with all 3, but wireGuard is less private for webRTC leak reasons so I’m finding online that openVPN is most secure + private.

OpenVPN and IPSec are equal for privacy and security in my opinion. OpenVPN is easier to deal with because it behaves more like standard client/server software. With IPSec, both ends are basically a server, to put it in normal networking terms. I would start with OpenVPN, and consider WireGuard if OpenVPN turns out to be too slow (but oftentimes with VPNs between sites the slowdown will come from connections between the sites - for example I have a VPN tunnel between a site on Cox Communications and a site on Verizon Fios - the sites are about 10 miles apart, but the traffic between them goes to the DC Metro area in order to change between the companies, and I can never get more than 25Mb/s).

I have not been concerned with WebRTC leaks so have not done any research into it.