Your opinions regarding NGFW


#1

Hi there.

So what are your opinions regarding UTM/NGFW? Are they dying as traffic gets more and more encrypted (QUIC)? Also, SSL inspection is finished as many devices do not accept third-party certs (which I agree with, as MITM is a bad idea in my opinion).


#2

Thanks, you opened a nice discussion topic.
In my opinion, technology always becomes a cat and mouse game. Something that prevents something comes up and soon after, they find a way to bypass that. I have tested Untangle, which Tom did a video on by the way, and I like it. Most of the time though I use pfSense. I think the worst experience I had is with SonicWall; I don't recommend you go through the trouble and headache of managing one of those.
The next I have to test is Barracuda Networks, and I have been told they are really, really good.
I'm sure firewall companies are already working on new technologies to get around that, because it's in their business to do so.


#3

Hi, thank you for taking the time to throw in your thoughts. I used Untangle for 2 years; the license just expired and I did not renew it again. The home license was only $50, but I found that many paid features were unused. For example, SSL Inspector has been dead for a long time as Google, Apple and many PC apps have hard-coded certs, so traffic can no longer be inspected and local AV can no longer look into traffic. The only module that worked is the web filter, but it only looks at the SNI cert, so you can't enforce, for example, safe search, and some sites might still pass as SNI was not presented or something. Now, QUIC blocking: the phones really did not like that; everything went laggy, like Google Assistant, and the YouTube app sometimes times out on launch. So if most apps are useless, what's the point of paying the license :). There is a saying: the more you squeeze, the more sand disappears between your fingers.
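Post #3 says the web filter can only go on the SNI in the TLS ClientHello, and that some sites slip through when no SNI is presented. As an added illustration (not code from this thread or from Untangle), this Python builds a constructed minimal ClientHello and pulls the server name out of it the way an SNI-based filter does, with no decryption; a hello that carries no extension (or a QUIC flow, which this TCP/TLS record parser never sees) yields None, which is exactly the gap the post describes.

```python
import struct

SNI_EXT_TYPE = 0x0000  # TLS server_name extension type


def build_client_hello(hostname=None):
    """Build a minimal TLS ClientHello record (constructed sample, not real client output).
    With hostname=None the hello carries no extensions at all, so no SNI is presented."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type=host_name
        ext_data = struct.pack("!H", len(entry)) + entry                # server_name_list
        extensions = struct.pack("!HH", SNI_EXT_TYPE, len(ext_data)) + ext_data
    body = (b"\x03\x03" + bytes(32)                       # client_version + random (zeros)
            + b"\x00"                                     # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"          # one cipher suite
            + b"\x01\x00"                                 # one compression method (null)
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI hostname a filter can read from a ClientHello without decrypting,
    or None when the record is not a ClientHello or carries no server_name extension."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    try:
        pos = 43                                          # record(5)+hs(4)+version(2)+random(32)
        pos += 1 + record[pos]                            # skip session_id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # skip cipher_suites
        pos += 1 + record[pos]                            # skip compression_methods
        if pos + 2 > len(record):
            return None                                   # no extensions block at all
        end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(end, len(record)):
            ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if ext_type == SNI_EXT_TYPE:
                p = pos + 2                               # skip server_name_list length
                if p + 3 <= pos + ext_len and record[p] == 0:
                    n = struct.unpack("!H", record[p + 1:p + 3])[0]
                    return record[p + 3:p + 3 + n].decode("ascii", "replace")
                return None
            pos += ext_len
    except (struct.error, IndexError):
        return None                                       # truncated or malformed record
    return None
```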


#4

I think we will just get better and better at using what little information isn’t encrypted or making inferences from encrypted traffic for filtering purposes. I recently watched a video about a new technology Cisco is working on that would allow deep packet inspection and filtering even for encrypted traffic.

I couldn’t find the detailed video I watched initially, but here’s a Cisco marketing video that covers the concept: Cisco Encrypted Traffic Analytics


#5

Will have a look there, thanks for your info.


#6

Firewalls do more than just protect you from the internet. There’s traffic between segments you want to verify and analyze. You don’t need the full packet to verify a connection over 3389 isn’t typical RDP traffic.

Also, business LANs often issue their own certs, allowing the firewall to decrypt without interrupting the flow.

So as a border / edge device to the internet, it may be more limited given privacy concerns of these tech-giants. But for business use they still have a place.


#7

Barracuda Networks has been trying to get me on board as a reseller and I do look favourably at their offerings. Barracuda is geared toward the MSP & MSSP with managed solutions somewhat similar to Untangle. Good reporting and updates. Worth a look. But my go-to is still pfSense.


#8

Will have a look at Barracuda.
I am thinking of going back to pfSense since my UT license is expired and I am looking at options. I looked at some Edge and USG, but processing power is so weak and HW offload gets disabled if bandwidth management is required. At the moment I am testing a MikroTik; I have set it up and done some firewall rules and QoS configs, as they have hardware that is more powerful than Ubnt, like the CCR1009 for example. But the thing with MikroTik is there are many steps to configure a simple task.


#9

MikroTik does take far more effort. Used one of their network taps, had good results, especially for the price ($35); it was part of a Security Onion setup. The most bang for the buck is pfSense: it just works, easy setup and maintenance, and the pfBlocker and Snort add-ins make it a powerful choice. Good rule of thumb: KISS it. Good luck with your testing.


#10

MikroTik has good prices but I don't trust them. There have been too many CVEs as time passes. Barracuda, on the other hand, is very well made. I think their offices are in California. They also are able to give DEMO solutions (not an appliance, but for sure via VM) so that your customers can test before committing.
If you have never tried Barracuda Networks as an option, try; you won't regret it.
I also have pfSense for my Home Lab and Production Firewall inside the company; however, sometimes the client wishes something else. In those cases my second choice to offer is Barracuda.


#11

Clients do have their preferences, and as long as they meet requirements and are properly configured, no issues. Barracuda Networks has been a solid and reasonably priced solution for the SMB market space; they have expanded their offerings to services and backup. I have zero problem with their products but still have my preferences based on experience. Clients should be offered choice; after all, we are not Microsoft.


#12

"We are NOT Microsoft" AMEN to that! :slight_smile: Have a nice day!


#13

Yes, looked at MikroTik and man, they have exploits lol and bugs. Tried pfSense again, it's great, but in the end I ended up renewing Untangle and will offer a Ubnt router for anyone who wants just routing, but I am still looking at Barracuda also. The thing is, I was so used to getting all the insights and control an NGFW gives you that a plain router felt really frustrating now.