Recommendation for firewall solution?

Hi,

So I have a small problem: I need a good firewall solution for a small business with 9 branch offices around the country.

1 central office with a server, and 8 other offices.

What I need is to block traffic to certain websites like social media, TV sites etc. on the local LAN and on Wi-Fi. I was thinking of DNS filtering, but I need a bit more security for blocking ports etc.

I was thinking about Unifi USG or Fortigate 30E?

Do you have any recommendations for a better solution?

I’ve never used the ones you’ve mentioned, so I can’t vouch for or against them. But, Cisco ASA is, I believe, the gold standard. They aren’t cheap; the ones you’ve mentioned probably aren’t either.

I really like the Cisco I use for testing and home.

You can just use a Linux box running iptables or ferm or similar. No need for fancy hardware. It all basically does the same as long as you “just” wanna block some ports and IP addresses.

After over a year of at least monthly patches for very serious security vulnerabilities, and more keep showing up, I would stay away from Cisco, very far away.

I have been using OPNsense and pfSense for years, and more recent implementations are running pretty large environments quite well. That being said, there are some things like BGP that they do not do well, so if you need things like that I would look elsewhere. Also of note, I have been running RouterOS from Mikrotik for quite a while with a good amount of traffic; it is a bit more complicated than OPNsense, but also works very well and has better support for actual routing protocols. That being said, Mikrotik is not very fast at implementing newer technology and built their own networking stack, so it might take a while to get new tech like WireGuard if that matters at all. Also of note, Mikrotik has some good hardware at very reasonable prices for managed switches and routers if you choose to go that route.

Having used a MikroTik RB3011UiAS-RM for a 100-attendee LAN party, it worked very well for that (handled just under 2TB in ~50 hours).

Could do the blocking via DNS entries or IP-destination rule.

I highly suggest pfSense with some packages like pfBlockerNG.
Why?

  • Unifi USG is highly discouraged even by Ubiquiti enthusiasts (see @lawrencesystems’ YouTube channel for example) due to a lack of features; for example, multiple IPs on the WAN side are a PIA to set up.
  • I use pfSense for personal and professional use and am really satisfied with it (managing 6 installations currently with different settings)
  • Community support and professional support available
  • Can be purchased with dedicated HW, run on a potato, old HW or even virtualized
  • Site-To-Site-VPN is easily set up
  • Many packages available to customize to personal preferences (proxy, HA, SSL Interception [don’t! It works fine… just don’t], Snort/pfblocker-ng and many more)
  • Everything is exposed via web interface or SSH. Also full system access.
  • Runs on FreeBSD
  • Stable AF
  • Did I mention it is free (w/o paid support)?

If you need more info, just summon me or @lawrencesystems (or check out his YouTube for a comparison of firewalls, for example) or the whole of Level1Tech staff :wink:

EDIT: Oh, and Fortinet had way too many security issues for me to trust them (this alone makes me shiver).

+1

But, Cisco ASA is, I believe, the gold standard.

Was the gold standard. They are almost dead at this point, I would expect the end of life for the last few models to come out this year sometime. In any case, they are way too complex for this.

If you really can get away with DNS-based filtering, then a pfSense setup would work just fine. It has a nice GUI for everything and can easily do IPsec tunneling. If you don’t want to do DNS filtering because you’re worried that users will just edit their DNS servers to get around it, you can fix that by NATing all outbound UDP/53 requests to Umbrella (or whatever DNS-based content filtering service you want to use). This makes it so all outbound DNS requests will always be rewritten to the DNS server you want them to go to.

If you want to have true content filtering you’ll need to pull out the big guns. You could do a Cisco Meraki setup or a Palo Alto setup (PA-220s). Meraki is a bit easier to swallow, but Palo Alto is the new standard now for enterprise firewalls (to the point that there were hardcore Cisco only VARs that are now selling Palo Alto).

Just block 53 for local to any except FW. Same for other DNS implementations. No need for “big guns” there…
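The two DNS-forcing approaches from the last two replies (rewrite every outbound port-53 query to the filtering resolver, or block port 53 from the LAN to anywhere but the firewall) written out as one nftables ruleset for a Linux-based firewall. This is an added example, not configuration from any post in this thread; the interface name, LAN subnet, firewall address and the 203.0.113.53 filtering-resolver address are assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example: force LAN clients' DNS through a filtering resolver.
# Assumed placeholder values, not taken from the thread:
define lan_if     = "lan0"
define lan_net    = 192.168.10.0/24
define fw_dns     = 192.168.10.1   # firewall's own resolver, itself forwarding to the filter service
define filter_dns = 203.0.113.53   # placeholder for the external filtering service (Umbrella or similar)

table ip dnsforce {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # Variant 1 (the NAT trick): a DNS query that a client sends to any other
        # server is rewritten so it lands on the firewall's resolver instead.
        iifname $lan_if ip saddr $lan_net ip daddr != $fw_dns udp dport 53 dnat to $fw_dns
        iifname $lan_if ip saddr $lan_net ip daddr != $fw_dns tcp dport 53 dnat to $fw_dns

        # To send queries straight to the external filter instead, replace $fw_dns
        # with $filter_dns in the two rules above; the forward chain below already
        # lets port 53 through to $filter_dns (plus the usual masquerade on WAN).
    }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # Queries that are allowed to leave: only those headed for the filter service.
        iifname $lan_if ip daddr $filter_dns udp dport 53 accept
        iifname $lan_if ip daddr $filter_dns tcp dport 53 accept

        # Variant 2 (block 53 to anything but the firewall): after the rewrite above
        # nothing else should arrive here on port 53, so log and drop whatever does.
        iifname $lan_if udp dport 53 log prefix "dns-bypass " drop
        iifname $lan_if tcp dport 53 log prefix "dns-bypass " drop

        # DNS over TLS to an outside resolver would also skip the filter; treat it the same.
        iifname $lan_if tcp dport 853 log prefix "dot-bypass " drop
    }
}
```

Load it with `nft -f` and watch the `dns-bypass` log prefix to spot clients configured with their own resolver; as noted further down the thread, none of this stops a user editing their own hosts file.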

Can you elaborate on why you think this would be necessary (especially in a smaller environment like the OP describes)? Honestly just curious, because I haven’t found anything that could not be handled with pfSense and the like and its packages (even in really big not-to-be-named companies too). Especially with SSL interception and paid threat/blocklist sources. IF one really needs it. Or thinks they do.

Train your people, people. Don’t spy on them.

Very interesting… Thanks for sharing @xradeon.

I’m curious if you’ve done any comparative analysis between @Bayden’s suggestion of using a Linux box with IPTABLES (which could be great if you’re very familiar with mapping Cisco configs to IPTABLES configs) and any other device with an ASIC.

The only time I tried to do something similar to what @Bayden suggested, by creating a “one to one mapping between Cisco based rules and IPTABLES rules” to protect a host, the list became too long and unmanageable. As a result, I didn’t trust my own setup to recreate the ASA in software. The operating system I was using at the time was a less than ideal version of Linux, so this also led me to distrust the overall configuration.

That’s not to say that someone else who is more experienced with IPTABLES could not have simplified my attempt at this and done this better, effectively replicating the ASA…

There is a key difference between using something like a Cisco device which contains its own ASIC, and which itself is specialized for putting hard enforcement on the protocols it’s configured to manage, and something else like a Linux machine configured with IPTABLES. Linux IPTABLES is a well vetted piece of software that I have confidence in, over all. However, ASICs are great in their own right. I’d like to know what someone else thinks about the differences and benefits to each one.

In full disclosure, I am a bit prejudiced against the Linux option, not because I don’t trust the software, but because there have been too many flaws in underlying hardware that make the software, no matter how good it is, unreliable in my opinion.

Linux is fine; the problem is more the maintenance. I’d never suggest it.

pfSense is an option, but again keep in mind the maintenance considerations. Also keep in mind, if you’re a third party to this company, you can’t sell pfSense specifically as a solution without a license.

At work we use Sophos XG Firewalls with Site-to-Site VPNs enabled for communication between the regions. It has been relatively painless, and the maintenance contract on it saved our ass in one instance when there was a hard drive failure. The Sophos guys replaced the entire unit so we could get up and running again as soon as possible.

I kinda want to deploy some mini PCs with pfSense to act as a failover, though, as an interim for those instances where we do go down and need temporary connectivity until the primary unit is online again.

uhm? checks again, small business with 9 branch offices ???.. I mean I get that it probably actually is a small business since you’re asking a question on behalf of the small business here,… rather than relying on someone qualified you’re employing to do the research and implement a solution. … the 9 branches thing just sounds strange.

How big is each office… do you need guest wifi at each place, is it 50 people is it 2 people and 50 devices … what’s the story?

Technology-wise:

Either pfSense or OpenWrt will do the simple things you need (web UI + DHCP + routing + IP filtering + VPN + DNS caching and filtering using Pi-hole with your own lists, or luci-app-adblock or whichever).

Also, Ubiquiti with a UNMS controller and EdgeRouter gear managing all sites/branches from a single UI, coupled with a Unifi controller doing the same for Wi-Fi on each site/branch, plus one central Pi-hole for DNS filtering (blacklisting/whitelisting), might also work for your use case. It could offer you the same as the solutions above (pfSense/OpenWrt), except centrally managed, and the software/hardware pairing would be supported by a vendor. I think maintenance might be even easier than pfSense/OpenWrt. If your branch offices are really small you could even run them on a $50 EdgeRouter X. It’s generally not a bad setup for the money.

The thing you should avoid with all of these solutions, no matter who advertises them or provides them, is “deep packet inspection” or use cases that mention stuff like IDS. It’s very powerful when done properly; however, pattern matching, decrypting all HTTPS/TLS sessions and decoding all protocols (properly) makes it algorithmically and CPU intensive. Dealing with a simple home-grade connection requires a decent desktop-class CPU, and a decent server-grade machine for 10Gbps. Managing these machines (generally implemented using Suricata) takes lots of effort relative to just blocking and filtering (whitelist/blacklist) DNS using Pi-hole or a similar solution.

Basic IP/port/DNS-based filtering such as you described is generally OK to do with either pfSense/OpenWrt/Ubiquiti. It’s not that CPU intensive; in general, if you have enough “horsepower” to NAT traffic, you can do this kind of filtering.

SonicWall. It’s a business, and you probably don’t have a team of nerds to support homebrew when it breaks.

Things are quite stable in CentOS land.

Sure. Forgetting the hardware maintenance, support contract, OS management updates and upgrades, there’s also the fact that you have to manage the actual iptables firewall. Because no one else is going to do it, if they even know how.

That’s the problem. iptables is fine. I’d never suggest someone use it as their core firewall for their business.

This is why I’m thinking ubiquiti over pfsense or openwrt … you get easy and clicky clicky backups/restores/upgrades/downgrades/provisioning of multiple devices. And controller software is not hard to export and move around… if you really want to.

I think Ubiquiti can host a lot of that for you these days and you don’t even need a local controller.

(I kind of miss 2004 - we didn’t even have OpenWrt, and were cross compiling kernels, uClibc, BusyBox, and ppp trying to fit everything onto an 8MB RAM/2MB flash DSL-300T … how’s that for maintenance)

Just depends on if you don’t want to do DNS based content filtering. You can do Squid and force users to do a proxy, but Squid is garbage. As far as I know there is not a cheap HTTP interception solution out there. There are also other benefits of going to HTTP interception, like matching traffic to users. Also, I’m saying he has to go for the big guns, DNS based filtering is probably good enough, just putting the option out there.

One thing you also have to think about with DNS is that even if you do the NAT trick or block outbound DNS, users can still just modify their own hosts file if they really want to get around it.

I’ve only been on this forum for just a bit and I’m blown away by the constant pushing of just using a Linux box as a router. I’m not saying it doesn’t work, and if you like it that’s amazing; just, as a Network Admin, there would be no way I’d ever use a straight-up Linux box as any kind of router for business use (if you want to play with it at home that’s fine). So for my suggestion I would not do IPTABLES; I would get some kind of actual network solution, either pfSense, Ubiquiti Unifi or EdgeRouter, or some other cheap network solution. They work well, they are maintained, can have support contracts, are easier to use, and can be ingested easily by a new network engineer if need be.

Talking about ASICs, it’s not really how you describe it. ASICs are just chips that have been designed to process packets, that’s it. They don’t enforce policies or anything special; they just process network packets very fast. You can do everything an ASIC can do in software, it’s just slower.

Good enough for the businesses I hang out with. Well, some of them. Banks seem to like it. As well as PFBlockerNG.

If they know their IPs, sure. But that’s the same as not using DNS at all. Good luck with that in a time where not even Google can be reached via the same IP twice in a row sometimes. Also, this is where IP blocking comes in. “My list is bigger than yours” is usually my answer to a user’s question on how I anticipated how they are trying to circumvent my Facebook blocking, for example. AS32934 is my pokemon for that. That said, it is of course also true that there is no such thing as a bulletproof solution…

But I think we either have very different experiences or very different points of view. But I’m curious and would like to understand more. But maybe we should - if we do - do this in a different thread. The points we both made should give the OP some usable pointers.