Recommendation for firewall solution?

If your company has on-site hypervisors, you could also run this in a VM. @bfo

This is exactly right. In my experience, on modern hardware you can easily run multiple 10Gbps interfaces with software routing/firewalling without a noticeable performance impact. With the new BPF stuff in Linux, or using BPF in BSD as pfSense or OPNsense do, you could probably get even higher performance, depending on your specific hardware and the complexity and number of your filters.

Also, if you are concerned about that, there are new network cards with FPGAs on them that can be programmed through BPF code to handle 100Gbps+ with many complex filters.

In my opinion the industry has been moving away from dedicated router hardware, and general-purpose server hardware has caught up to the point of competing with or beating it, as the manufacturers have followed what their customers want.


Wow guys, I was not expecting so many responses on this topic. Thank you all.

@risk, let me explain my situation a bit more.

There is 1 central office with around 10 users and a server, and 8 remote branches, each with 1 user (a PC; it's a retail store), with WiFi for customers and video surveillance.

The problem is that in some branches people used company time and internet for watching reality TV, Facebook, Instagram, all on company time. So until now it was not regulated at all, and the customer WiFi was on the same network, which for me is a huge problem.

What I have in my area is that vendors usually offer refurbished hardware from Cisco and Barracuda.

Running pfSense or something like that would not be a problem for me (Linux is not that hard if you have time to play with it), but the problem is maintenance, since all locations are around 150-200 miles from the central office, and the road infrastructure is, for lack of a better word, pretty bad. So that would also be a pain in the ass.

I was looking into Ubiquiti for this, since you can manage it all from one place, or something similar.

I could probably do all this with DNS filtering, but I was hoping to also close all the ports that don't need to be open on the network and have a bit more control over what's happening.


Is there currently HW deployed in some form that does the routing/FW? Or are they currently working "offline" from the rest of the company?

(Not only) for pfSense, there is always the option to manage it remotely. Yes, you have to log in to each system and don't have a fancy dashboard for all of them, but other than that there is SSH and a WebGUI available to configure everything (no need for SSH; the WebGUI can handle everything). No need to be on prem.

Regarding WiFi, if you want to change it, yes, I'd go with Ubiquiti too.

As said, pfSense (and some others too) can be run on cheap consumer HW. Old PCs are fine. Just check to make sure they have decent NICs in them. For pfSense there is also a version based on the ESPRESSObin board, to be found here. That would be my preferred solution.

But since you don't seem to need a true FW solution with many features, or MultiWAN or stuff like that, maybe Ubi is the easiest way.

Anybody else with more cheap and easy options for the OP?


pfSense and OPNsense have SSH and web interfaces that can be used for remote management. In my experience, once it is set up the only real maintenance that needs to be done is updates. OPNsense has Sensei, which is a paid service that can do content filtering if you want to pay for that, or you can use something like Pi-hole to do DNS filtering, or the Squid setup available in both pfSense and OPNsense to do some mix of both. You also have the option of using Suricata for similar filtering.

Again, no need to go to the location to manage it; OPNsense has a WireGuard VPN, so you can use that pretty easily to add more security to the remote management.

While these options can be good, I would be careful about hardware that could be EOL, so no support or updates, which could leave significant vulnerabilities open, especially with Cisco's recent track record of constantly needing to patch out hard-coded usernames and passwords with varying levels of access.

I still would throw out MikroTik as a cheap solution. You can get hardware like this:


if you want one device that could do it all, or something like this:

for just routing/firewall.

If you don't need much in the way of filtering, which is what it sounds like, those could be good options to consider. You can also install their software on PC hardware; I have dual-core systems with 2GB RAM handling up to 120Mbps of traffic with IPsec tunnels, IPIP tunnels, routing, and quite a few pretty dynamic firewall rules that include regex content filters, and the CPU and RAM are barely used at all.
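The DNS-filtering route mentioned above is cheap to try because both pfSense and OPNsense ship Unbound as their resolver, and Unbound can refuse to resolve a domain with a `local-zone ... always_nxdomain` entry. The script below is an added example, not code from the thread or from either project: it turns a plain domain list into those statements, lower-cases and de-duplicates the entries, drops entries that a blocked parent domain already covers (a zone on `facebook.com` also answers for `www.facebook.com`), and turns malformed lines into comments so a typo in the list cannot stop the resolver from loading. It assumes you feed the output into the resolver's custom options box or include it from a file, and an Unbound release that supports the `always_nxdomain` zone type.

```shell
#!/bin/sh
# Added example: plain domain blocklist -> Unbound local-zone statements.
# Not from the thread or from pfSense/OPNsense; assumes a recent Unbound.

# Input on stdin: one domain per line, '#' comments and blank lines allowed,
# case-insensitive, trailing dot optional. Output: one local-zone line per
# domain that is not already covered by a blocked parent, invalid entries
# emitted as comments.
gen_unbound_blocklist() {
    tr 'A-Z' 'a-z' \
      | sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/\.$//' \
      | grep -v '^$' \
      | LC_ALL=C sort -u \
      | awk '
          { seen[$0] = 1; list[++n] = $0 }
          END {
              for (i = 1; i <= n; i++) {
                  dom = list[i]
                  if (dom !~ /^([a-z0-9-]+\.)+[a-z0-9-]+$/) {
                      print "# skipped invalid entry: " dom
                      continue
                  }
                  covered = 0; p = dom
                  while (sub(/^[^.]+\./, "", p))    # walk up: www.x.com -> x.com -> com
                      if (p in seen) { covered = 1; break }
                  if (!covered) printf "local-zone: \"%s.\" always_nxdomain\n", dom
              }
          }'
}

# Usage: gen_unbound_blocklist < blocklist.txt > blocklist.conf
```

Remember that this only bites for clients that actually use the firewall's resolver; pair it with a rule that blocks outbound port 53 (and DoT/DoH endpoints, if you care) from the work VLAN, otherwise a device with a hard-coded public resolver walks straight past it.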

I just don't have that level of faith in the software. I'm not saying you're wrong, I just have so much trouble believing this given the shambolic level of quality in software and the bazillions of flaws in all the commodity chips from Intel, etc.

Wasn't there, like, a serious elevation flaw in Linux that was only fixed in 2012, in all versions, despite it being one of the oldest OSes anywhere?

It's not that I don't believe you, I CAN believe you, but it takes borderline magical thinking for me to get there, lol.

For WAPs, I would recommend the MikroTik cAP or cAP lite.
I used two of the latter, managed by a MikroTik router, at a LAN party. It was pretty painless to set up.

MikroTik can do it alright, e.g. a single cAP ac or hAP ac² per site (or similar) doing L2TP to the central office and providing a POS terminal VLAN and random WiFi for employees' phones and guests and stuff.

In the central office you'd just need to terminate these L2TP tunnels.

RouterOS is a heavily skinned Linux, the same way Samsung phones use heavily skinned Android; a lot of the iptables stuff leaks through, but you get a clicky UI to set things up. They're configurable using SSH, and you can dump the current config using /export in the form of the statements you'd need to issue on the command line to reconfigure the device. Check these into a git repo and you're done. If/when devices die, ship tested spares from the central office (they're $70 per device). You can just buy a pair of these for your lab or to use as spares to ship out to sites that need them.

Branches wouldn't need to move all traffic through the central office, just work stuff that would end up there anyway, and DNS and such. Random "Wikipedia" or whatever browsing, or Spotify, or YouTube, or whatever else can probably go online just fine directly. If you'll have tens of thousands of IPs in a blocked set or some such thing, you might have issues with a $70 device.

You can't stop a single person at work pulling out their phone during business hours and watching porn if they're so inclined; you just need to discourage it, and protect the work equipment like POS terminals/cameras from malware and breakage. If you give those individuals an unfiltered guest network they can't use for work stuff, they'll keep their personal devices off of the high-value work network, and keep work devices protected on the work network.

For the central office, use pfSense (perhaps a pair of them for redundancy; it's 10-20 people after all). Your use case is pretty much a perfect fit in terms of size/effort, assuming they have a permanent IT admin position. You can get their (Netgate) hardware so that you don't have to bother expensing the business for individual Newegg components or deal with potential "my RAM is flaky, how do I RMA it" issues.

Now, MikroTik WiFi sucks compared to Ubiquiti; it's just slow and not as reliable. You'll likely have Ubiquiti APs in the central office. So... probably you'll want to deploy the same thing remotely as well, in which case you're looking at an EdgeRouter X + some UniFi AP on each site. The same topology applies, i.e. low-bandwidth L2TP to the central office for DNS and work stuff.

The central office is easier; pfSense is probably a perfect fit in terms of effort/finances/capabilities. The same deal/logic applies with segregation of camera VLAN/server VLAN/work VLAN/guest VLAN. Ironically, Facebook and other social media are useful tools for getting to know your customers better, but it's still easier to air-gap such behavior onto the guest VLAN if you consider it a risk (have a pair of Chromebooks on a guest network floating around the central office if you have a need to check your customers' history). It's not worth managing the whole machinery of intercepting TLS just so you could police 10-20 people who usually just want to do their jobs and will probably police each other as well.

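The "/export into a git repo, ship a spare when a box dies" workflow from the post above works best when the snapshots are taken automatically and the diffs only show real changes. The script below is an added example, not anything posted in the thread or shipped by MikroTik: it pulls `/export` from each branch router over SSH, strips the header comment RouterOS prints with the export date and version (otherwise every snapshot differs and `git diff` is useless), and commits the result. The site hostnames, the repo path and the exact form of that header line are assumptions; check the first line of an export from your own firmware and adjust the `sed` pattern if it differs.

```shell
#!/bin/sh
# Added example: version branch RouterOS configs in git.
# Not from the thread or from MikroTik. Assumes: SSH key already installed for
# the admin user on each router, sites reachable over the VPN by the names
# below, git available locally.

SITES="${SITES:-branch01 branch02}"          # hypothetical hostnames, adjust
REPO="${REPO:-./router-configs}"
EXPORT_CMD="${EXPORT_CMD:-/export}"          # RouterOS 6: use "/export hide-sensitive"

# RouterOS starts an export with a comment such as
#   "# jan/02/2020 10:00:00 by RouterOS 6.46"   (v6)
#   "# 2023-05-01 09:00:00 by RouterOS 7.9"     (v7)
# Drop that line so an unchanged config produces an empty diff. (Assumed header
# format; other leading comments such as "# software id" are stable and kept.)
normalize_export() {
    sed -e '/^# .* by RouterOS /d'
}

fetch_export() {
    ssh -o BatchMode=yes -o ConnectTimeout=10 "admin@$1" "$EXPORT_CMD" | normalize_export
}

# Write one site's config into the repo; keep the previous copy if the pull fails.
backup_site() {
    site="$1"
    out="$REPO/$site.rsc"
    if fetch_export "$site" > "$out.tmp" && [ -s "$out.tmp" ]; then
        mv "$out.tmp" "$out"
    else
        rm -f "$out.tmp"
        echo "failed to export $site, keeping last good copy" >&2
        return 1
    fi
}

main() {
    mkdir -p "$REPO"
    [ -d "$REPO/.git" ] || git init -q "$REPO"
    rc=0
    for s in $SITES; do backup_site "$s" || rc=1; done
    ( cd "$REPO" && git add -A && git commit -q -m "config snapshot $(date -u +%FT%TZ)" ) \
        || echo "no config changes"
    return "$rc"
}

# Run from cron as "backup-routeros.sh run"; sourcing the file only defines the functions.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Two caveats a practitioner will want: an export can contain PSKs, VPN secrets and SNMP communities, so either hide them (RouterOS 6 needs `/export hide-sensitive`; RouterOS 7 hides them unless you ask for `show-sensitive`) or treat the repo as secret material; and restoring a spare from an `.rsc` is an `/import` of that file, so test that round trip once on the lab pair before you rely on it in the field.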

So I have decided that the USG is not worth it.
For now I'm considering MikroTik, or
a Netgate SG-1100 for the branches and an SG-3100 for the central office. pfSense looks like it could do fine with what I need, and I can add additional DNS filtering to it quite easily.

Any other solution just gets way too expensive with licences etc.


That is definitely something to worry about, but that is no worse and actually seems a lot better than this:
https://www.cvedetails.com/vulnerability-list/vendor_id-16/product_id-19/Cisco-IOS.html

Oh yeah, you're right... Do you think these IOS flaws are embedded in the hardware though?

I’ve never looked into it…

Not that I know of, but many Cisco routers and firewalls use Intel CPUs, so the same vulnerabilities as in a pure software solution would apply. The bigger worry is how many of the Cisco vulnerabilities are stupid things like hard-coded usernames and passwords, or auth bypass just by going to a specific URL. At least with open source software like pfSense and OPNsense, many people can and have looked at it to make sure things like that don't exist there. Not that there are no other vulnerabilities.

Blah, c'mon Cisco... These are, like, "the original gangsters"... and should know better. lol

I like the idea of using a device with an ASIC because, knowing how proud companies are of their ASIC designs, I have more faith that issues will be in the software alone.

This is just a view I have, not based on any empirical study or professional publications.

I think this will be fine. Just a tip to spare you headaches: test your scenario with VMs first if you go with pfSense, just to simulate the power (or lack thereof) of the appliances and see if it fits your needs. Saves money and/or returns.

I would also point out that the hardware and software vulnerabilities you mention mostly require access to the system, or at least ports open on the internet, which are very easily mitigated. Also, pfSense and OPNsense are based on FreeBSD, not Linux, and MikroTik RouterOS is highly customized Linux.

Just a general note that studies performed on software security have shown that overall, popular open source projects tend to have better security than closed source projects.

I have spoken with many people who have the same view, but the reality is that companies like Cloudflare, Google, Facebook and more have moved away from a lot of the older, more well-known solutions for good reasons. Some of those being that they are not dynamic enough for their environments, some being that these devices are not any better or more secure than the solutions they moved to. Cloudflare, I know, is mostly Linux and software based. Google uses custom hardware, but it is still a primarily software-based solution, probably general-purpose processors supported by FPGAs that they can re-program when things change. Facebook, I am not sure what they use. I think even Microsoft for Azure moved to a Linux-based solution for their network stack, probably similar to Google, with custom hardware running Linux with software and FPGAs doing most of the heavy lifting.

The overall point is that there is nothing wrong with pure software solutions; they have been proven out in many cases for networking for many years. The preference for hardware solutions probably dates from the early to mid 90s, when they were generally required to get the security and stability needed for the networks at the time, but that has changed.

I would also point out that home routers/firewalls/access points are all software, as are the lower-end Cisco and Juniper small business solutions; they sometimes have ASICs helping with things like IPsec acceleration and some amount of packet-processing offload, which is no different from what you can get on a good network card, but for the most part they are ARM or low-end Intel CPUs, usually 5+ years old, running software.

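"Ports open on the internet are very easily mitigated" is true, but it is also the thing that silently regresses: a WebGUI or WinBox listener bound to the WAN side after a rule change is exactly how the hard-coded-credential and auth-bypass bugs discussed above become remotely reachable. The script below is an added example, not from any poster in the thread: it scans each branch's WAN address from a host outside the company network and reports every open port that is not on a short allow list, so a branch can be checked after every config change without driving out. The WireGuard port on 51820/udp as the only intended exposure, the WAN addresses, and the tab-separated layout of nmap's grepable output that the parser assumes are all assumptions; the sample line in the test is constructed.

```shell
#!/bin/sh
# Added example: external exposure check for branch firewalls.
# Not from the thread. Assumes nmap on a host outside the company network,
# that you are authorised to scan the addresses you pass in, and that the
# management VPN (hypothetically WireGuard, 51820/udp) is the only intended
# exposure.

ALLOWED="${ALLOWED:-51820/udp}"   # intended exposures as "port/proto", space separated

# Read nmap grepable output (-oG) on stdin; print "host port/proto" for every
# port reported open that is not on the allow list; exit 1 if any were found.
# Assumed -oG layout: tab-separated sections "Host: ip (name)", "Ports: ...",
# "Ignored State: ...", with ports separated by ", " and each port written as
# port/state/proto/owner/service/rpc/version.
check_exposure() {
    awk -v allowed="$1" '
        BEGIN { FS = "\t"; n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /Ports:/ {
            split($1, h, " "); host = h[2]
            p = $2; sub(/^Ports: /, "", p)
            m = split(p, ports, ", ")
            for (i = 1; i <= m; i++) {
                split(ports[i], f, "/")        # f[1]=port f[2]=state f[3]=proto
                if (f[2] == "open" && !((f[1] "/" f[3]) in ok)) {
                    print host, f[1] "/" f[3]
                    bad = 1
                }
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Scan one WAN address for the management ports commonly left open on these
# platforms (SSH, HTTP/S, WinBox 8291, RouterOS API 8728/8729) plus the VPN port.
# -sS/-sU need root; widen the port list to 1-65535 for a periodic full check.
scan_site() {
    nmap -Pn -sS -sU -p 'T:22,80,443,8291,8728,8729,U:51820' -oG - "$1" \
        | check_exposure "$ALLOWED"
}

# Usage: check-exposure.sh scan 203.0.113.10 203.0.113.20 ...
if [ "${1:-}" = "scan" ]; then
    shift
    rc=0
    for ip in "$@"; do scan_site "$ip" || rc=1; done
    exit "$rc"
fi
```

UDP ports that do not answer show up as `open|filtered` and are deliberately not flagged, because nearly every unused UDP port looks like that from outside; the point of the check is the TCP management listeners. Run it from cron on the scanning host and alert on a non-zero exit, and the "ports open on the internet" assumption stops being something you hope is true.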

Yep, as @disarrayer said, test with VMs, and definitely grab an x86 pfSense box for the central office (not those puny ARM machines).
And definitely try the MikroTik stuff before you commit to it; it's potentially awkward (not sure how comfortable you are with networking fundamentals).

Yes, MikroTik kind of does their own thing. It works quite well but takes a little getting used to, and an understanding of network fundamentals can help with this.

Also of note: I generally prefer OPNsense over pfSense, as they move faster on development and have a much better and more modern interface, but the preference is not very strong, as both get the job done very well.

As a user of both ASA (since 2006) and Palo Alto (since 2017), I'd suggest that for filtering internet sites based on content, etc., you get a Palo.

The ASA's controls for such things are... primitive, to say the least (in comparison).

Also, Cisco's software quality in general has gone into the toilet.

@bfo

The advantage of a Palo over something like, say, pfSense in a corp environment is that you can just subscribe to their classification service(s), and rather than chasing your tail blocking individual domains/IPs/etc., your device will just classify stuff magically and you can do more important stuff than maintaining a blocklist.

e.g. on mine I have "proxies/anonymisers" blocked, and it auto-updates the list from Palo Alto itself, so I've blocked a pretty up-to-date list of them in one self-updating rule.

You can do individual hosts/ports/protocols/etc. as well, but by using classifications your rule set can cover a lot more in a few rules and be far easier to maintain.

They also do anti-malware, etc.

Not cheap (entry price of, say, a $1000-1500 appliance plus $1000-1500/yr support/subscription), but if the company wants something that actually works and will scale, they have offerings from a small 5-10 user office to... ISP scale.

In the scheme of things that may sound like a lot if you've not spent much time around enterprise gear, but it's the cost of, what, 2-3 iPhones, and companies tend to hand those out to execs like candy. It shouldn't be too difficult to present a legitimate cost/benefit case for it (or a similarly priced/featured equivalent device).

Oh, sad to hear that…