RESET Forums (homeservershow.com)
schoondoggy

Firewall/Router for SMB site to site VPN


snapper
On 29/01/2018 at 10:47 PM, schoondoggy said:

 

Ubiquiti Enterprise Gateway Router

https://www.ubnt.com/unifi-routing/usg/

Anyone worked with either/both of these?

Thoughts?

Other recommendations?

 

Unless they already have other UniFi stuff deployed, I wouldn't recommend the USG standalone just for VPN.

That said, if IDS/IPS is useful, Chris Buechler (pfSense co-founder) now works for Ubiquiti and they now have USG beta firmware with IDS/IPS...

 

My choice would be the Ubiquiti Edgerouter 4: https://www.ubnt.com/edgemax/edgerouter-4/

Dunno if they are any good as I'm UK, but Baltic Networks has them listed at $170

 

  • Like 1

itGeeks

The Ubiquiti Edgerouter 4 looks interesting but I have heard from others that the most basic tasks like port forwarding are a bit of a challenge and not straightforward. Over the recent years I have taken the stance that if firmware updates are not automatic and the most basic of setup is not end-user friendly I am not interested.

Edited by itGeeks

snapper
1 hour ago, itGeeks said:

The Ubiquiti Edgerouter 4 looks interesting but I have heard from others that the most basic tasks like port forwarding are a bit of a challenge and not straightforward. Over the recent years I have taken the stance that if firmware updates are not automatic and the most basic of setup is not end-user friendly I am not interested.

 

May have been the case a few years back but port forwarding is a simple GUI web page now.

 

Ref the updates, as this is not for home use, any firmware updates should be done under some form of change control to prevent any downtime to the users, so not having auto update firmware is actually a plus in this situation...

 


  • Like 1

itGeeks

schoon,

You have anything new to share on this project? Was wondering if you decided on a solution?

itGeeks

@snapper,

I guess I agree to disagree and it could be open to debate. If the business has an in-house IT person maybe, but I know from my own experience out of sight, out of mind, and something as critical as your router that is supposed to help protect you should not be forgotten about. The sad truth is they won't get updated. Most routers I dealt with have a "Schedule" for firmware updates so you set it for a time when no one needs the network/internet....

snapper
14 minutes ago, itGeeks said:

@snapper,

I guess I agree to disagree and it could be open to debate. If the business has an in-house IT person maybe, but I know from my own experience out of sight, out of mind, and something as critical as your router that is supposed to help protect you should not be forgotten about. The sad truth is they won't get updated. Most routers I dealt with have a "Schedule" for firmware updates so you set it for a time when no one needs the network/internet....

 

Always up for a debate :)

 

As this is a business, you need to put a business risk lens on it.

 

Having uncontrolled firmware updates could potentially mean unexpected downtime for that company which may mean loss of revenue.

What happens if the firmware is faulty and causes issues to other areas? (e.g. recent Intel microcode updates for Spectre and Meltdown caused unexpected reboots)

The firmware update itself might fail and the first anyone knows about it is when they come into the office and they can't work.

 

I'm all for timely updates, but in a business, they should form part of the IT risk profile that is acceptable for that company.

e.g. if a firmware fix doesn't fix anything but the GUI, should they take it at all? Is the risk of downtime / bricked router worth a GUI fix?

 

At home however, the risk of a firmware issue is much smaller; I have auto-firmware updates enabled where possible as I'm happy to accept the risk of an issue arising...

 

schoondoggy
1 hour ago, itGeeks said:

schoon,

You have anything new to share on this project? Was wondering if you decided on a solution?

Yup.

They decided to do what I recommended they do in the first place. I did not think they would spend this much, so I did not list it as an option in this thread. A local VAR that is focused on SMB customers will be their IT department now. They will be installing a Fortinet Fortigate 60e in each facility with the full UTM bundle and configure the site to site VPN:

https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGate_FortiWiFi_60E_Series.pdf

The VAR will check/update the Fortigates and review threats.

 

Thanks to everyone for the input, I appreciate it. 

 

  • Like 1

itGeeks

Thanks for the update. Then it sounds like it's a win-win for all involved :)

kylejwx

I'm interested if the Fortinet is still working well for this situation. I just searched this forum for Fortinet and found this thread. I'm actually interested in learning more about Fortinet in general. I was at a recent EdTech conference and they were everywhere. Seems like their range of products covers everything in the network, from firewalls to Access Points. They even have a phone system I'm looking into.

schoondoggy
On 11/16/2019 at 10:38 PM, kylejwx said:

I'm interested if the Fortinet is still working well for this situation. I just searched this forum for Fortinet and found this thread. I'm actually interested in learning more about Fortinet in general. I was at a recent EdTech conference and they were everywhere. Seems like their range of products covers everything in the network, from firewalls to Access Points. They even have a phone system I'm looking into.

It seems to be going fine, no issues. VPN works as expected. The VAR that installed it takes care of the technical aspects. The customer complains about the support cost, but they do not have their own IT, so they need the help.

Fortinet does very well with SMB and education. I am not sure how cost effective their WAPs are, but they seem to be a nice end to end solution.

  • Thanks 1
