Jump to content
RESET Forums (homeservershow.com)
schoondoggy

Firewall/Router for SMB site to site VPN

By schoondoggy, in Networking

Recommended Posts

snapper    38

snapper
Posted
On 29/01/2018 at 10:47 PM, schoondoggy said:

 

Ubiquiti Enterprise Gateway Router

https://www.ubnt.com/unifi-routing/usg/

Anyone worked with either/both of these?

Thoughts?

Other recomendations?

 

Unless they already have other UniFi stuff deployed, I wouldn't recommend the USG standalone just for VPN.

That said, if IDS/IPS is useful, Chris Buechler (pfSense co-founder) now works for Ubiquiti and they now have USG beta firmware with IDS/IPS...

 

My choice would be the Ubiquiti Edgerouter 4: https://www.ubnt.com/edgemax/edgerouter-4/

Dunno if they are any good as I'm UK, but Baltic Networks has them listed at $170

 

  • Like 1

Share this post

Link to post
Share on other sites

itGeeks    181

itGeeks
Posted (edited)

The Ubiquiti Edgerouter 4 looks interesting but I have heard from others that the most basic tasks like port forwarding is a bit of a challenge and not strait forward. Over the recent years I have taken the stance that if firmware updates are not automatic and the most basic of setup is not end-user friendly I am not interested.

Edited by itGeeks

Share this post

Link to post
Share on other sites

snapper    38

snapper
Posted
1 hour ago, itGeeks said:

The Ubiquiti Edgerouter 4 looks interesting but I have heard from others that the most basic tasks like port forwarding is a bit of a challenge and not strait forward. Over the recent years I have taken the stance that if firmware updates are not automatic and the most basic of setup is not end-user friendly I am not interested.

 

May have been the case a few years back but port forwarding is a simple GUI web page now.

 

Ref the updates, as this is not for home use, any firmware updates should be done under some form of change control to prevent any downtime to the users, so not having auto update firmware is actually a plus in this situation...

 

Untitled.jpeg

  • Like 1

Share this post

Link to post
Share on other sites

itGeeks    181

itGeeks
Posted

schoon,

You have anything new to share on this project? Was wondering if you decided on a solution?

Share this post

Link to post
Share on other sites

itGeeks    181

itGeeks
Posted

@snapper,

I guess I agree to disagree and it could be open to debate. If the business has an in-house IT person maybe but I know from my own experience out of sight out of mind and something as critical as your router that is supposed to help protect you should not be forgotten about. The sad truth they won't get updated. Most routers I dealt with have a "Schedule" for firmware updates so you set it for a time when no one needs the network/internet....

Share this post

Link to post
Share on other sites

snapper    38

snapper
Posted
14 minutes ago, itGeeks said:

@snapper,

I guess I agree to disagree and it could be open to debate. If the business has an in-house IT person maybe but I know from my own experience out of sight out of mind and something as critical as your router that is supposed to help protect you should not be forgotten about. The sad truth they won't get updated. Most routers I dealt with have a "Schedule" for firmware updates so you set it for a time when no one needs the network/internet....

 

Always up for a debate :)

 

As this is a business, you need to put a business risk lens on it.

 

Having uncontrolled firmware updates could potentially mean unexpected downtime for that company which may mean loss of revenue.

What happens if the firmware is faulty and causes issues to other areas? (e.g. recent Intel microcode updates for Spectre and Meltdown caused unexpected reboots)

The firmware update itself might fail and the first anyone knows about it is when they come into the office and they can't work.

 

I'm all for timely updates, but in a business, they should form part of the IT risk profile that is acceptable for that company.

e.g. if a firmware fix doesn't fix anything but the GUI, should they take it at all, is the risk of downtime / bricked router worth a GUI fix?

 

At home however, the risk of a firmware issue is much smaller; I have auto-firmware updates enabled where possible as I'm happy to accept the risk of an issue arising...

 

Share this post

Link to post
Share on other sites

schoondoggy    745

schoondoggy
Posted
1 hour ago, itGeeks said:

schoon,

You have anything new to share on this project? Was wondering if you decided on a solution?

Yup.

They decided to do what I recommended they do in the first place. I did not think they would spend this much, so I did not list it as an option in this thread. A local VAR that is focused on SMB customers will be their IT department now. They will be installing a Fortinet Fortigate 60e in each facility with the full UTM bundle and configure the site to site VPN:

https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGate_FortiWiFi_60E_Series.pdf

The VAR will check/update the Fortigates and review threats.

 

Thanks to everyone for the input, I appreciate it. 

 

  • Like 1

Share this post

Link to post
Share on other sites

itGeeks    181

itGeeks
Posted

Thanks for the update, Then it sounds like it's a win win for all involved:)

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go To Topic Listing


×
×
  • Create New...