Firewall/Router for SMB site to site VPN

[snapper 38]

On 29/01/2018 at 10:47 PM, schoondoggy said:

 

Ubiquiti Enterprise Gateway Router

https://www.ubnt.com/unifi-routing/usg/

Anyone worked with either/both of these?

Thoughts?

Other recomendations?

 

Unless they already have other UniFi stuff deployed, I wouldn't recommend the USG standalone just for VPN.

That said, if IDS/IPS is useful, Chris Buechler (pfSense co-founder) now works for Ubiquiti and they now have USG beta firmware with IDS/IPS...

 

My choice would be the Ubiquiti Edgerouter 4: https://www.ubnt.com/edgemax/edgerouter-4/

Dunno if they are any good as I'm UK, but Baltic Networks has them listed at $170

 

[itGeeks 181]

The Ubiquiti Edgerouter 4 looks interesting but I have heard from others that the most basic tasks like port forwarding is a bit of a challenge and not strait forward. Over the recent years I have taken the stance that if firmware updates are not automatic and the most basic of setup is not end-user friendly I am not interested.

Edited February 2, 2018 by itGeeks

[snapper 38]

1 hour ago, itGeeks said:

The Ubiquiti Edgerouter 4 looks interesting but I have heard from others that the most basic tasks like port forwarding is a bit of a challenge and not strait forward. Over the recent years I have taken the stance that if firmware updates are not automatic and the most basic of setup is not end-user friendly I am not interested.

 

May have been the case a few years back but port forwarding is a simple GUI web page now.

 

Ref the updates, as this is not for home use, any firmware updates should be done under some form of change control to prevent any downtime to the users, so not having auto update firmware is actually a plus in this situation...

 

[itGeeks 181]

schoon,

You have anything new to share on this project? Was wondering if you decided on a solution?

[itGeeks 181]

@snapper,

I guess I agree to disagree and it could be open to debate. If the business has an in-house IT person maybe but I know from my own experience out of sight out of mind and something as critical as your router that is supposed to help protect you should not be forgotten about. The sad truth they won't get updated. Most routers I dealt with have a "Schedule" for firmware updates so you set it for a time when no one needs the network/internet....

[snapper 38]

14 minutes ago, itGeeks said:

@snapper,

I guess I agree to disagree and it could be open to debate. If the business has an in-house IT person maybe but I know from my own experience out of sight out of mind and something as critical as your router that is supposed to help protect you should not be forgotten about. The sad truth they won't get updated. Most routers I dealt with have a "Schedule" for firmware updates so you set it for a time when no one needs the network/internet....

 

Always up for a debate

 

As this is a business, you need to put a business risk lens on it.

 

Having uncontrolled firmware updates could potentially mean unexpected downtime for that company which may mean loss of revenue.

What happens if the firmware is faulty and causes issues to other areas? (e.g. recent Intel microcode updates for Spectre and Meltdown caused unexpected reboots)

The firmware update itself might fail and the first anyone knows about it is when they come into the office and they can't work.

 

I'm all for timely updates, but in a business, they should form part of the IT risk profile that is acceptable for that company.

e.g. if a firmware fix doesn't fix anything but the GUI, should they take it at all, is the risk of downtime / bricked router worth a GUI fix?

 

At home however, the risk of a firmware issue is much smaller; I have auto-firmware updates enabled where possible as I'm happy to accept the risk of an issue arising...

 

[schoondoggy 785]

1 hour ago, itGeeks said:

schoon,

You have anything new to share on this project? Was wondering if you decided on a solution?

Yup.

They decided to do what I recommended they do in the first place. I did not think they would spend this much, so I did not list it as an option in this thread. A local VAR that is focused on SMB customers will be their IT department now. They will be installing a Fortinet Fortigate 60e in each facility with the full UTM bundle and configure the site to site VPN:

https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGate_FortiWiFi_60E_Series.pdf

The VAR will check/update the Fortigates and review threats.

 

Thanks to everyone for the input, I appreciate it. 

 

[itGeeks 181]

Thanks for the update, Then it sounds like it's a win win for all involved

[kylejwx 28]

I'm interested if the Fortinet is still working well for this situation. I just searched this forum for Fortinet and found this thread. I'm actually interested in learning more about Fortinet in general. I was at a recent EdTech conference and they were everywhere. Seems like their range of products covers everything in the network, from firewalls to Access Points. They even have a phone system I'm looking into.

[schoondoggy 785]

On 11/16/2019 at 10:38 PM, kylejwx said:

I'm interested if the Fortinet is still working well for this situation. I just searched this forum for Fortinet and found this thread. I'm actually interested in learning more about Fortinet in general. I was at a recent EdTech conference and they were everywhere. Seems like their range of products covers everything in the network, from firewalls to Access Points. They even have a phone system I'm looking into.

It seems to be going fine, no issues. VPN works as expected. The VAR that installed it takes care of the technical aspects. The customer complains about the support cost, but thy do not have their own IT, so they need the help.

Fortinet does very well with SMB and education. I am not sure how cost effective their WAP's are, but they seem to be a nice end to end solution.