Router/Gateway with Greater Security than traditional consumer equipment

silekonn

Junior Member
Mar 15, 2010
I currently utilize an off-the-shelf Netgear router. I am hoping to move to something with better security. I set up a Ubiquiti Unified Security Gateway (USG) and was told its advantage is in part IDS/IPS (aside from other features).

Some research shows options are numerous: Sophos, SonicWall, Untangle, pfSense, Fortinet and WatchGuard, among the up-and-coming consumer offerings Norton Core, Cujo (terrible reviews), BitDefender Box, etcetera. My budget is up to $1,000 or slightly north and, if necessary, $200-300 for a yearly subscription.
I am not a network administrator. I do have technology expertise. I set up the USG in a few minutes and the device only cost $110. It leads me to believe consumer equipment should and can be bested, and without paying for something astronomical (e.g. an $1x00 yearly Meraki subscription, before the price of the hardware). Can anyone recommend a step up?

Thanks in advance.
 

mnewsham

Lifer
Oct 2, 2010
Something like this with pfSense on it.

https://www.newegg.com/Product/Product.aspx?item=N82E16856173150

It's dual NIC, so I'd suggest connecting a 5-port+ gigabit switch (depending on how many wired devices you'll need) and a Ubiquiti access point for Wi-Fi. Let the pfSense router handle the WAN/LAN aspect, and let the Ubiquiti access point handle the Wi-Fi. I assume your current setup is already similar if you're using a USG.
 

sdifox

No Lifer
Sep 30, 2005
What is the network size and WAN traffic like?

Netgate SG3100 with 3-year pro support is US$1393.

Should be plenty for SMB.
 

GPz1100

Senior member
Jun 10, 2001
For home use Sophos offers a free 50-client license. It meets my needs well. Speed capability is a function of the hardware you run it on. Virtualized on an i5-6600K with 6 GB of RAM assigned, it can process ~300-400 Mbps per connection on my gigabit pipe. Multiple connections (clients) are needed to saturate the pipe. Certain content (like several speed test site locations) bypasses the IPS/Snort scanning, which results in full bandwidth being available for that type of traffic.

pfSense can do more but is more complicated to set up for the novice (not that UTM is basic; it is just easier for the novice).
 

Burner27

Diamond Member
Jul 18, 2001
Been out of the loop for a while, but can pfSense be a legitimate UTM if you install and configure the correct packages?
 

mnewsham

Lifer
Oct 2, 2010
can pfSense be a legitimate UTM if you install and configure the correct packages?
Really depends how you define a legitimate UTM device.
UTM can be basic as hell if your network setup and expected use case are simplistic enough. But UTM can also be a massive beast of a thing that's protecting 1000+ devices with dozens of different use cases, so it needs to cover a much larger spectrum of possible threats.

In my opinion, for a home or small business, yes, pfSense can be a legitimate UTM. For a medium-sized to large business, it would depend on more specifics about use cases, but largely it would not be sufficient.

Remember, much of what a UTM does relies on constant updates for new threats that are being discovered. Purpose-built UTM devices for enterprise customers cost a LOT of money, but come with generally more robust updates than the freeware alternatives that pfSense relies on. However, since enterprise customers are much more likely to be a target of industrial espionage or other similar threats, that isn't necessarily needed for the average user, and thus the free options, even if they aren't as good as high-end UTM options, are still good enough for the vast majority of folk.

pfSense with Snort, Squid and HAVP is going to be pretty decent. But with as much HTTPS traffic as is happening these days, realistically every client device should do its own anti-virus and malware protection; you can't realistically rely on a UTM to fully protect against that.
 

GPz1100

Senior member
Jun 10, 2001
Sophos UTM has a transparent proxy function for HTTPS scanning. It does require installing the UTM's web certificate on clients' PCs. This may be challenging on some devices such as Android.
 

Genx87

Lifer
Apr 8, 2002
Sophos UTM has a transparent proxy function for HTTPS scanning. It does require installing the UTM's web certificate on clients' PCs. This may be challenging on some devices such as Android.

Phones will have an issue. Maybe an MDM would be able to deploy the certificate? Or subnet them off and don't inspect. Also, HTTPS decrypt/encrypt is very resource intensive. Expect a large drop in throughput when enabling this feature for HTTPS traffic. HTTPS inspection is on my bucket list of things to get done.
 

silekonn

Junior Member
Mar 15, 2010
Apologies it took me a while to return. To begin, what should have been clarified is that I am seeking a minimal-maintenance system. I would like something my family can use without having to ask for exclusions and reconfiguration. If it works out I will recommend a similar setup for other family members. Is pfSense the solution?
 

sdifox

No Lifer
Sep 30, 2005
Apologies it took me a while to return. To begin, what should have been clarified is that I am seeking a minimal-maintenance system. I would like something my family can use without having to ask for exclusions and reconfiguration. If it works out I will recommend a similar setup for other family members. Is pfSense the solution?

Sophos is more user friendly, though trusting firewall configuration to family members is, er, sanguine.
 

mnewsham

Lifer
Oct 2, 2010
Sophos is more user friendly, though trusting firewall configuration to family members is, er, sanguine.
Yeah, networking is very individual; you can't just have a turnkey solution that works for everyone without needing configuration and setup particular to THAT network/location.

I agree Sophos is probably the most user friendly, but it is not something I'd trust friends and family with configuring.
 

GPz1100

Senior member
Jun 10, 2001
I agree with the above. I generally have a good idea what I'm doing, but Sophos UTM can still be challenging. Part of the challenge is that it doesn't quite operate like a traditional firewall.

Doug Foster explains it best in this article: https://community.sophos.com/produc.../w/utm-wiki/13/read-me-first-utm-architecture

Still, once you get a handle on it, it's quite a good system. Also, Sophos has their XG product. It doesn't have the same limitations as UTM, but is confusing in other ways. I've yet to figure it out and decided to stick with UTM.
 

Rifter

Lifer
Oct 9, 1999
Apologies it took me a while to return. To begin, what should have been clarified is that I am seeking a minimal-maintenance system. I would like something my family can use without having to ask for exclusions and reconfiguration. If it works out I will recommend a similar setup for other family members. Is pfSense the solution?

Then stick with an off-the-shelf router. If you are looking for better security, that comes with a cost of configuration and maintenance as you configure it for all the devices on your specific network. Remember, your security is only going to be as good as your configuration of your firewall. If you open it up to the point that your family doesn't have to ask for an exclusion, then there really isn't a point in running a firewall; if everything is open, it totally defeats the purpose.

I spent months fine-tuning my pfSense box after the initial installation. I almost never touch it now unless I'm adding something new to the network; it can go months with me never touching it, but at the start it required some configuration to get everything working the way I wanted and to get all the packages I wanted set up (I'm running a dozen or so packages for various tasks).

So if your network stays the same, then pfSense can be fairly maintenance free, but you do need to put in time initially to get it properly configured.
 

silekonn

Junior Member
Mar 15, 2010
I am comfortable spending the first few weeks fine tuning. Much of the hacking and internet crime comes from Russia and China. I know one of the basic advantages to prosumer and better routers is geographical firewalling (termed geoblock or geofencing?).

I like the looks of the Netgate. Anyone favor a comparable Sophos device(s)? The connection here is a minimum 200Mbps/10 now and they offer up to 1Gbps/25. Is that realistic for models in this price range? Thank you for all of your contributions.
 

mxnerd

Diamond Member
Jul 6, 2007
pfSense is not for the faint of heart. Netgate is the company that developed pfSense.

Set up a pfSense PC or a virtual machine to test it out before you make the commitment.

If you are not hosting email or web servers at home, or you send/receive email using an email client instead of webmail, I really don't see the purpose of spending the extra money for features you probably don't need.
 

sdifox

No Lifer
Sep 30, 2005
pfSense is not for the faint of heart. Netgate is the company that developed pfSense.

Set up a pfSense PC or a virtual machine to test it out before you make the commitment.

If you are not hosting email or web servers at home, or you send/receive email using an email client instead of webmail, I really don't see the purpose of spending the extra money for features you probably don't need.

pfSense with pfBlockerNG is probably all he needs. If VPNing and expecting high throughput, of course he would need beefier hardware.
 

silekonn

Junior Member
Mar 15, 2010
After VM'ing pfSense it is clear that it is not the solution. The lack of a GUI results in no option to assist someone else in correcting an issue. Are Sophos devices CLI?
 

sdifox

No Lifer
Sep 30, 2005
After VM'ing pfSense it is clear that it is not the solution. The lack of a GUI results in no option to assist someone else in correcting an issue. Are Sophos devices CLI?

Huh? It has a GUI. The init does happen in a text prompt mode.

Since you have access to a VM host, what you can do is configure pfSense for someone in a VM, then send them the config you saved. All they have to do is install, go through initial setup, then load the config.

I don't bother to try to fix pfSense when I break it. I just load the previous working config :)

But definitely try Sophos as well.
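
The hand-off sdifox describes (build the config in a VM, ship it, have the recipient restore it) is a good point to audit what the saved config actually permits, which also bears on Rifter's point that a firewall opened up far enough to never need an exclusion protects nothing. The following is an added example, not code from the thread or from the pfSense project; it assumes the `<filter><rule>` layout of a pfSense config.xml backup and runs over a constructed sample.

```python
# Audit a pfSense-style config.xml backup before handing it to someone else.
# The sample is constructed and modelled on the <filter><rule> layout of a
# pfSense backup (an assumption; compare with a real export before relying on it).
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense><filter>
  <rule><type>pass</type><interface>lan</interface><ipprotocol>inet</ipprotocol>
    <source><network>lan</network></source><destination><any/></destination>
    <descr>Default allow LAN to any rule</descr></rule>
  <rule><type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
    <protocol>tcp</protocol><source><any/></source>
    <destination><address>192.168.1.10</address><port>443</port></destination>
    <descr>Inbound to web server</descr></rule>
  <rule><type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
    <source><any/></source><destination><any/></destination>
    <descr>Temporary: allow everything</descr></rule>
  <rule><disabled/><type>pass</type><interface>wan</interface>
    <source><any/></source><destination><any/></destination>
    <descr>Old rule, disabled</descr></rule>
</filter></pfsense>
"""

def endpoint(node):
    """Render a <source>/<destination> element as 'any', 'net:<if>' or addr[:port]."""
    if node is None or node.find("any") is not None:
        return "any"
    if node.find("network") is not None:
        return "net:" + node.findtext("network")
    addr, port = node.findtext("address", "?"), node.findtext("port")
    return f"{addr}:{port}" if port else addr

def audit_rules(xml_text):
    """Return one dict per enabled rule, with review flags for permissive ones."""
    out = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        if rule.find("disabled") is not None:   # disabled rules are not enforced
            continue
        r = {"interface": rule.findtext("interface"), "type": rule.findtext("type", "pass"),
             "src": endpoint(rule.find("source")), "dst": endpoint(rule.find("destination")),
             "descr": rule.findtext("descr", ""), "flags": []}
        if r["type"] == "pass" and r["interface"] == "wan" and r["src"] == "any":
            r["flags"].append("inbound-from-any")      # reachable from the whole internet
        if r["type"] == "pass" and r["dst"] == "any":
            r["flags"].append("unrestricted-egress")   # no outbound filtering at all
        out.append(r)
    return out

def flagged_rules(xml_text):
    """Descriptions of rules worth a second look before the config is shared."""
    return [r["descr"] for r in audit_rules(xml_text) if r["flags"]]
```

Run `flagged_rules(open("config.xml").read())` against a real backup to get the list of rules to discuss with the recipient before they restore it.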

silekonn

Junior Member
Mar 15, 2010
Figured it out. I followed directions for using it with VMs. It required configuring an internal network, and another VM accessed pfSense. Working on it now. Does Sophos have a downloadable OS/demo?