Nice! Please report your findings. I did not find anything on their homepage, regarding if you could buy modules separately or what money we are talking about for subscriptions? /E
If it helps, my alternative to a home hardware-based UTM or a hardware-based NGFW is OpenDNS Prosumer combined with McAfee SaaS Web Protection. I've done a fair amount of searching and trialing, and centered on this combination for goodness of security at a reasonable price without the complexity (for me) of adding and maintaining yet another piece of hardware to the home. OpenDNS Prosumer ($20 per year for 3 devices, or, $6.67 per year per device) protects against malware communications at the DNS level. The Prosumer subscription requires installation of client software, so it can only be used for PCs, Macs, and iOS devices, which are the majority of my devices. Android is not yet covered. OpenDNS Umbrella, for corporations, provides protection for an entire IP address, but at $50 per year with a minimum of 10 licenses this makes the cost higher than what I was willing to bear. For me, 3 licenses cover our 8 devices that can be covered. I do wish I could cover our security camera, Roku, Obihai phone,...., but this for us was a compelling compromise at a compelling price. One great feature of OpenDNS is that all ports are covered. McAfee SaaS Web Protection ($32 per device per year, 5 device minimum) is a proxy-based service running internet traffic through McAfee's web gateway. There are a couple of tests available for this service: See their website and see http://threatcenter.crdf.fr/?Stats (McAfee-GW-Edition) as well as Virus Bulletin. Any device with a browser can be set up to proxy traffic through McAfee's gateway. I'm choosing to cover only those devices that might access financial and sensitive accounts, so our cost for this is the $160 minimum cost. In one independent study, McAfee Gateway's blocking rate was comparable to Fortigate. Both services are set up for aggressive screening. They have mostly blocked advertising sites most likely from call-outs on loaded pages, and most of those sites are either not malicious or are not definitively malicious. Both services have blocked clearly malicious sites and clearly malicious advertising. It is impossible to know what they have not blocked that they should have. Our endpoints have Bitdefender Total Security (no problems so far, am aware of the issues raised on this forum), Malwarebytes Anti-Exploit Premium, and the Invincea FreeSpace browser or Sandboxie, depending on the machine. The combined annual cost for of these two services (OpenDNS and McAfee SaaS Web Protection) is only slightly higher than the annual subscription cost associated with a Check Point 620 or a Fortigate 60D SMB NGFW. When I factor in the up front hardware costs of those 2 hardware options, the subscription SaaS route I've taken is significantly less. I do, however, give up the ability to cover all premises devices that I would be able to cover with a hardware solution. I'm interested in all comments and suggestions as I seek to improve our home internet security.
I can't think of anything to add to such a formidable setup. I'd like to ask you about the Invincea FreeSpace browser which I hadn't heard of before. I read this review: http://www.scmagazine.com/invincea-browser-protection/article/193229/ I understand that it runs the browser in a VM; how is that from a performance perspective? My experience with VMs is they create a significant performance hit, but perhaps the VM invincea browser runs in is pared down? Also, how can the browser communicate with the rest of the system? The critical issue with sandbox technology is how to allow access to the host OS, for instance so that downloaded files can be installed on the host. The reviewer states that: "The guest communicates through and with the host only under very controlled conditions" and then fails to explain how this works. At $60/year/PC why not just run a browser in a VM in Virtual Box?
Untangle Free isn't very good. 1) The IPS is effectively useless. 11.1 is in beta now with a new IPS system, until then it's broken. Don't plan on Untangle IPS doing much. 2) ClamAV comes with free one.. It's... Acceptable but that's about it. 3) Web Filter Lite is garbage. Only good point is - it's easy, looks nice, and works, and provides SOME AV scanning, and a good adblocker at the gateway. The PAID version is vastly superior with HTTPS inspection, Bit Defender+ClamAV, and a very potent Web Filter. $50 a month for a home user is steep on the paid one for most consumers. I pay it because I want the power that the paid one comes with. Would I run Untangle Free? Possibly but only AFTER 11.1 comes out, and adds a working IPS.
On the Invincea FreeSpace questions: Performance is very good, IMO. When browsing from page to page, I do not notice any slow-down. There is a delay starting the browser: about 1/2 to 1 second for a newer PC, about 2 seconds for an older PC. For me, the protection is well worth that level of delay. It is easy to download files. There is a very simple interface where the user can enable or download files. Choices are to "Block unsafe file extensions from downloading" which covers .exe files, as well as "Block executable files that are not digitally signed". If I want to download an installation file, I simply uncheck the first option and re-check it when I am finished. I could run a browser in VM mode, but I've never used VM. My personal preference is to buy capability if it is "cheap enough" rather than piece together a less costly solution. I got 2 years of Invincea FreeSpace for 1/2 price ($50 per year * 1/2) as I had a difficult installation and Invincea offered an extra year for free for the trouble encountered. They were very good to work with. I'm a BIG fan of FreeSpace. I also have Sandboxie Free but prefer FreeSpace because it is much simpler OOTB. I put FreeSpace on PC's that the adults use day-to-day and Sandboxie Free on everything else. FreeSpace is bundled with Dell business computers: Latitude and Precision are among the business lines. 1 year free + 5 years at $17 per year. I recently purchased a new Precision and bought 5 years for $85. Well worth it at that price. For me, the low cost bundling of FreeSpace was a major consideration in which laptop to choose, if all other things were equal. Hope this helps.
Thanks for the additional information. I'm planning to get a laptop this summer, possibly from Dell, so I'll keep FreeSpace in mind. I can well relate to paying for straightforward solutions instead of piecing together something just to save a few $$. I can get away with that on my home system, but with larger households/small business that can quickly get out of hand.
IDS in PF is Snort, and it's quite good. However Untangle has a new IPS/IDS in the pipe for release soon. I am considering options to abandon Untangle, but I find the granular capabilities, and web filter to be quite exceptional, so I haven't moved away yet. ITUS Guardian looks great, I may order one, toss it in bridge mode from the modem, then use ASUS RT-87 from that. Giving me a NGFW on bridge, and a Layer 5 as the main.
Going to try installing pfSense on my dad's VMware ESXi server. Is this a good guide for it?: https://doc.pfsense.org/index.php/PfSense_2_on_VMware_ESXi_5 The LiveCD wouldn't even boot... Trying IPFire next. *Never mind, I forgot you need to connect it at power on... Anyways, here is a more newbie-friendly guide: https://calvin.me/part-1-install-pfsense-on-esxi-5-5/
Nobody? Well since I failed, and thought it would be too power-hungry and loud, I'm going to buy a Raspberry Pi Model B. It should be far easier as a WiFi access point with an USB adapter. Going to try out IPFire on it. *Actually, screw it. I'll try getting the MacBook or iMac I've been desiring instead and use it for that lol.
It is a great dist, just a pity that they never implement a decent AV in it, the firewall is superb! /E
I built a Pfsense box this weekend. Impressive but VERY problematic! The main issue is it's too aggressive, and I would need to spend DAYS programming in bypasses for all of the stuff on my network. It reminded me of Sophos UTM, I couldn't get that to work with a ton of stuff in my home, even with very extensive rules/policies. Pfsense was a huge hassle, even blocking games like War Thunder - a known issue with a lot of games. Also my VOIP PBX was blocked, I have it to open a OpenVPN encrypted session every phone call I make, and Pfsense wanted nothing to do with that! Based on what I have read, Pfsense having these issues is very common, and requires extensive work, and often doesn't work correctly in the home environment as a result. Ultimately I went back to Untangle, and will await their upgraded IPS due at some point this spring. I MAY try Pfsense again on a spare machine, but given how much stuff failed to work when it went live, I don't think I can justify the time/effort to figure it out. Keeping in mind it blocked all of this by 'default', without Squid, Snort, or anything - out of the box it killed half my network! I think it some situations it would be amazing, like small homes without much going on, and businesses where gaming and other things don't take place.
Did you try Endian yet? I did run it a couple of years ago after my first run into IPCop, witch by the way I did use as a cache server for all Windows, Mac and Linux updates etc, This was a great feature if you had +10 users and a crappy internet connection, you had to use a plugin for the proxy to make it work. I think I had over 60GB of windows updates on there in the end. It is a pleasure to see winnows update run at gigabit speeds Anyways, I think Endian is born from IPCop in the beginning, many similarities, different colors. It is anyway much easier to setup then Pfsense... /E
The new version squid 3 and squid guard work great. Squid3 has clam built in. This helped me. https://forum.pfsense.org/index.php?topic=87424.msg480232#msg480232 As for being buggy. It can be but my experience has been great.
I built an Endian machine for testing last night. Endian is VASTLY better than Pfsense in my experience (limited) with it. However it still leaves something to be desired in the bug department. For example after I got things up and running I tried to enable the HTTP proxy, that enabled. Then I plugged in the AV and WebFiltration. They wouldn't scan HTTP traffic. I restarted the daemon, rebooted, turned on and off various settings, and it still wouldn't properly scan traffic. I'm no dummy when it comes to UTM's and Firewalls, and rarely need documentation. But in this case I referred to their documentation, and it still didn't work. This is one of the reasons I keep going back to Untangle - it WORKS - out of the box without any hassle, without any tweaks. Build a box, fire it up, plug it in, and out of the box it's 100% functional. Turn on/off features as you want, and they all work as expected. Also Endian doesn't support iBlocklist, a major downside, while Pfsense supports it. (untangle doesn't either) The 'Distro' market is pretty mickey mouse. I've never liked distros because the QC is pretty low on them. I respect Untangle in that they took what was essentially a mess, and made it into a stable, deployable solution for any environment. Similar to how the Linux Distro market was a mess until Ubuntu came in and made it a serious, reliable, deployable solution. So I walk away disappointed in most of these distros, while Untangle is 100% reliable, exceedingly fast, and stable on my network.. I just hate the $50 a month I spend on it for all of the advanced features!
It's frustrating to never find the 'perfect' solution. I'm a perfectionist, and always feel like there should be a perfect solution, that 'good enough' is never enough. I am very appreciative when I do find solutions that by all intents and purposes, and opinions - is perfect. I find it remarkable, and at times annoying how quickly I can find bugs/quirks in almost everything. My thought is 'nobody saw this?!?' when I do. For example how can Fortinet deploy millions of WAPS, and it isn't until 3 months ago when I report it that they discover a password length limitation on the WAP's of 8 characters, and anything over 8 requires a factory reset if you enter it? How does that happen? Untangle is almost perfect except it can't do iBlocklist without paying for it via Untangle, and it has a hideous IPS. But apparently true Snort is in Beta for it so that's one of my last frustrations alleviated. The fee for Untangle should be lower for consumers, but they seem to want to keep consumers away from the product (support reasons?), despite it being so easy to setup and use. I suppose $600 a year isn't that much for piece of mind, and I could also run Untangle in free-mode, but I would be losing some of the best features. Ultimately my goal is to find something as stable, reliable, and bug free as Untangle - that I don't have to pay for, or at least - pay so much for. So far none of the free/cheap solutions I have tried comes close..
Don't take this as an offense, but It looks like your problems with pfsense are more related with your knowledge about how to configure it or about networks rules rather than with bugs. With any other l2-3 firewall you will find the same issues unless you don't configure it properly. BTW this is how any normal firewall works, it blocks everything unless you specify what shouldn't be blocked, although I think it has a less secure mode where it works the other way around. The issues with games are usually related when these act as a server to play online, you have to know which ports are used by the game and open them. Pfsense is pretty solid and stable and its widely used by many huge private companies as a layer 2-3 firewall. It's surprising for me what you have said about probably the best free firewall out there. I don't fully agree with this but is a good start http://forums.untangle.com/networking/33923-pfsense-untangle.html#post187254 You can get most if not all the UTM features in pfsense but some of them doesn't come out of the box. And if you are setting this up for "home" use a layer 7 firewall (application control) won't be very useful but maybe you need the other UTM features. Anyway I can understand your "frustration" since sometimes to setup and configure pfsense can be a real pain.
Keep in mind I am engineer certified for Layer 7 by 3 firms. I understand rules and policies, LAN egress blocking by default on these distros, etc. I also understand that these are buggy, self supported home brews with reliance on CLI tire kicking to make them work properly. I think I will stick to professional solutions to be honest. It was an 'interesting' experience, not unlike my go around with buggy Linux distro's a few years ago with the final realization that Windows worked better than all of them.
Really no offense, but I had very good references of pfsense, and as I said even in the private sector so your post was a little bit surprising for me.
I haven't given up yet. If I can punch my PBX VPN through, and get my security server stabilized, and work around some of the bugs, I'd give it another go. I'm persistent to the point of being ridiculous at times.
That sounds familiar xD about PBX I think you will find more help in the pfsense forums rather than here.
