NGFW + VPN as a service

Discussion in 'other firewalls' started by JLD, Jan 30, 2015.

  1. JLD

    JLD Guest

    I ran across Palo Alto Networks' GlobalProtect service, https://www.paloaltonetworks.com/products/technologies/globalprotect.html which appears to be a NGFW + VPN for mobile devices for corporate users.

    Would anyone in this forum know of a NGFW + VPN service for consumers?

    I am new to this forum. I'm contemplating a UTM-type of device for my home network. I've been reading through this forum extensively, and it has been very helpful. Thank you all for that. I'm considering either a Zyxel USG60 with Kaspersky subscription, or the yet-to-be-launched Bitdefender Box, or Itus Shield to use with an Asus RT-AC87U router. I like the thought of a NGFW + VPN service vs buying and maintaining yet another piece of hardware.

    Any guidance you can provide would be greatly appreciated. Thank you.
     
    Last edited by a moderator: Jan 30, 2015
  2. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Bit Defender box is underpowered, and only 10/100 capable, and has yet to be tested/reviewed by independent IT professionals. Palo Alto GP appears to be a hosted solution. You could also run a Fortigate Appliance, then run your devices through Forticlient (VPN ONLY) installation. Then all of your connections pass through YOUR UTM at home, regardless of where you are via a VPN, and benefit from IPS, Antivirus, and URL scanning on the Fortigate appliance. You essentially create your own worldwide, secure VPN for anywhere you are. You could even run the Forticlient licensed for an endpoint solution combined with the VPN tie in to the Fortigate for a complete, bulletproof solution.

    Itus Shield is interesting-sounding, but the data seems very very limited. They mention Snort, but what about AV? If it's ClamAV, then it's really not acceptable. Untangle licensed is good, but has tremendous limitations. For one, Untangle uses the mediocre Bit Defender UTM, and ClamAV; both are actually pretty anemic in the gateway market. Untangle's Adblocker doesn't autoupdate anymore, and is again mediocre. Untangle uses a very very basic, non-updating SNORT IPS because Untangle, in their arrogance, feel IPS is a 'waste'. So I view Untangle as merely a fairly economical 'layer' on an existing network, not a total solution. I feel the best aspects of Untangle are actually its Web Blocker and HTTPS Inspector.

    My ideal solution would be Fortigate on the gateway, Untangle in Bridge/Transparent, then ASUS 87U/R as a powerful WAP. Fortigates absolutely destroy Untangle in almost every category, and that's coming from someone that is essentially an Untangle engineer with a fully licensed corporate edition. (Me) It's mediocre on all fronts IMO.
     
  3. JLD

    JLD Guest

    Thanks for the insight. Some questions:

    1. How does a SMB Fortigate compare to, say, the Zyxel USG60 or USG40 in terms of protection, ease of set-up and maintenance, initial cost, and annual renewal costs, in your opinion? I found the Zyxel costs on Amazon.com, but not the Fortigate. Why Fortigate over Zyxel (or vice-versa)? I have no experience with NGFWs and UTMs, so either one would likely take a significant time investment. I would like to make the right choice if I buy. Right now my broadband speed is 20 MB download, 2 upload. I might upgrade later to as high as 100 MB download, but probably not higher than that as there is no need.

    2. Which do you use: Untangle, Zyxel, or Fortigate (and which model #), or something else, and why?

    3. Does the AC87U AiProtection not work unless it is the gateway? I thought I read that somewhere.

    4. Are you aware of any entity that offers a hosted VPN with a good 7 layer (or higher) NGFW that would license 6-8 seats at a reasonable annual rate? The reason I ask is that I'd prefer to buy a service (less work for me) rather than the equipment, if possible. It seems like there is a potential market for a SMB or SOHO hosted VPN + NGFW for more knowledgeable home users who value that level of protection, which I think will grow over time. I've left an inquiry with Freedome, and I've seen a couple of VPNs with Clam, but I've not found anything else with, say, Kaspersky AV.

    Thanks!
     
  4. Mayahana

    Mayahana Banned

    1) Fortigate is one of the best. But setting it up can be extremely difficult if you don't have a lot of experience with them, or training. Fortigate works a bit differently, and feels very odd when you try to program it. It's a powerful device, and the URL scanning is exceptional, but the real power is in the rapidly updated IPS signatures. ZyXEL is good, and easier to use, but I do not think they are as good as Fortigate in raw power. Also ZyXEL can have throughput issues, and take careful programming to overcome them.

    2) I've used them all. I have an Untangle on the gateway now because it's fast, easy, and offers a good, in-depth feature set for a low price. $50 a month gives me every module the product offers, and includes all of the paid features, and AV engine updates. Also, and this is HUGE: throughput. My Untangle can handle 1,000Mbps due to the NICs in it, and I currently pipe 135-200mbps internet through it. To get a Fortigate to support that I need to spend $975.00 (wholesale) on a Fortigate 80D, and then another $500-$600 a year after the first year to keep the UTM bundle updated. ZyXEL I would need the USG210, and $300 a year to keep the bundle updated. It comes down to what I am willing to spend, and the features I want.

    3) AC87s don't work unless they are on the gateway - plain and simple. There are bugs with it in bridge mode; it enforces DHCP even with DHCP server OFF. If you turn it into AP mode, it disables AiProtection entirely.

    4) Not sure on services. Hosted is great. My company hosts them on our COLO with powerful Fortigates. But we only do it for corporations and wealthy individuals, and it's prohibitively expensive for consumers. So I would have to research this, as I cannot offer any advice right now on the consumer end.

    For your low bandwidth you could use a Fortigate 60D, then utilize Fortinet support to help you set it up. I set up, on average, a dozen Fortigates a week; it's easy, but it took me a full year of constant practice and study to get 'comfortable' with Fortinet. I'm also in their NSE engineering program. It was a nightmare dealing with Fortigates at first. So unless you are prepared for the work - skip it. But if you want enterprise grade, amazing protection - put the time into it. ZyXEL USG60 is strong enough for you, and cheap ($400?), and $150 a year for the UTM bundle. MUCH easier to set up. You have more options than me simply because you aren't running broadband. My high speed limits what I am willing to pay for.

    Untangle is anemic in a lot of ways. I disagree entirely with their doctrine of 'NAT NAT NAT'. The fact they haven't updated IPS signatures in a year tells me everything. So unless you are prepared for a 'mediocre' Layer7, but want something fairly low cost, Untangle is OK. Untangle fails miserably in:

    1) Refusal to allow adblocking auto-updates.
    2) Anemic Bit Defender Gateway.
    3) Incredibly anemic ClamAV.
    4) Pathetic IPS that doesn't update.

    Good? Their Web Filtration is quite good, if not amazing. Their configuration is fantastic, and the price is very reasonable.
     
    Last edited by a moderator: Jan 31, 2015
  5. JLD

    JLD Guest

    Much appreciated:)

    Looking around today, I came across "ZScaler for SMB" and LiquidVPN which offers IPS (unknown quality, inquiry pending) for their VPN. The ZScaler for SMB solution seems to be pure SaaS, and the only test I could find (not sure how independent it is) seems to compare them favorably to FireEye. Not fully the same coverage as a NGFW (ZScaler would cover Windows, Android, and possibly iOS devices, but not devices that cannot access the internet through a browser, so seemingly not security cameras, printers, Roku, and internet phones like Obihai), but ZScaler is possibly close enough for my needs, which focus more on internet-enabled devices.

    I especially liked what I could understand about the ZScaler approach. I sent an inquiry into ZScaler to learn more. Any knowledge of or thoughts about ZScaler and LiquidVPN?
     
  6. Mayahana

    Mayahana Banned

    SaaS: you can set up your own SaaS pretty easily. Untangle w/IPSEC or OpenVPN would do it, same with ZyXEL or Fortigate.
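
The "route everything back through your own UTM" arrangement Mayahana describes in posts 2 and 6 (a VPN client on each phone or laptop, every connection hairpinned home so the gateway's IPS, AV and URL filtering see it) comes down to one thing the VPN server must do: hand the client a full-tunnel default route, not just a route to the home LAN. The OpenVPN server configuration below is an added example written for this thread; it is not configuration posted by anyone here or shipped by Untangle, Fortinet or ZyXEL. It assumes OpenVPN 2.4 or later running on a box on the home LAN behind the UTM gateway, a tunnel pool of 10.8.0.0/24, a LAN interface named eth0, and a resolver on the gateway at 192.168.1.1; the certificate and key file names are placeholders for a private PKI you generate yourself.

```conf
# OpenVPN server config for a "route everything home" full tunnel.
# Added example, not from the thread. Assumed: OpenVPN 2.4+, server on the
# home LAN behind the UTM gateway, LAN interface eth0, tunnel 10.8.0.0/24,
# gateway resolver at 192.168.1.1. Certificate/key names are placeholders.
port 1194
proto udp
dev tun

# PKI: a private CA, the server's cert/key, DH params, and a pre-shared
# tls-crypt key that authenticates and encrypts the control channel so
# unauthenticated packets are dropped before any TLS work is done.
ca   ca.crt
cert server.crt
key  server.key
dh   dh.pem
tls-crypt tc.key

# Tunnel address pool handed out to clients.
server 10.8.0.0 255.255.255.0
topology subnet

# This line is what makes the setup worthwhile: it replaces the client's
# default route with the tunnel, so the device's Internet traffic exits via
# the home gateway and gets inspected there. Leave it out and you have a
# split tunnel: the client reaches the home LAN, but its web traffic goes
# straight out of the coffee-shop hotspot, untouched by the UTM.
push "redirect-gateway def1 bypass-dhcp"

# Send DNS through the tunnel as well, so lookups are inspected by the
# gateway instead of leaking to the hotspot's resolver. block-outside-dns
# only has effect on Windows clients; other clients log a warning and ignore it.
push "dhcp-option DNS 192.168.1.1"
push "block-outside-dns"

# Data-channel crypto and liveness checks (ping every 10 s, drop after 120 s).
cipher AES-256-GCM
auth SHA256
keepalive 10 120

# Drop privileges once the tunnel is up; keep key and tun across restarts.
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
```

On the server host, IP forwarding has to be on (`sysctl -w net.ipv4.ip_forward=1`) and tunnel traffic has to be source-NATed onto the LAN (`iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE`) so it leaves through the gateway like any other LAN host's traffic; the gateway also needs UDP/1194 forwarded to that box. Two checks are worth doing after the first connection: on the client, `ip route` (or the platform equivalent) should show the `0.0.0.0/1` and `128.0.0.0/1` routes via the tun interface, which is what `redirect-gateway def1` installs, and an external "what is my address" lookup should return the home connection's public IP. If either fails, the device is split-tunneling and the UTM is seeing none of it. Terminating the VPN directly on the Fortigate or ZyXEL instead works the same way in principle, but then the UTM's inspection policies have to be applied explicitly to the tunnel interface rather than only to the LAN-to-WAN rule.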