firewall recommendations


Rudi Ahlers

Sep 18, 2017, 11:48:42 AM
to house...@googlegroups.com
Hi Guys, 

I hope someone can give me some insight on this. One of our clients has a Telkom MetroLN VPN to 5 of their branches, which will soon be replaced with fiber connectivity. As such, the branches' internet will be open. All the branches currently connect to a SAP server in Germany via another VPN, and then also to some servers in JHB via the VPN.

I already have a MikroTik in HQ for routing everything, and there's a Cisco Meraki firewall on the Germany VPN, which is managed by the German provider. I am not a Cisco engineer and have never worked on one, but the Meraki demo seems fairly easy to use. I do know some routing and have worked on MikroTik, Ubiquiti, FreeBSD and Linux firewalls in the past. I have also worked on Cyberoam firewalls, which has now been acquired by Sophos.

The Cyberoam firewalls have Level 8 (user) filtering which is very nice. 

As an alternative, I see Kerio firewall does the same. But the client is not prepared to pay this price. 

So what alternatives do I have? Some options I have been considering are pfSense, Untangle, Endian Firewall, Smoothwall (have used this in the past), etc., installed on an enterprise-grade server like SuperMicro / HP / Dell (??) / Intel / etc.


Requirements:
- To secure the network from outside threats, and from unknown threats inside
- To offer inter-branch VPN, compatible with a MikroTik at HQ
- To offer at least Layer 8 firewalling, i.e. block Facebook / YouTube / etc. from certain employees, and throttle stuff like Windows / Android / iOS updates.
- Monitor network / bandwidth usage, both on the WAN (+ backup) and for individual users.
- WAN failover from the fiber line to LTE (an LTE router would be fine). VRRP is probably not needed.
- VoIP passthrough / QoS

There is no proxy, and possibly no need for it. Nor is there a Windows Active Directory / Kerberos / LDAP server. I don't think this is needed at this stage either. They do use SAMBA though. 


--
Kind Regards
Rudi Ahlers
Website: http://www.rudiahlers.co.za

Andrew Turpin

Sep 18, 2017, 11:57:36 AM
to house...@googlegroups.com
Hi Rudi,
Who is going to support these firewalls? We ended up choosing Cyberoam because our Windows-only IT Ops staff did not have the skill/experience to handle anything less end-user friendly... even though it cost(s) an arm and a leg... and is possibly not better than the FOSS alternatives.

Kind regards,
Andrew Turpin

--
--
You received this message because you are subscribed to the Google
Groups "house4hack" group.
To post to this group, send email to house...@googlegroups.com
To unsubscribe from this group, send email to
house4hack+...@googlegroups.com
---------------------------------------------------------------------------------------------
www.house4hack.co.za | Centurion Tue 18-21 & Sat 9-14 | Randburg Wed 18-21
---------------------------------------------------------------------------------------------
---
You received this message because you are subscribed to the Google Groups "house4hack" group.
To unsubscribe from this group and stop receiving emails from it, send an email to house4hack+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Rudi Ahlers

Sep 18, 2017, 2:50:06 PM
to house...@googlegroups.com
Hi Andrew, 

I am a sysadmin and the other guys are all Linux devs, so between us we'll make it work ;) I am personally comfortable with anything Linux based. 

And I would prefer the Cyberoams, but I don't know if I like the Sophos merger much. Sophos in itself isn't my favourite. Kerio is quite a bit more expensive than Cyberoam with the same features (Layer 8 filtering). The Cisco Meraki is in between the two, looks nice, but feels a bit "next level" for me.


Dieter Rosch

Sep 18, 2017, 3:29:12 PM
to house...@googlegroups.com
I love pfSense, and it has everything you are asking for. But I am not a SecOps person; this might help you decide:


I run mine at home in a VM on unRAID, with a 4-port PCIe NIC dedicated to it so that there is no chance of traffic sniffing on a shared virtual NIC.

Sent from my iPhone


Andrew Turpin

Sep 19, 2017, 3:53:53 AM
to house...@googlegroups.com
So I see that wiki does not include https://opnsense.org/ in its comparison... has anybody tried OPNsense?

Rudi Ahlers

Sep 19, 2017, 4:54:05 AM
to house...@googlegroups.com
Mmm, OPNsense seems nice.

Dieter Rosch

Sep 19, 2017, 5:47:51 AM
to house...@googlegroups.com
OPNsense is a fork of pfSense, mostly because of in-fighting, i.e. no technical reason IMO.

If you are planning to run on older hardware, OPNsense *might* be better, as pfSense is starting to require crypto instruction sets. But TBH all modern CPUs have them, and you need a bit more beef these days in your firewalls due to the more complex encryption/decryption and defense systems.

Personally I will stick with pfSense, since I trust it and I like it. That's not to say OPNsense isn't trustworthy; I just don't see any need to look for anything different. pfSense really does everything I need, and it works really well for me.

Rudi Ahlers

Apr 2, 2018, 5:47:19 AM
to house...@googlegroups.com
Has anyone played with the Ubiquiti Security Gateways? Are they any good?