Pro grade firewalls for home lab?


Hyrum Mills

Mar 25, 2021, 12:28:22 AM
to UtahSec
I'm looking for a reasonable and reliable source to buy low-end professional grade security tools for a home lab environment. I want to buy a hardware firewall (yes, I know, I can do a VM in a lab, but I want the real thing.) The Sophos 115w I bought a few months ago is trash; you can configure it the same way as many times as you like and it'll operate differently each time - there's no consistency, and Sophos has mucked up the community boards so bad they're useless for troubleshooting. Anybody have a good source for a legit secondhand Palo Alto lab unit and license? I'm looking for something that can get close to my home gigabit connection throughput, although I imagine I'll have to settle for less due to cost. Checkpoint could work, too, or maybe Fortinet, but the idea is to get more practice with a pro grade system so I'm trying to focus on those.

Hyrum

Mike Weaver

Mar 25, 2021, 2:16:12 AM
to Hyrum Mills, UtahSec
I know this isn't what you want to hear, but I don't think you'll find what you want at a reasonable price. I think your best route would be getting an OPNsense firewall setup with the Sensei plugin for NextGenFW features. This will get you network inspection all the way to Layer 7. It's free to try, so it doesn't hurt to check it out.

--
Mike Weaver


dean...@gmail.com

Mar 25, 2021, 7:55:40 AM
to Hyrum Mills, UtahSec
I run a Fortigate 60E and while expensive for support, it performs well. 

Sincerely,

Dean Sapp, MSISM, CISSP, CIPP/US, CISA
Chief Information Security Officer
IT Security Matters, LLC


Alex Wardle

Mar 25, 2021, 11:51:48 AM
to dean...@gmail.com, Hyrum Mills, UtahSec
+1 for OPNsense. I run it bare metal on an older PowerEdge R210 II and it handles gigabit no problem.

Otherwise, try checking out WatchGuard. They have the best price per Gb of throughput, and it's a full-featured enterprise firewall. An M200 will handle gigabit no problem and should be around $200 used.

Jon B. Bushey

Mar 25, 2021, 12:02:15 PM
to Alex Wardle, dean...@gmail.com, Hyrum Mills, UtahSec
Hyrum,

Sorry to hear that you had issues with Sophos. I run the free home version of Sophos UTM and it is working well for me. I have run it for several years. I bought a small all-in-one computer rather than running it on an old machine: a ProtectLi VAULT 4.


Jon



--
Thanks,
Jon
Cell (801) 699-4400

hy...@utahcyber.org

Mar 25, 2021, 1:44:43 PM
to UtahSec
It looks like all the UTM stuff went end-of-life in June of 2018; that's how I ended up with an XG box instead. It's too bad; I've heard the UTM was more capable and reliable, but they shut it down anyway.

David Krum

Mar 25, 2021, 7:15:26 PM
to UtahSec
I'd take a look at Ubiquiti.
You may or may not consider these pro-grade, but they're very affordable. I'd put their performance on par with Sophos.
Their EdgeRouter X is only $60 and no licensing. If you need more performance, you can easily move up from there.

They also have their UniFi line. I'd start with the Dream Machine, which has much better IDS/IPS.

(Long)Wind:
I set up 10 ER-X routers to all NAT and still got 900Mbits through them (IPS off) for kicks.
Funny thing...before I thought of the speed test, I did a flood ping and missed the IP by one digit.
It only ran for a minute when I realized they went out the Internet gateway.
My ISP (SFCN) called me the next day, upset that I was "attacking their core" :)
I now blackhole route Private IPs at my edge (not sure why they don't).

Soapbox:
When Sophos XG came out, they promised a tool to convert SG config to XG, and it still doesn't exist (5 years later).
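Worked illustration of the routing behaviour behind the flood-ping story and the blackhole fix. This is an added example, not code from the thread or from Ubiquiti: it builds a constructed edge routing table (one LAN /24, a default route to the ISP, and the three RFC 1918 blackhole routes) and performs the longest-prefix-match lookup a router does, so you can see which mistyped destinations get dropped at the edge and which still leave via the default route. The names `lookup()`, `build_routes()` and `edgeos_commands()` are mine, and the EdgeOS `set protocols static route <prefix> blackhole` syntax emitted at the end is given from memory as an assumption, not taken from the page.

```python
"""Longest-prefix-match lookup against an edge routing table, with and
without RFC 1918 blackhole routes.  Stand-alone illustration; the table
below is constructed, not captured from a real router."""
import ipaddress

# The three RFC 1918 private ranges.  Blackholing them at the edge means any
# private destination that is NOT a more-specific LAN route is dropped instead
# of being forwarded to the ISP.
BLACKHOLE_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def build_routes(with_blackhole: bool = True):
    """Constructed routing table: (prefix, next-hop) pairs."""
    routes = [
        ("0.0.0.0/0", "isp-gateway"),      # default route to the Internet
        ("192.168.1.0/24", "lan"),         # the one real LAN segment (constructed)
    ]
    if with_blackhole:
        routes += [(p, "blackhole") for p in BLACKHOLE_PREFIXES]
    return routes


def lookup(dst: str, with_blackhole: bool = True) -> str:
    """Return the next hop for dst using longest-prefix match.

    The /24 LAN route always beats the /16 blackhole for real LAN hosts, so
    the blackhole entries only ever catch private addresses that are not
    actually on the LAN (typos, stale lab subnets, spoofed sources).
    """
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, "unreachable"
    for prefix, hop in build_routes(with_blackhole):
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def leaks_upstream(dst: str, with_blackhole: bool = True) -> bool:
    """True if traffic to dst would be sent to the ISP."""
    return lookup(dst, with_blackhole) == "isp-gateway"


def edgeos_commands() -> list:
    """EdgeOS-style configuration lines for the blackhole routes (assumed
    syntax: 'set protocols static route <prefix> blackhole')."""
    return [f"set protocols static route {p} blackhole" for p in BLACKHOLE_PREFIXES]


if __name__ == "__main__":
    # 192.168.1.50 is a real LAN host; 192.168.2.50 is a one-digit typo of it
    # that stays inside private space; 192.16.1.50 is a typo that lands in
    # public space and is NOT caught by the private-range blackholes.
    for dst in ["192.168.1.50", "192.168.2.50", "10.10.10.10", "192.16.1.50"]:
        print(f"{dst:>14}: without blackhole -> {lookup(dst, False):<11} "
              f"with blackhole -> {lookup(dst, True)}")
    print("\n".join(edgeos_commands()))
```

The last case is the caveat worth keeping in mind: blackholing private ranges stops private-address typos and stale lab subnets from leaving the edge, but a typo that produces a public address still goes to the default route, so the mitigation narrows the class of mistakes rather than eliminating it.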

Spence Flandro

Mar 25, 2021, 7:59:04 PM
to UtahSec
I've been running a Palo Alto PA-220 for the past couple of years at home, but before that, I was on a Sophos UTM (Home Edition). The UTM had some quirks, but overall, it performed better than my PA-220 with all the features enabled.

I haven't kept up on what is going on with the Sophos UTM, but I don't see anything indicating the home edition is EOL.
9.705 was released in September 2020. https://community.sophos.com/utm-firewall/b/blog/posts/utm-up2date-9-705-released
I might be missing something though.

I'd double check on the status of the home edition of Sophos UTM.

There are quite a few commercial grade open source firewalls out there if you are willing to supply the hardware (or VM). Now I need to go look at OPNsense. Before using Sophos UTM I was using pfSense. Sounds related....

Good luck with the quest.


hy...@utahcyber.org

Mar 26, 2021, 9:38:19 PM
to UtahSec
To be fair to Sophos, I gave it one more try and was able to get it up and running again. I just had to tell it not to start off with any protections whatsoever, and incrementally add things from there... (crossing fingers, toes, etc.)