Re: sub $500-750 CPE firewall for voip-centric application

2016-05-09 Thread Greg Sowell
+1 for mikrotik, been solid cpe for ages.
I know a lot of msps using fortigates also.
On May 8, 2016 11:43 AM, "Eygene Ryabinkin" wrote:

> Fri, May 06, 2016 at 09:51:15PM +0200, Mark Tinka wrote:
> > On 6/May/16 21:40, Josh Reynolds wrote:
> > > I've been very happy with the 2.3 release. Modularizing everything and the
> > > new bootstrap GUI is very nice. Updated BSD code base is a godsend.
> >
> > I was just about to ask the experienced coders whether the new GUI in
> > 2.3 fixes a lot of problems of the past...
> >
> > And yes, 2.3 is running FreeBSD 10.3.
>
> Just use FreeBSD without pfSense stuff -- it is easier ;)) Modulo the
> absence of the network-based installation for FreeBSD via PXE [1] out
> of the box (well, it is doable, but I'd prefer to have an easier way
> and Linuxen have that), so large-scale stuff is a bit tough.  Was
> discussed several times in FBSD lists, big players have their own
> homegrown stuff from the early days of the universe, others are either
> not doing that or relying on the existing recipes.  And there are not
> sufficient others of the big $SCALE :(
>
> 
> [1] Something I'm trying to find the time for the past 5-6 years,
> should finally do that.
> 
> --
> Eygene Ryabinkin, National Research Centre "Kurchatov Institute"
>
> Always code as if the guy who ends up maintaining your code will be
> a violent psychopath who knows where you live.
>


Re: sub $500-750 CPE firewall for voip-centric application

2016-05-08 Thread Eygene Ryabinkin
Fri, May 06, 2016 at 09:51:15PM +0200, Mark Tinka wrote:
> On 6/May/16 21:40, Josh Reynolds wrote:
> > I've been very happy with the 2.3 release. Modularizing everything and the
> > new bootstrap GUI is very nice. Updated BSD code base is a godsend.
> 
> I was just about to ask the experienced coders whether the new GUI in
> 2.3 fixes a lot of problems of the past...
> 
> And yes, 2.3 is running FreeBSD 10.3.

Just use FreeBSD without pfSense stuff -- it is easier ;)) Modulo the
absence of the network-based installation for FreeBSD via PXE [1] out
of the box (well, it is doable, but I'd prefer to have an easier way
and Linuxen have that), so large-scale stuff is a bit tough.  Was
discussed several times in FBSD lists, big players have their own
homegrown stuff from the early days of the universe, others are either
not doing that or relying on the existing recipes.  And there are not
sufficient others of the big $SCALE :(


[1] Something I'm trying to find the time for the past 5-6 years,
should finally do that.

-- 
Eygene Ryabinkin, National Research Centre "Kurchatov Institute"

Always code as if the guy who ends up maintaining your code will be
a violent psychopath who knows where you live.


Re: sub $500-750 CPE firewall for voip-centric application

2016-05-06 Thread Keith Stokes
PCI certification at the business level isn’t about whether your firewall 
vendor has gone through an audit and paid someone.

You can build your own firewall if you wish and it must meet all of the 
necessary requirements. So will a commercial firewall, because it’s certainly 
possible to configure anyone’s firewall in an insecure manner.

In fact, my name brand expensive firewall automatically fails the regular 
security scans because it answers ISAKMP. When asked, and it took a while to get 
the truth, the answer was “We automatically flag because ISAKMP can be 
configured insecurely, so we automatically flag.” Showing my config wasn’t 
insecure got me a green light.

On May 6, 2016, at 1:45 PM, amuse wrote:

Don't forget ponying up the fees and charges for paying the auditors - which is 
why most OSS projects don't end up going through them.

On Fri, May 6, 2016 at 11:41 AM, Keith Stokes wrote:
I've been told by various PCI auditors that a noncommercial/FOSS firewall could 
pass as long as you have implemented the necessary controls such as 
encryption/logging/management and passing actual testing.

--

Keith Stokes

> On May 6, 2016, at 1:31 PM, Mel Beckman wrote:
>
> The question of code quality is always a difficult one, since in FOSS it’s 
> public and often found lacking, but in private source you may never know. In 
> these cases I rely on the vendor’s public statements about their development 
> processes and certifications (e.g., ICSA). Commercial products often disclose 
> their development processes and even run in-house security threat research 
> groups that publish to the community.
>
> There are also outside certifications. For example, www.icsalabs.com 
> lists certifications by vendor for those that have passed their test 
> regimen, and both Dell SonicWall and Fortinet Fortigate are shown to be 
> current. PFSense isn’t listed, and although it is theoretically vetted by 
> many users, there is no guarantee of recency or thoroughness of the test 
> regimen.
>
> This brings up the question of whether PFSense can meet regulatory 
> requirements such as PCI, HIPAA, GLBA and SOX. While these regulatory 
> organizations don’t require specific overall firewall certifications, they do 
> require various specific standards, such as encryption strength, logging, VPN 
> timeouts, etc. I don’t know if PFsense meets these requirements, as they 
> don’t say so on their site. Companies like Dell publish white papers on their 
> compliance with each regulatory organization.
>
> -mel
>
>
> On May 6, 2016, at 11:05 AM, Aris Lambrianidis wrote:
>
> amuse wrote:
> > One question I have is:  Is there any reason to believe that the source
> > code for Sonicwall, Cisco, etc are any better than the PFSense code?  Or
> > are we just able to see the PFSense code and make unfounded assumptions
> > that the commercial code is in better shape?
> Perhaps not. In fact, probably not, judging by the apparent lack of
> audit processes for say, OpenSSL libraries re-used in commercial products.
>
> It still doesn't detract from the value of what people are aware of, in
> this case, pfSense code quality.
>
> Aris
>



---

Keith Stokes






Re: sub $500-750 CPE firewall for voip-centric application

2016-05-06 Thread Mark Tinka


On 6/May/16 21:40, Josh Reynolds wrote:

> I've been very happy with the 2.3 release. Modularizing everything and the
> new bootstrap GUI is very nice. Updated BSD code base is a godsend.

I was just about to ask the experienced coders whether the new GUI in
2.3 fixes a lot of problems of the past...

And yes, 2.3 is running FreeBSD 10.3.

Mark.



Re: sub $500-750 CPE firewall for voip-centric application

2016-05-06 Thread Josh Reynolds
I've been very happy with the 2.3 release. Modularizing everything and the
new bootstrap GUI is very nice. Updated BSD code base is a godsend.
On May 6, 2016 2:36 PM, "Aris Lambrianidis"  wrote:

> Mel Beckman wrote:
>
>> But bug reports and response can be measured, at least by those with
>> support contracts for the commercial products. I found PFSense less
>> reliable by a quite large margin than commercial offerings. Plus when I
>> have a problem, I can open a case and somebody else is working on it
>> (because I paid them to), and they usually solve the problem without a lot
>> more involvement on my part.
>>
> Valid points, my intention was to share my thoughts on certification and
> audit processes in general, and I guess in the process derail the thread a
> bit.
>
> Back to pfSense, arguably the point you raise is even stronger than the
> "bad coding practices" one. I might even say I personally don't care much
> about coding practices as I care about support services being prompt and
> effective. The latter *may* actually lead to good coding practices, but not
> the other way around.
>
> Aris
>


Re: sub $500-750 CPE firewall for voip-centric application

2016-05-06 Thread Aris Lambrianidis

Mel Beckman wrote:
> But bug reports and response can be measured, at least by those with 
> support contracts for the commercial products. I found PFSense less 
> reliable by a quite large margin than commercial offerings. Plus when 
> I have a problem, I can open a case and somebody else is working on it 
> (because I paid them to), and they usually solve the problem without a 
> lot more involvement on my part. 

Valid points, my intention was to share my thoughts on certification and 
audit processes in general, and I guess in the process derail the thread 
a bit.

Back to pfSense, arguably the point you raise is even stronger than the 
"bad coding practices" one. I might even say I personally don't care 
much about coding practices as I care about support services being 
prompt and effective. The latter *may* actually lead to good coding 
practices, but not the other way around.

Aris


Re: sub $500-750 CPE firewall for voip-centric application

2016-05-06 Thread Mel Beckman
But bug reports and response can be measured, at least by those with support 
contracts for the commercial products. I found PFSense less reliable by a quite 
large margin than commercial offerings. Plus when I have a problem, I can open 
a case and somebody else is working on it (because I paid them to), and they 
usually solve the problem without a lot more involvement on my part.

I tried PFSense Premium Support once when it first launched, and they simply 
didn’t have their act together. Also, the cheapest PFSense support contract 
cost nearly as much as an entire commercial firewall including hardware and a 
year support! Maybe they’ve improved. I don’t have time to research it though, 
as the commercial products are quite reasonably priced and generally superior 
in features. I’ve also looked at the PFSense appliances for sale, and they are 
not remarkable (either in price or features). I think what 
store.pfsense.org demonstrates is that the commercial 
offerings are justified in what they charge, since it’s about equal to what 
PFSense hardware costs.

Then there is the available skills problem. It’s much easier to find a Cisco, 
Dell, Juniper, or whatever-conversant tech than it is to find someone facile in 
PFSense.

It’s a valiant effort, but to me the value differential just isn’t making sense 
for PFSense.

 -mel



On May 6, 2016, at 11:50 AM, Aris Lambrianidis wrote:

> Mel Beckman wrote:
> > The question of code quality is always a difficult one, since in FOSS it’s 
> > public and often found lacking, but in private source you may never know. In 
> > these cases I rely on the vendor’s public statements about their development 
> > processes and certifications (e.g., ICSA). Commercial products often disclose 
> > their development processes and even run in-house security threat research 
> > groups that publish to the community.
> >
> > There are also outside certifications. For example, 
> > www.icsalabs.com lists certifications by vendor for 
> > those that have passed their test regimen, and both Dell SonicWall and Fortinet 
> > Fortigate are shown to be current. PFSense isn’t listed, and although it is 
> > theoretically vetted by many users, there is no guarantee of recency or 
> > thoroughness of the test regimen.
> >
> > This brings up the question of whether PFSense can meet regulatory requirements 
> > such as PCI, HIPAA, GLBA and SOX. While these regulatory organizations don’t 
> > require specific overall firewall certifications, they do require various 
> > specific standards, such as encryption strength, logging, VPN timeouts, etc. I 
> > don’t know if PFsense meets these requirements, as they don’t say so on their 
> > site. Companies like Dell publish white papers on their compliance with each 
> > regulatory organization.
>
> It seems those certifications are not offering the assurance at least *some* 
> people would expect from them, unless of course we're talking about feeding 
> the paper pushing beast. This is a mere observation on my part, principally 
> I'm not against them, but I seriously doubt bad coding practices happen only 
> on non certified/audited code, so I find the question of value difficult to 
> answer in a satisfactory manner.
>
> Random germane example: 
> http://opensslrampage.org/post/83555615721/the-future-or-lack-thereof-of-libressls-fips
>
> Aris



Re: sub $500-750 CPE firewall for voip-centric application

2016-05-06 Thread Aris Lambrianidis

Mel Beckman wrote:
> The question of code quality is always a difficult one, since in FOSS 
> it’s public and often found lacking, but in private source you may 
> never know. In these cases I rely on the vendor’s public statements 
> about their development processes and certifications (e.g., ICSA). 
> Commercial products often disclose their development processes and 
> even run in-house security threat research groups that publish to the 
> community.
>
> There are also outside certifications. For example, www.icsalabs.com 
> lists certifications by vendor for those 
> that have passed their test regimen, and both Dell SonicWall and 
> Fortinet Fortigate are shown to be current. PFSense isn’t listed, and 
> although it is theoretically vetted by many users, there is no 
> guarantee of recency or thoroughness of the test regimen.
>
> This brings up the question of whether PFSense can meet regulatory 
> requirements such as PCI, HIPAA, GLBA and SOX. While these regulatory 
> organizations don’t require specific overall firewall certifications, 
> they do require various specific standards, such as encryption 
> strength, logging, VPN timeouts, etc. I don’t know if PFsense meets 
> these requirements, as they don’t say so on their site. Companies like 
> Dell publish white papers on their compliance with each regulatory 
> organization.

It seems those certifications are not offering the assurance at least 
*some* people would expect from them, unless of course we're talking 
about feeding the paper pushing beast. This is a mere observation on my 
part, principally I'm not against them, but I seriously doubt bad coding 
practices happen only on non certified/audited code, so I find the 
question of value difficult to answer in a satisfactory manner.

Random germane example: 
http://opensslrampage.org/post/83555615721/the-future-or-lack-thereof-of-libressls-fips

Aris


Re: sub $500-750 CPE firewall for voip-centric application

2016-05-06 Thread amuse
Don't forget ponying up the fees and charges for paying the auditors -
which is why most OSS projects don't end up going through them.

On Fri, May 6, 2016 at 11:41 AM, Keith Stokes wrote:

> I've been told by various PCI auditors that a noncommercial/FOSS firewall
> could pass as long as you have implemented the necessary controls such as
> encryption/logging/management and passing actual testing.
>
> --
>
> Keith Stokes
>
> > On May 6, 2016, at 1:31 PM, Mel Beckman wrote:
> >
> > The question of code quality is always a difficult one, since in FOSS
> it’s public and often found lacking, but in private source you may never
> know. In these cases I rely on the vendor’s public statements about their
> development processes and certifications (e.g., ICSA). Commercial products
> often disclose their development processes and even run in-house security
> threat research groups that publish to the community.
> >
> > There are also outside certifications. For example, www.icsalabs.com
> lists certifications by vendor for those that
> have passed their test regimen, and both Dell SonicWall and Fortinet
> Fortigate are shown to be current. PFSense isn’t listed, and although it is
> theoretically vetted by many users, there is no guarantee of recency or
> thoroughness of the test regimen.
> >
> > This brings up the question of whether PFSense can meet regulatory
> requirements such as PCI, HIPAA, GLBA and SOX. While these regulatory
> organizations don’t require specific overall firewall certifications, they
> do require various specific standards, such as encryption strength,
> logging, VPN timeouts, etc. I don’t know if PFsense meets these
> requirements, as they don’t say so on their site. Companies like Dell
> publish white papers on their compliance with each regulatory organization.
> >
> > -mel
> >
> >
> > On May 6, 2016, at 11:05 AM, Aris Lambrianidis wrote:
> >
> > amuse wrote:
> > > One question I have is:  Is there any reason to believe that the source
> > > code for Sonicwall, Cisco, etc are any better than the PFSense code?  Or
> > > are we just able to see the PFSense code and make unfounded assumptions
> > > that the commercial code is in better shape?
> > Perhaps not. In fact, probably not, judging by the apparent lack of
> > audit processes for say, OpenSSL libraries re-used in commercial products.
> >
> > It still doesn't detract from the value of what people are aware of, in
> > this case, pfSense code quality.
> >
> > Aris
> >
>


Re: sub $500-750 CPE firewall for voip-centric application

2016-05-06 Thread Keith Stokes
I've been told by various PCI auditors that a noncommercial/FOSS firewall could 
pass as long as you have implemented the necessary controls such as 
encryption/logging/management and passing actual testing.

--

Keith Stokes

> On May 6, 2016, at 1:31 PM, Mel Beckman wrote:
> 
> The question of code quality is always a difficult one, since in FOSS it’s 
> public and often found lacking, but in private source you may never know. In 
> these cases I rely on the vendor’s public statements about their development 
> processes and certifications (e.g., ICSA). Commercial products often disclose 
> their development processes and even run in-house security threat research 
> groups that publish to the community.
> 
> There are also outside certifications. For example, 
> www.icsalabs.com lists certifications by vendor for 
> those that have passed their test regimen, and both Dell SonicWall and 
> Fortinet Fortigate are shown to be current. PFSense isn’t listed, and 
> although it is theoretically vetted by many users, there is no guarantee of 
> recency or thoroughness of the test regimen.
> 
> This brings up the question of whether PFSense can meet regulatory 
> requirements such as PCI, HIPAA, GLBA and SOX. While these regulatory 
> organizations don’t require specific overall firewall certifications, they do 
> require various specific standards, such as encryption strength, logging, VPN 
> timeouts, etc. I don’t know if PFsense meets these requirements, as they 
> don’t say so on their site. Companies like Dell publish white papers on their 
> compliance with each regulatory organization.
> 
> -mel
> 
> 
> On May 6, 2016, at 11:05 AM, Aris Lambrianidis wrote:
> 
> amuse wrote:
> > One question I have is:  Is there any reason to believe that the source
> > code for Sonicwall, Cisco, etc are any better than the PFSense code?  Or
> > are we just able to see the PFSense code and make unfounded assumptions
> > that the commercial code is in better shape?
> Perhaps not. In fact, probably not, judging by the apparent lack of
> audit processes for say, OpenSSL libraries re-used in commercial products.
> 
> It still doesn't detract from the value of what people are aware of, in
> this case, pfSense code quality.
> 
> Aris
> 


Re: sub $500-750 CPE firewall for voip-centric application

2016-05-06 Thread Mel Beckman
The question of code quality is always a difficult one, since in FOSS it’s 
public and often found lacking, but in private source you may never know. In 
these cases I rely on the vendor’s public statements about their development 
processes and certifications (e.g., ICSA). Commercial products often disclose 
their development processes and even run in-house security threat research 
groups that publish to the community.

There are also outside certifications. For example, 
www.icsalabs.com lists certifications by vendor for 
those that have passed their test regimen, and both Dell SonicWall and Fortinet 
Fortigate are shown to be current. PFSense isn’t listed, and although it is 
theoretically vetted by many users, there is no guarantee of recency or 
thoroughness of the test regimen.

This brings up the question of whether PFSense can meet regulatory requirements 
such as PCI, HIPAA, GLBA and SOX. While these regulatory organizations don’t 
require specific overall firewall certifications, they do require various 
specific standards, such as encryption strength, logging, VPN timeouts, etc. I 
don’t know if PFsense meets these requirements, as they don’t say so on their 
site. Companies like Dell publish white papers on their compliance with each 
regulatory organization.

-mel


On May 6, 2016, at 11:05 AM, Aris Lambrianidis wrote:

amuse wrote:
> One question I have is:  Is there any reason to believe that the source
> code for Sonicwall, Cisco, etc are any better than the PFSense code?  Or
> are we just able to see the PFSense code and make unfounded assumptions
> that the commercial code is in better shape?
Perhaps not. In fact, probably not, judging by the apparent lack of
audit processes for say, OpenSSL libraries re-used in commercial products.

It still doesn't detract from the value of what people are aware of, in
this case, pfSense code quality.

Aris



Re: sub $500-750 CPE firewall for voip-centric application

2016-05-06 Thread Mark Tinka


On 6/May/16 20:05, Aris Lambrianidis wrote:

> It still doesn't detract from the value  of what people are aware of, in
> this case,
> pfSense code quality.

But the beauty is that with pfSense, you can do something about it, as
someone knowledgeable in coding.

Preferring a closed source option because you can't see how potentially
bad their code is is not necessarily a better position to be in.

Mark.


Re: sub $500-750 CPE firewall for voip-centric application

2016-05-06 Thread Mark Tinka


On 6/May/16 20:05, Aris Lambrianidis wrote:

> It still doesn't detract from the value  of what people are aware of, in
> this case,
> pfSense code quality.

But the beauty is that with pfSense, you can do something about it, as
someone knowledgeable in coding.

Preferring a closed source option because you can't see how potentially
bad their code is is not necessarily a better position to be in.

Mark.


Re: sub $500-750 CPE firewall for voip-centric application

2016-05-06 Thread Aris Lambrianidis
amuse wrote:
> One question I have is:  Is there any reason to believe that the source
> code for Sonicwall, Cisco, etc are any better than the PFSense code?  Or
> are we just able to see the PFSense code and make unfounded assumptions
> that the commercial code is in better shape?
Perhaps not. In fact, probably not, judging by the apparent lack of
audit processes for say, OpenSSL libraries re-used in commercial products.

It still doesn't detract from the value of what people are aware of, in
this case, pfSense code quality.

Aris


Re: sub $500-750 CPE firewall for voip-centric application

2016-05-06 Thread Mark Tinka


On 6/May/16 18:59, amuse wrote:

> One question I have is:  Is there any reason to believe that the source
> code for Sonicwall, Cisco, etc are any better than the PFSense code?  Or
> are we just able to see the PFSense code and make unfounded assumptions
> that the commercial code is in better shape?

A fair question.

And I suppose one could say that if you are unhappy with the code, make
a contribution to make it better.

We have run them for years, and while no system is without problems, for
the amount of value you receive, I can't really complain.

Mark.


Re: sub $500-750 CPE firewall for voip-centric application

2016-05-06 Thread amuse
One question I have is:  Is there any reason to believe that the source
code for Sonicwall, Cisco, etc are any better than the PFSense code?  Or
are we just able to see the PFSense code and make unfounded assumptions
that the commercial code is in better shape?

On Fri, May 6, 2016 at 9:39 AM, Mel Beckman wrote:

> I, too, was not impressed with PFSense’s code. I’ve had to dig into it a
> couple of times to troubleshoot weird failure modes. I finally gave up. My
> time is too valuable, and the price of modern firewalls is fair for the
> value you get in serious regression testing and support.
>
> Also, I would not characterize PFSense as “reliable”. My PFsense boxes
> still require periodic reboots due to memory leaks, and sometimes just lock
> up. Yes, that happens with commercial boxen, but those events are far more
> rare.
>
>  -mel
>
>
> > On May 6, 2016, at 9:24 AM, Nick Hilliard wrote:
> >
> > amuse wrote:
> >> +1 to a "Can you substantiate that claim please?" sentiment here.  I've
> >> used it for years and found it to be reliable, flexible, feature-filled.
> >> And having the BSD CLI fully available has been a godsend.
> >
> > The code quality is terrible in a 1990s sort of way.  I.e. no separation
> > of code, html, logic, data structure or anything else.  Everything is
> > jumbled in together using coding methodologies which don't scale and
> > which make it almost impossible to audit in a meaningful way.
> >
> > Specific problems:
> >
> > 1. the installation image ships with static dh params files, e.g.
> >
> >> https://github.com/pfsense/pfsense/blob/master/src/etc/dh-parameters.1024
> >
> > This is a really bad idea and someone should issue a CVE for it.  The
> > reasons are clearly explained at:
> >
> >> https://weakdh.org/
> >
> >> https://www.schneier.com/blog/archives/2015/05/the_logjam_and_.html
> >
> > 2. http params validation: a cursory glance at the output of "grep -r
> > _GET pfsense/src" shows that the authors did not use any http parameters
> > validation.  In addition, the output of $_GET is used unsafely in
> > multiple locations.
> >
> > 3. the output of "grep -wr exec pfsense/src | grep 'rm -rf'" shows what
> > looks like exploitable problems due to poor shell escaping.
> >
> > This isn't an audit or anything, btw.  It's the result of a couple of
> > minutes glancing over the code.  I'm sure an audit would produce a lot more.
> >
> > Nick
>
>


Re: sub $500-750 CPE firewall for voip-centric application

2016-05-06 Thread Mel Beckman
I, too, was not impressed with PFSense’s code. I’ve had to dig into it a couple 
of times to troubleshoot weird failure modes. I finally gave up. My time is too 
valuable, and the price of modern firewalls is fair for the value you get in 
serious regression testing and support. 

Also, I would not characterize PFSense as “reliable”. My PFsense boxes still 
require periodic reboots due to memory leaks, and sometimes just lock up. Yes, 
that happens with commercial boxen, but those events are far more rare.

 -mel


> On May 6, 2016, at 9:24 AM, Nick Hilliard wrote:
> 
> amuse wrote:
>> +1 to a "Can you substantiate that claim please?" sentiment here.  I've
>> used it for years and found it to be reliable, flexible, feature-filled.
>> And having the BSD CLI fully available has been a godsend.
> 
> The code quality is terrible in a 1990s sort of way.  I.e. no separation
> of code, html, logic, data structure or anything else.  Everything is
> jumbled in together using coding methodologies which don't scale and
> which make it almost impossible to audit in a meaningful way.
> 
> Specific problems:
> 
> 1. the installation image ships with static dh params files, e.g.
> 
>> https://github.com/pfsense/pfsense/blob/master/src/etc/dh-parameters.1024
> 
> This is a really bad idea and someone should issue a CVE for it.  The
> reasons are clearly explained at:
> 
>> https://weakdh.org/
> 
>> https://www.schneier.com/blog/archives/2015/05/the_logjam_and_.html
> 
> 2. http params validation: a cursory glance at the output of "grep -r
> _GET pfsense/src" shows that the authors did not use any http parameters
> validation.  In addition, the output of $_GET is used unsafely in
> multiple locations.
> 
> 3. the output of "grep -wr exec pfsense/src | grep 'rm -rf'" shows what
> looks like exploitable problems due to poor shell escaping.
> 
> This isn't an audit or anything, btw.  It's the result of a couple of
> minutes glancing over the code.  I'm sure an audit would produce a lot more.
> 
> Nick



Re: sub $500-750 CPE firewall for voip-centric application

2016-05-06 Thread Nick Hilliard
amuse wrote:
> +1 to a "Can you substantiate that claim please?" sentiment here.  I've
> used it for years and found it to be reliable, flexible, feature-filled.
> And having the BSD CLI fully available has been a godsend.

The code quality is terrible in a 1990s sort of way.  I.e. no separation
of code, html, logic, data structure or anything else.  Everything is
jumbled in together using coding methodologies which don't scale and
which make it almost impossible to audit in a meaningful way.

Specific problems:

1. the installation image ships with static dh params files, e.g.

> https://github.com/pfsense/pfsense/blob/master/src/etc/dh-parameters.1024

This is a really bad idea and someone should issue a CVE for it.  The
reasons are clearly explained at:

> https://weakdh.org/

> https://www.schneier.com/blog/archives/2015/05/the_logjam_and_.html

2. http params validation: a cursory glance at the output of "grep -r
_GET pfsense/src" shows that the authors did not use any http parameters
validation.  In addition, the output of $_GET is used unsafely in
multiple locations.

3. the output of "grep -wr exec pfsense/src | grep 'rm -rf'" shows what
looks like exploitable problems due to poor shell escaping.

This isn't an audit or anything, btw.  It's the result of a couple of
minutes glancing over the code.  I'm sure an audit would produce a lot more.

Nick
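
An added illustration, not code from pfSense and not part of Nick's message: the three patterns he lists, each shown in the defensive form a reviewer would ask for. It generates Diffie-Hellman parameters per host on first boot instead of relying on a static file shipped in an image, validates an HTTP query parameter against an allow-list before it reaches the filesystem, and quotes a shell argument with escapeshellarg() after confirming the path stays under its intended base. The paths, function names and the interface-name pattern are assumptions made for this example; the "unsafe_" functions exist only to show the shape of the defect beside its fix.

```php
<?php
// Constructed example (not pfSense code). Paths, function names and the
// interface-name regex are assumptions made for this illustration.
declare(strict_types=1);

// 1. Static DH parameters shipped in an image are shared by every install.
//    Remedy: generate them on the host itself, and refuse small groups
//    (the precomputation risk for 1024-bit groups is described at weakdh.org).
function ensure_dh_params(string $path, int $bits = 2048): bool
{
    if (is_file($path) && filesize($path) > 0) {
        return true;                      // already generated on this host
    }
    $bits = max($bits, 2048);             // never emit a weak group
    $cmd = 'openssl dhparam -out ' . escapeshellarg($path) . ' ' . $bits
         . ' 2>/dev/null';
    exec($cmd, $output, $rc);
    return $rc === 0 && is_file($path);
}

// 2. HTTP parameters used without validation.
//    Unsafe shape: whatever the client sends becomes part of a path.
function unsafe_read_iface_config()
{
    return file_get_contents('/var/etc/' . $_GET['if'] . '.conf');
}

//    Hardened: accept only the shape an interface name can have
//    (assumed FreeBSD-style names such as em0, igb1, vtnet0) and reject
//    anything else with a 400 instead of trying to make it safe.
function read_iface_config(array $query): ?string
{
    $name = $query['if'] ?? '';
    if (!is_string($name) || !preg_match('/^[a-z]{2,8}[0-9]{1,3}$/', $name)) {
        http_response_code(400);
        return null;
    }
    $contents = @file_get_contents('/var/etc/' . $name . '.conf');
    return $contents === false ? null : $contents;
}

// 3. Shell commands assembled from unescaped input.
//    Unsafe shape: shell metacharacters in $dir are interpreted by /bin/sh.
function unsafe_cleanup(string $dir): void
{
    exec("rm -rf /var/tmp/{$dir}");
}

//    Hardened: validate the name, resolve the real path, confirm it is still
//    under $base, and quote the single argument that reaches the shell.
function cleanup_tmp(string $dir, string $base = '/var/tmp'): bool
{
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $dir)) {
        return false;                     // only plain directory names
    }
    $real     = realpath($base . '/' . $dir);
    $baseReal = realpath($base);
    if ($real === false || $baseReal === false
        || strpos($real, $baseReal . '/') !== 0) {
        return false;                     // missing, or escaped the base dir
    }
    exec('rm -rf ' . escapeshellarg($real), $output, $rc);
    return $rc === 0;
}
```

The allow-list regexes are deliberately narrow: rejecting input that does not match is simpler to reason about than escaping every character that could matter to the shell or the filesystem, and escapeshellarg() then protects the one argument that still has to cross into a command line.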


Re: sub $500-750 CPE firewall for voip-centric application

2016-05-06 Thread amuse
+1 to a "Can you substantiate that claim please?" sentiment here.  I've
used it for years and found it to be reliable, flexible, feature-filled.
And having the BSD CLI fully available has been a godsend.

On Fri, May 6, 2016 at 12:01 AM, Mark Tinka wrote:

>
>
> On 6/May/16 02:18, g...@1337.io wrote:
>
> > If you are considering pfSense, I would urge you to look at OPNsense
> > instead. The pfSense code is horrible!
>
> Can you explain?
>
> We've been reasonably happy with it, running it since 2012 on dozens of
> boxes for our corporate network and as OpenVPN servers.
>
> Mark.
>


Re: sub $500-750 CPE firewall for voip-centric application

2016-05-06 Thread Mark Tinka


On 6/May/16 02:18, g...@1337.io wrote:

> If you are considering pfSense, I would urge you to look at OPNsense
> instead. The pfSense code is horrible!

Can you explain?

We've been reasonably happy with it, running it since 2012 on dozens of
boxes for our corporate network and as OpenVPN servers.

Mark.


Re: sub $500-750 CPE firewall for voip-centric application

2016-05-06 Thread Mark Tinka


On 5/May/16 19:53, Ken Chase wrote:

> Looking around at different SMB firewalls to standardize on so we can start
> training up our level 2/3 techs instead of dealing with a mess of different 
> vendors at cust premises.
>
> I've run into a few firewalls that were not sip or 323 friendly however, 
> wondering what your experiences are. Need something cheap enough (certainly 
> <$1k, <$500-750 better) that we are comfortable telling endpoints to toss 
> current gear/buy additional gear.
>
> Basic firewalling of course is covered, but also need port range forwarding
> (not available until later ASA versions for eg was an issue), QoS (port/flow
> based as well as possibly actually talking some real QoS protocols) and VPN
> capabilities (not sure if many do without #seats licensing schemes which get
> irritating to clients).
>
> We'd like a bit of diagnostic capability (say tcpdump or the like, via shell
> preferred) - I realize a PFsense unit would be great, but might not have
> enough brand name recognition to make the master client happy plopping down as
> a CPE at end client sites. (I know, "there's only one brand, Cisco." ASA5506x 
> is a bit $$ and licensing acrobatics get irritating for end customers.)

pfSense.

Mark.


Re: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread Warren Kumari
Yeah, the EdgeRouter series do not suck.
Fast, stable, easy to manage (although the broken tab completion drives me
nuts: 'sho ip route' should just work, I'm too old to retrain my
fingers...) - other than that they are great...

W

On Thu, May 5, 2016 at 8:28 PM Jared Mauch  wrote:

>
> > On May 5, 2016, at 4:52 PM, Javier J  wrote:
> >
> > I'm a fan of the EdgeRouterLite3
> >
> > I don't manage many small business networks anymore because we now do
> > only 100% cloud and remote work, but I started deploying them to all my
> > old clients I still have on retainer.
> >
> > It is a wonderful, solid set-it-and-forget-it device and you can manage
> > it with ssh (it is basically running a fork of Vyatta under the hood on
> > Cavium hardware, which is nice because it does lots of hardware offload
> > like any other enterprise device.)
>
> I’ll +1 the Edgerouter series.  They are cheap and hit the right price
> performance ratio for most homes.
>
> You can do site-to-site IPSEC VPN stuff and easily SSH + tcpdump if
> necessary.
>
> If you are looking for more complex blocking rules and services, you need
> to be looking at something like the Deteque DNS service or the Cisco/OpenDNS
> services instead to nuke outbound malware connections and such.
>
> - Jared
>
>


Re: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread Christopher Morrow
On Thu, May 5, 2016 at 8:27 PM, Jared Mauch  wrote:

>
> > On May 5, 2016, at 4:52 PM, Javier J  wrote:
> >
> > I'm a fan of the EdgeRouterLite3
> >
> > I don't manage many small business networks anymore because we now do
> > only 100% cloud and remote work, but I started deploying them to all my
> > old clients I still have on retainer.
> >
> > It is a wonderful, solid set-it-and-forget-it device and you can manage
> > it with ssh (it is basically running a fork of Vyatta under the hood on
> > Cavium hardware, which is nice because it does lots of hardware offload
> > like any other enterprise device.)
>
> I’ll +1 the Edgerouter series.  They are cheap and hit the right price
> performance ratio for most homes.
>
>
came here to say this, also they do v6, PD and all that jazz.



> You can do site-to-site IPSEC VPN stuff and easily SSH + tcpdump if
> necessary.
>
> If you are looking for more complex blocking rules and services, you need
> to be looking at something like the Deteque DNS service or the Cisco/OpenDNS
> services instead to nuke outbound malware connections and such.
>
>
also agree whole-heartedly with this sentiment.


Re: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread Tim Raphael
The SIP ALG in the Juniper SRXs is definitely one of the best I’ve come across.

I defaulted to turning it off based on my previous experiences with SIP ALGs
and NAT; however, it became apparent that it actually worked really well and I
ended up defaulting it to on.

- Tim


> On 6 May 2016, at 3:37 AM, Andrew Kirch <trel...@trelane.net> wrote:
> 
> Both the Juniper SRX, and the Mikrotik will work.
> 
> The problem isn't firewalling, it's NAT.  NAT is evil.
> 
> Perhaps having enough IP Addresses would be a better solution?
> https://www.youtube.com/watch?v=v26BAlfWBm8
> 
> On Thu, May 5, 2016 at 3:09 PM, Matt Freitag <mlfre...@mtu.edu> wrote:
> 
>> I'm a huge fan of Juniper's SRX line. I use all the features you point out
>> at home on my SRX210, although that product is end-of-life. A refurbished
>> SRX220 lists on Amazon for about $375, and a new one for $700. Naturally
>> support is extra, but I'm not sure how much.
>> 
>> I haven't used it myself but I have seen the packet capture in action.
>> It'll save any traffic you want right out to a pcap file too. I also like
>> "show security flow session" - shows you the source, destination, ports,
>> how long a session has been going, and number of packets and number of
>> bytes transferred.
>> 
>> Matt Freitag
>> Network Engineer I
>> Information Technology
>> Michigan Technological University
>> (906) 487-3696
>> http://www.mtu.edu/
>> http://www.it.mtu.edu/
>> 
>> 
>> -Original Message-
>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Nick Ellermann
>> Sent: Thursday, May 5, 2016 2:51 PM
>> To: Mel Beckman <m...@beckman.org>
>> Cc: nanog@nanog.org
>> Subject: RE: sub $500-750 CPE firewall for voip-centric application
>> 
>> You're exactly right, Mel. Dell has really turned the Sonicwall platform
>> around in the past few years. We dropped it a year or two before Dell took
>> them over. Back then Sonicwall was full of issues and lacked important
>> features that our enterprise customers required. If you have budget, Palo
>> Alto is something to look at as well, but don't overlook Sonicwall and
>> FortiGate.
>> 
>> 
>> Sincerely,
>> Nick Ellermann - CTO & VP Cloud Services BroadAspect
>> 
>> E: nellerm...@broadaspect.com
>> P: 703-297-4639
>> F: 703-996-4443
>> 
>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
>> MATERIAL and is thus for use only by the intended recipient. If you
>> received this in error, please contact the sender and delete the e-mail
>> and its attachments from all computers.
>> 
>> 
>> -Original Message-
>> From: Mel Beckman [mailto:m...@beckman.org]
>> Sent: Thursday, May 05, 2016 2:49 PM
>> To: Nick Ellermann <nellerm...@broadaspect.com>
>> Cc: Ken Chase <m...@sizone.org>; nanog@nanog.org
>> Subject: Re: sub $500-750 CPE firewall for voip-centric application
>> 
>> I install and support Cisco ASA, Dell SonicWall, Fortigate, and PaloAlto
>> firewalls.  The best SMB devices are definitely SonicWall and Fortigate.
>> SonicWalls are easier to configure, but have fewer features. Fortigate has
>> many knobs and dials and a very powerful virtual router facility that can
>> do amazing things. The two vendors have equivalent support in my opinion,
>> although Fortigate tends to be more personal (Dell is big and you get
>> random techs).
>> 
>> Cisco ASA is overpriced and under-featured. Cisco-only shops like them,
>> but mostly I think because they're Cisco-only. PaloAlto is expensive for
>> what you get. Functionally they are on the same level as Fortigate, with a
>> slightly more elegant GUI. But Fortigate can be configured via a USB
>> cable, which is a huge advantage in the field. Legacy RS-232 serial ports
>> are error-prone and slow.
>> 
>> -mel
>> 
>>> On May 5, 2016, at 11:39 AM, Nick Ellermann <nellerm...@broadaspect.com>
>> wrote:
>>> 
>>> We have a lot of luck for smaller VOIP customers having all of their
>> services run through a FortiGate 60D, or higher models. 60D is our go to
>> solution for small enterprise. However, if we are the network carrier for
>> a particular customer and they have a voip deployment of more than about
>> 15 phones, then we deploy a dedicated voice edge gateway, which is more
>> about voice support and handset management than anything.  You do need to
>> disable a couple of things on the FortiGate such as SIP Session Helper and
>> ALG.  We never have voice termination

Re: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread Jared Mauch

> On May 5, 2016, at 4:52 PM, Javier J  wrote:
> 
> I'm a fan of the EdgeRouterLite3
> 
> 
> I don't manage many small business networks anymore because we now do
> only 100% cloud and remote work, but I started deploying them to all my old
> clients I still have on retainer.
>
> It is a wonderful, solid set-it-and-forget-it device and you can manage it
> with ssh (it is basically running a fork of Vyatta under the hood on Cavium
> hardware, which is nice because it does lots of hardware offload like any
> other enterprise device.)

I’ll +1 the Edgerouter series.  They are cheap and hit the right price 
performance ratio for most homes.

You can do site-to-site IPSEC VPN stuff and easily SSH + tcpdump if necessary.

If you are looking for more complex blocking rules and services, you need to be
looking at something like the Deteque DNS service or the Cisco/OpenDNS services
instead to nuke outbound malware connections and such.

- Jared



Re: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread g...@1337.io
If you are considering pfSense, I would urge you to look at OPNsense 
instead. The pfSense code is horrible!


On 5/5/16 11:11 AM, amuse wrote:

> What PFSense currently lacks in brand name recognition, they can make up
> for by the fact that they offer paid support at very affordable levels.
>
> I'd go with https://store.pfsense.org/SG-2440/ ($499 each) and a quote for
> professional services (
> https://store.pfsense.org/Professional-Services.aspx ) to back that up.
>
> On Thu, May 5, 2016 at 10:53 AM, Ken Chase  wrote:
>
>> Looking around at different SMB firewalls to standardize on so we can start
>> training up our level 2/3 techs instead of dealing with a mess of different
>> vendors at cust premises.
>>
>> I've run into a few firewalls that were not sip or 323 friendly however,
>> wondering what your experiences are. Need something cheap enough (certainly
>> <$1k, <$500-750 better) that we are comfortable telling endpoints to toss
>> current gear/buy additional gear.
>>
>> Basic firewalling of course is covered, but also need port range forwarding
>> (not available until later ASA versions for eg was an issue), QoS (port/flow
>> based as well as possibly actually talking some real QoS protocols) and VPN
>> capabilities (not sure if many do without #seats licensing schemes which get
>> irritating to clients).
>>
>> We'd like a bit of diagnostic capability (say tcpdump or the like, via shell
>> preferred) - I realize a PFsense unit would be great, but might not have
>> enough brand name recognition to make the master client happy plopping down as
>> a CPE at end client sites. (I know, "there's only one brand, Cisco." ASA5506x
>> is a bit $$ and licensing acrobatics get irritating for end customers.)
>>
>> /kc
>> --
>> Ken Chase - Guelph Canada





Re: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread Sean Heskett
We use Calix gigacenter 844E. It will do everything you listed (and a whole
lot more) except the VPN part.

-Sean

On Thursday, May 5, 2016, Ken Chase  wrote:

> Looking around at different SMB firewalls to standardize on so we can start
> training up our level 2/3 techs instead of dealing with a mess of different
> vendors at cust premises.
>
> I've run into a few firewalls that were not sip or 323 friendly however,
> wondering what your experiences are. Need something cheap enough (certainly
> <$1k, <$500-750 better) that we are comfortable telling endpoints to toss
> current gear/buy additional gear.
>
> Basic firewalling of course is covered, but also need port range forwarding
> (not available until later ASA versions for eg was an issue), QoS (port/flow
> based as well as possibly actually talking some real QoS protocols) and VPN
> capabilities (not sure if many do without #seats licensing schemes which get
> irritating to clients).
>
> We'd like a bit of diagnostic capability (say tcpdump or the like, via shell
> preferred) - I realize a PFsense unit would be great, but might not have
> enough brand name recognition to make the master client happy plopping down as
> a CPE at end client sites. (I know, "there's only one brand, Cisco." ASA5506x
> is a bit $$ and licensing acrobatics get irritating for end customers.)
>
> /kc
> --
> Ken Chase - Guelph Canada
>


Re: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread Javier J
I'm a fan of the EdgeRouterLite3


I don't manage many small business networks anymore because we now do
only 100% cloud and remote work, but I started deploying them to all my old
clients I still have on retainer.


It is a wonderful, solid set-it-and-forget-it device and you can manage it
with ssh (it is basically running a fork of Vyatta under the hood on Cavium
hardware, which is nice because it does lots of hardware offload like any
other enterprise device.)


I won't use pfsense anymore because its project was taken over by a-holes,
but that is just my personal experience.

- Javier

On Thu, May 5, 2016 at 1:53 PM, Ken Chase  wrote:

> Looking around at different SMB firewalls to standardize on so we can start
> training up our level 2/3 techs instead of dealing with a mess of different
> vendors at cust premises.
>
> I've run into a few firewalls that were not sip or 323 friendly however,
> wondering what your experiences are. Need something cheap enough (certainly
> <$1k, <$500-750 better) that we are comfortable telling endpoints to toss
> current gear/buy additional gear.
>
> Basic firewalling of course is covered, but also need port range forwarding
> (not available until later ASA versions for eg was an issue), QoS (port/flow
> based as well as possibly actually talking some real QoS protocols) and VPN
> capabilities (not sure if many do without #seats licensing schemes which get
> irritating to clients).
>
> We'd like a bit of diagnostic capability (say tcpdump or the like, via shell
> preferred) - I realize a PFsense unit would be great, but might not have
> enough brand name recognition to make the master client happy plopping down as
> a CPE at end client sites. (I know, "there's only one brand, Cisco." ASA5506x
> is a bit $$ and licensing acrobatics get irritating for end customers.)
>
> /kc
> --
> Ken Chase - Guelph Canada
>


Re: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread Andrew Kirch
Both the Juniper SRX, and the Mikrotik will work.

The problem isn't firewalling, it's NAT.  NAT is evil.

Perhaps having enough IP Addresses would be a better solution?
https://www.youtube.com/watch?v=v26BAlfWBm8

On Thu, May 5, 2016 at 3:09 PM, Matt Freitag <mlfre...@mtu.edu> wrote:

> I'm a huge fan of Juniper's SRX line. I use all the features you point out
> at home on my SRX210, although that product is end-of-life. A refurbished
> SRX220 lists on Amazon for about $375, and a new one for $700. Naturally
> support is extra, but I'm not sure how much.
>
> I haven't used it myself but I have seen the packet capture in action.
> It'll save any traffic you want right out to a pcap file too. I also like
> "show security flow session" - shows you the source, destination, ports,
> how long a session has been going, and number of packets and number of
> bytes transferred.
>
> Matt Freitag
> Network Engineer I
> Information Technology
> Michigan Technological University
> (906) 487-3696
> http://www.mtu.edu/
> http://www.it.mtu.edu/
>
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Nick Ellermann
> Sent: Thursday, May 5, 2016 2:51 PM
> To: Mel Beckman <m...@beckman.org>
> Cc: nanog@nanog.org
> Subject: RE: sub $500-750 CPE firewall for voip-centric application
>
> You're exactly right, Mel. Dell has really turned the Sonicwall platform
> around in the past few years. We dropped it a year or two before Dell took
> them over. Back then Sonicwall was full of issues and lacked important
> features that our enterprise customers required. If you have budget, Palo
> Alto is something to look at as well, but don't overlook Sonicwall and
> FortiGate.
>
>
> Sincerely,
> Nick Ellermann - CTO & VP Cloud Services BroadAspect
>
> E: nellerm...@broadaspect.com
> P: 703-297-4639
> F: 703-996-4443
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete the e-mail
> and its attachments from all computers.
>
>
> -Original Message-
> From: Mel Beckman [mailto:m...@beckman.org]
> Sent: Thursday, May 05, 2016 2:49 PM
> To: Nick Ellermann <nellerm...@broadaspect.com>
> Cc: Ken Chase <m...@sizone.org>; nanog@nanog.org
> Subject: Re: sub $500-750 CPE firewall for voip-centric application
>
> I install and support Cisco ASA, Dell SonicWall, Fortigate, and PaloAlto
> firewalls.  The best SMB devices are definitely SonicWall and Fortigate.
> SonicWalls are easier to configure, but have fewer features. Fortigate has
> many knobs and dials and a very powerful virtual router facility that can
> do amazing things. The two vendors have equivalent support in my opinion,
> although Fortigate tends to be more personal (Dell is big and you get
> random techs).
>
> Cisco ASA is overpriced and under-featured. Cisco-only shops like them,
> but mostly I think because they're Cisco-only. PaloAlto is expensive for
> what you get. Functionally they are on the same level as Fortigate, with a
> slightly more elegant GUI. But Fortigate can be configured via a USB
> cable, which is a huge advantage in the field. Legacy RS-232 serial ports
> are error-prone and slow.
>
>  -mel
>
> > On May 5, 2016, at 11:39 AM, Nick Ellermann <nellerm...@broadaspect.com>
> wrote:
> >
> > We have a lot of luck for smaller VOIP customers having all of their
> services run through a FortiGate 60D, or higher models. 60D is our go to
> solution for small enterprise. However, if we are the network carrier for
> a particular customer and they have a voip deployment of more than about
> 15 phones, then we deploy a dedicated voice edge gateway, which is more
> about voice support and handset management than anything.  You do need to
> disable a couple of things on the FortiGate such as SIP Session Helper and
> ALG.  We never have voice termination, origination or call quality issues
> because of the firewall.
> > FortiGate has a lot of advanced features as well as fine tuning and
> adjustment capabilities for the network engineering type and is still easy
> enough for our entry level techs to support. Most of our customers have
> heavy VPN requirements and FortiGates have great IPsec performance.  We
> leverage a lot of the network security features and have built a
> successful managed firewall service with good monitoring and analytics
> using a third-party monitoring platform and Fortinet's FortiAnalyzer
> platform.
> >
> > Worth looking at, if you haven't already. If you want to private message
> me, happy to give more info.
> >
>

Re: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread Mel Beckman
I should mention that both SonicWall and Fortigate have superb packet capture 
engines. Not only can you do capture view and first-level decode right in the 
web GUI, you can save captures in PCAP format or pipe the capture stream to an 
available Ethernet port. Both have extensive filtering for both capture and 
viewing within capture, and decent-sized capture buffers.

 -mel

> On May 5, 2016, at 12:09 PM, Matt Freitag <mlfre...@mtu.edu> wrote:
> 
> I'm a huge fan of Juniper's SRX line. I use all the features you point out
> at home on my SRX210, although that product is end-of-life. A refurbished
> SRX220 lists on Amazon for about $375, and a new one for $700. Naturally
> support is extra, but I'm not sure how much.
> 
> I haven't used it myself but I have seen the packet capture in action.
> It'll save any traffic you want right out to a pcap file too. I also like
> "show security flow session" - shows you the source, destination, ports,
> how long a session has been going, and number of packets and number of
> bytes transferred.
> 
> Matt Freitag
> Network Engineer I
> Information Technology
> Michigan Technological University
> (906) 487-3696
> http://www.mtu.edu/
> http://www.it.mtu.edu/
> 
> 
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Nick Ellermann
> Sent: Thursday, May 5, 2016 2:51 PM
> To: Mel Beckman <m...@beckman.org>
> Cc: nanog@nanog.org
> Subject: RE: sub $500-750 CPE firewall for voip-centric application
> 
> You're exactly right, Mel. Dell has really turned the Sonicwall platform
> around in the past few years. We dropped it a year or two before Dell took
> them over. Back then Sonicwall was full of issues and lacked important
> features that our enterprise customers required. If you have budget, Palo
> Alto is something to look at as well, but don't overlook Sonicwall and
> FortiGate.
> 
> 
> Sincerely,
> Nick Ellermann - CTO & VP Cloud Services BroadAspect
> 
> E: nellerm...@broadaspect.com
> P: 703-297-4639
> F: 703-996-4443
> 
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete the e-mail
> and its attachments from all computers.
> 
> 
> -Original Message-
> From: Mel Beckman [mailto:m...@beckman.org]
> Sent: Thursday, May 05, 2016 2:49 PM
> To: Nick Ellermann <nellerm...@broadaspect.com>
> Cc: Ken Chase <m...@sizone.org>; nanog@nanog.org
> Subject: Re: sub $500-750 CPE firewall for voip-centric application
> 
> I install and support Cisco ASA, Dell SonicWall, Fortigate, and PaloAlto
> firewalls.  The best SMB devices are definitely SonicWall and Fortigate.
> SonicWalls are easier to configure, but have fewer features. Fortigate has
> many knobs and dials and a very powerful virtual router facility that can
> do amazing things. The two vendors have equivalent support in my opinion,
> although Fortigate tends to be more personal (Dell is big and you get
> random techs).
> 
> Cisco ASA is overpriced and under-featured. Cisco-only shops like them,
> but mostly I think because they're Cisco-only. PaloAlto is expensive for
> what you get. Functionally they are on the same level as Fortigate, with a
> slightly more elegant GUI. But Fortigate can be configured via a USB
> cable, which is a huge advantage in the field. Legacy RS-232 serial ports
> are error-prone and slow.
> 
> -mel
> 
>> On May 5, 2016, at 11:39 AM, Nick Ellermann <nellerm...@broadaspect.com>
> wrote:
>> 
>> We have a lot of luck for smaller VOIP customers having all of their
> services run through a FortiGate 60D, or higher models. 60D is our go to
> solution for small enterprise. However, if we are the network carrier for
> a particular customer and they have a voip deployment of more than about
> 15 phones, then we deploy a dedicated voice edge gateway, which is more
> about voice support and handset management than anything.  You do need to
> disable a couple of things on the FortiGate such as SIP Session Helper and
> ALG.  We never have voice termination, origination or call quality issues
> because of the firewall.
>> FortiGate has a lot of advanced features as well as fine tuning and
> adjustment capabilities for the network engineering type and is still easy
> enough for our entry level techs to support. Most of our customers have
> heavy VPN requirements and FortiGates have great IPsec performance.  We
> leverage a lot of the network security features and have built a
> successful managed firewall service with good monitoring and analytics
> using a third-party monitoring platform

RE: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread Matt Freitag
I'm a huge fan of Juniper's SRX line. I use all the features you point out
at home on my SRX210, although that product is end-of-life. A refurbished
SRX220 lists on Amazon for about $375, and a new one for $700. Naturally
support is extra, but I'm not sure how much.

I haven't used it myself but I have seen the packet capture in action.
It'll save any traffic you want right out to a pcap file too. I also like
"show security flow session" - shows you the source, destination, ports,
how long a session has been going, and number of packets and number of
bytes transferred.

Matt Freitag
Network Engineer I
Information Technology
Michigan Technological University
(906) 487-3696
http://www.mtu.edu/
http://www.it.mtu.edu/


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Nick Ellermann
Sent: Thursday, May 5, 2016 2:51 PM
To: Mel Beckman <m...@beckman.org>
Cc: nanog@nanog.org
Subject: RE: sub $500-750 CPE firewall for voip-centric application

You're exactly right, Mel. Dell has really turned the Sonicwall platform
around in the past few years. We dropped it a year or two before Dell took
them over. Back then Sonicwall was full of issues and lacked important
features that our enterprise customers required. If you have budget, Palo
Alto is something to look at as well, but don't overlook Sonicwall and
FortiGate.


Sincerely,
Nick Ellermann - CTO & VP Cloud Services BroadAspect

E: nellerm...@broadaspect.com
P: 703-297-4639
F: 703-996-4443

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.


-Original Message-
From: Mel Beckman [mailto:m...@beckman.org]
Sent: Thursday, May 05, 2016 2:49 PM
To: Nick Ellermann <nellerm...@broadaspect.com>
Cc: Ken Chase <m...@sizone.org>; nanog@nanog.org
Subject: Re: sub $500-750 CPE firewall for voip-centric application

I install and support Cisco ASA, Dell SonicWall, Fortigate, and PaloAlto
firewalls.  The best SMB devices are definitely SonicWall and Fortigate.
SonicWalls are easier to configure, but have fewer features. Fortigate has
many knobs and dials and a very powerful virtual router facility that can
do amazing things. The two vendors have equivalent support in my opinion,
although Fortigate tends to be more personal (Dell is big and you get
random techs).

Cisco ASA is overpriced and under-featured. Cisco-only shops like them,
but mostly I think because they're Cisco-only. PaloAlto is expensive for
what you get. Functionally they are on the same level as Fortigate, with a
slightly more elegant GUI. But Fortigate can be configured via a USB
cable, which is a huge advantage in the field. Legacy RS-232 serial ports
are error-prone and slow.

 -mel

> On May 5, 2016, at 11:39 AM, Nick Ellermann <nellerm...@broadaspect.com>
wrote:
>
> We have a lot of luck for smaller VOIP customers having all of their
services run through a FortiGate 60D, or higher models. 60D is our go to
solution for small enterprise. However, if we are the network carrier for
a particular customer and they have a voip deployment of more than about
15 phones, then we deploy a dedicated voice edge gateway, which is more
about voice support and handset management than anything.  You do need to
disable a couple of things on the FortiGate such as SIP Session Helper and
ALG.  We never have voice termination, origination or call quality issues
because of the firewall.
> FortiGate has a lot of advanced features as well as fine tuning and
adjustment capabilities for the network engineering type and is still easy
enough for our entry level techs to support. Most of our customers have
heavy VPN requirements and FortiGates have great IPsec performance.  We
leverage a lot of the network security features and have built a
successful managed firewall service with good monitoring and analytics
using a third-party monitoring platform and Fortinet's FortiAnalyzer
platform.
>
> Worth looking at, if you haven't already. If you want to private message
me, happy to give more info.
>
>
> Sincerely,
> Nick Ellermann - CTO & VP Cloud Services BroadAspect
>
> E: nellerm...@broadaspect.com
> P: 703-297-4639
> F: 703-996-4443
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.
>
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ken Chase
> Sent: Thursday, May 05, 2016 1:54 PM
> To: nanog@nanog.org
> Subject: sub $500-750 CPE firewall for voip-centric application
>
> Looking around at different SMB firewalls to standardize on so we can
sta

RE: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread Nick Ellermann
You're exactly right, Mel. Dell has really turned the Sonicwall platform around
in the past few years. We dropped it a year or two before Dell took them over.
Back then Sonicwall was full of issues and lacked important features that our 
enterprise customers required. If you have budget, Palo Alto is something to 
look at as well, but don't overlook Sonicwall and FortiGate.  


Sincerely,
Nick Ellermann - CTO & VP Cloud Services
BroadAspect
 
E: nellerm...@broadaspect.com 
P: 703-297-4639
F: 703-996-4443
 
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.


-Original Message-
From: Mel Beckman [mailto:m...@beckman.org] 
Sent: Thursday, May 05, 2016 2:49 PM
To: Nick Ellermann <nellerm...@broadaspect.com>
Cc: Ken Chase <m...@sizone.org>; nanog@nanog.org
Subject: Re: sub $500-750 CPE firewall for voip-centric application

I install and support Cisco ASA, Dell SonicWall, Fortigate, and PaloAlto 
firewalls.  The best SMB devices are definitely SonicWall and Fortigate. 
SonicWalls are easier to configure, but have fewer features. Fortigate has many 
knobs and dials and a very powerful virtual router facility that can do amazing 
things. The two vendors have equivalent support in my opinion, although 
Fortigate tends to be more personal (Dell is big and you get random techs). 

Cisco ASA is overpriced and under-featured. Cisco-only shops like them, but 
mostly I think because they're Cisco-only. PaloAlto is expensive for what you 
get. Functionally they are on the same level as Fortigate, with a slightly more 
elegant GUI. But Fortigate can be configured via a USB cable, which is a huge 
advantage in the field. Legacy RS-232 serial ports are error-prone and slow.

 -mel

> On May 5, 2016, at 11:39 AM, Nick Ellermann <nellerm...@broadaspect.com> 
> wrote:
> 
> We have a lot of luck for smaller VOIP customers having all of their services 
> run through a FortiGate 60D, or higher models. 60D is our go to solution for 
> small enterprise. However, if we are the network carrier for a particular 
> customer and they have a voip deployment of more than about 15 phones, then 
> we deploy a dedicated voice edge gateway, which is more about voice support 
> and handset management than anything.  You do need to disable a couple of 
> things on the FortiGate such as SIP Session Helper and ALG.  We never have 
> voice termination, origination or call quality issues because of the 
> firewall. 
> FortiGate has a lot of advanced features as well as fine tuning and 
> adjustment capabilities for the network engineering type and is still easy 
> enough for our entry level techs to support. Most of our customers have heavy 
> VPN requirements and FortiGates have great IPsec performance.  We leverage a 
> lot of the network security features and have built a successful managed 
> firewall service with good monitoring and analytics using a third-party 
> monitoring platform and Fortinet's FortiAnalyzer platform.
> 
> Worth looking at, if you haven't already. If you want to private message me, 
> happy to give more info. 
> 
> 
> Sincerely,
> Nick Ellermann - CTO & VP Cloud Services BroadAspect
>  
> E: nellerm...@broadaspect.com
> P: 703-297-4639
> F: 703-996-4443
>  
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
> MATERIAL and is thus for use only by the intended recipient. If you received 
> this in error, please contact the sender and delete the e-mail and its 
> attachments from all computers.
> 
> 
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ken Chase
> Sent: Thursday, May 05, 2016 1:54 PM
> To: nanog@nanog.org
> Subject: sub $500-750 CPE firewall for voip-centric application
> 
> Looking around at different SMB firewalls to standardize on so we can start 
> training up our level 2/3 techs instead of dealing with a mess of different 
> vendors at cust premises.
> 
> I've run into a few firewalls that were not sip or 323 friendly however, 
> wondering what your experiences are. Need something cheap enough (certainly 
> <$1k, <$500-750 better) that we are comfortable telling endpoints to toss 
> current gear/buy additional gear.
> 
> Basic firewalling of course is covered, but also need port range forwarding 
> (not available until later ASA versions for eg was an issue), QoS (port/flow 
> based as well as possibly actually talking some real QoS protocols) and VPN 
> capabilities (not sure if many do without #seats licensing schemes which get 
> irritating to clients).
> 
> We'd like a bit of diagnostic capability (say tcpdump or the like

Re: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread Mel Beckman
I install and support Cisco ASA, Dell SonicWall, Fortigate, and PaloAlto 
firewalls.  The best SMB devices are definitely SonicWall and Fortigate. 
SonicWalls are easier to configure, but have fewer features. Fortigate has many 
knobs and dials and a very powerful virtual router facility that can do amazing 
things. The two vendors have equivalent support in my opinion, although 
Fortigate tends to be more personal (Dell is big and you get random techs). 

Cisco ASA is overpriced and under-featured. Cisco-only shops like them, but 
mostly I think because they’re Cisco-only. PaloAlto is expensive for what you 
get. Functionally they are on the same level as Fortigate, with a slightly more 
elegant GUI. But Fortigate can be configured via a USB cable, which is a huge 
advantage in the field. Legacy RS-232 serial ports are error-prone and slow.

 -mel

> On May 5, 2016, at 11:39 AM, Nick Ellermann <nellerm...@broadaspect.com> 
> wrote:
> 
> We have a lot of luck for smaller VOIP customers having all of their services 
> run through a FortiGate 60D, or higher models. 60D is our go-to solution for 
> small enterprise. However, if we are the network carrier for a particular 
> customer and they have a voip deployment of more than about 15 phones, then 
> we deploy a dedicated voice edge gateway, which is more about voice support 
> and handset management than anything.  You do need to disable a couple of 
> things on the FortiGate such as SIP Session Helper and ALG.  We never have 
> voice termination, origination or call quality issues because of the 
> firewall. 
> FortiGate has a lot of advanced features as well as fine tuning and 
> adjustment capabilities for the network engineering type and is still easy 
> enough for our entry level techs to support. Most of our customers have heavy 
> VPN requirements and FortiGates have great IPsec performance.  We leverage a 
> lot of the network security features and have built a successful managed 
> firewall service with good monitoring and analytics using a third-party 
> monitoring platform and Fortinet's FortiAnalyzer platform. 
> 
> Worth looking at, if you haven't already. If you want to private message me, 
> happy to give more info. 
> 
> 
> Sincerely,
> Nick Ellermann - CTO & VP Cloud Services
> BroadAspect
>  
> E: nellerm...@broadaspect.com 
> P: 703-297-4639
> F: 703-996-4443
>  
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
> MATERIAL and is thus for use only by the intended recipient. If you received 
> this in error, please contact the sender and delete the e-mail and its 
> attachments from all computers.
> 
> 
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ken Chase
> Sent: Thursday, May 05, 2016 1:54 PM
> To: nanog@nanog.org
> Subject: sub $500-750 CPE firewall for voip-centric application
> 
> Looking around at different SMB firewalls to standardize on so we can start 
> training up our level 2/3 techs instead of dealing with a mess of different 
> vendors at cust premises.
> 
> I've run into a few firewalls that were not sip or 323 friendly however, 
> wondering what your experiences are. Need something cheap enough (certainly 
> <$1k, <$500-750 better) that we are comfortable telling endpoints to toss 
> current gear/buy additional gear.
> 
> Basic firewalling of course is covered, but also need port range forwarding 
> (not available until later ASA versions for eg was an issue), QoS (port/flow 
> based as well as possibly actually talking some real QoS protocols) and VPN 
> capabilities (not sure if many do without #seats licensing schemes which get 
> irritating to clients).
> 
> We'd like a bit of diagnostic capability (say tcpdump or the like, via shell
> preferred) - I realize a PFsense unit would be great, but might not have 
> enough brand name recognition to make the master client happy plopping down 
> as a CPE at end client sites. (I know, "there's only one brand, Cisco." 
> ASA5506x is a bit $$ and licensing acrobatics get irritating for end 
> customers.)
> 
> /kc
> --
> Ken Chase - Guelph Canada



RE: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread Nick Ellermann
We have a lot of luck for smaller VOIP customers having all of their services 
run through a FortiGate 60D, or higher models. 60D is our go-to solution for 
small enterprise. However, if we are the network carrier for a particular 
customer and they have a voip deployment of more than about 15 phones, then we 
deploy a dedicated voice edge gateway, which is more about voice support and 
handset management than anything.  You do need to disable a couple of things on 
the FortiGate such as SIP Session Helper and ALG.  We never have voice 
termination, origination or call quality issues because of the firewall. 
FortiGate has a lot of advanced features as well as fine tuning and adjustment 
capabilities for the network engineering type and is still easy enough for our 
entry level techs to support. Most of our customers have heavy VPN requirements 
and FortiGates have great IPsec performance.  We leverage a lot of the network 
security features and have built a successful managed firewall service with 
good monitoring and analytics using a third-party monitoring platform and 
Fortinet's FortiAnalyzer platform. 

Worth looking at, if you haven't already. If you want to private message me, 
happy to give more info. 


Sincerely,
Nick Ellermann - CTO & VP Cloud Services
BroadAspect
 
E: nellerm...@broadaspect.com 
P: 703-297-4639
F: 703-996-4443
 
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ken Chase
Sent: Thursday, May 05, 2016 1:54 PM
To: nanog@nanog.org
Subject: sub $500-750 CPE firewall for voip-centric application

Looking around at different SMB firewalls to standardize on so we can start 
training up our level 2/3 techs instead of dealing with a mess of different 
vendors at cust premises.

I've run into a few firewalls that were not sip or 323 friendly however, 
wondering what your experiences are. Need something cheap enough (certainly 
<$1k, <$500-750 better) that we are comfortable telling endpoints to toss 
current gear/buy additional gear.

Basic firewalling of course is covered, but also need port range forwarding 
(not available until later ASA versions for eg was an issue), QoS (port/flow 
based as well as possibly actually talking some real QoS protocols) and VPN 
capabilities (not sure if many do without #seats licensing schemes which get 
irritating to clients).

We'd like a bit of diagnostic capability (say tcpdump or the like, via shell
preferred) - I realize a PFsense unit would be great, but might not have enough 
brand name recognition to make the master client happy plopping down as a CPE 
at end client sites. (I know, "there's only one brand, Cisco." ASA5506x is a 
bit $$ and licensing acrobatics get irritating for end customers.)

/kc
--
Ken Chase - Guelph Canada


RE: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread Ray Orsini
We deploy SonicWALL TZ300 or SOHO using Dell's Security as a Service. That
way our monthly cost per customer is under $50 and includes all security
services plus GMS centralized management. Works great with our VOIP service.

Regards,
Ray Orsini – CEO
Orsini IT, LLC – Technology Consultants
VOICE DATA  BANDWIDTH  SECURITY  SUPPORT
P: 305.967.6756 x1009   E: r...@orsiniit.com   TF: 844.OIT.VOIP
7900 NW 155th Street, Suite 103, Miami Lakes, FL 33016
http://www.orsiniit.com | View My Calendar | View/Pay Your Invoices | View Your Tickets



-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ken Chase
Sent: Thursday, May 5, 2016 1:54 PM
To: nanog@nanog.org
Subject: sub $500-750 CPE firewall for voip-centric application

Looking around at different SMB firewalls to standardize on so we can start
training up our level 2/3 techs instead of dealing with a mess of different
vendors at cust premises.

I've run into a few firewalls that were not sip or 323 friendly however,
wondering what your experiences are. Need something cheap enough (certainly
<$1k, <$500-750 better) that we are comfortable telling endpoints to toss
current gear/buy additional gear.

Basic firewalling of course is covered, but also need port range forwarding
(not available until later ASA versions for eg was an issue), QoS (port/flow
based as well as possibly actually talking some real QoS protocols) and VPN
capabilities (not sure if many do without #seats licensing schemes which get
irritating to clients).

We'd like a bit of diagnostic capability (say tcpdump or the like, via shell
preferred) - I realize a PFsense unit would be great, but might not have
enough brand name recognition to make the master client happy plopping down
as a CPE at end client sites. (I know, "there's only one brand, Cisco."
ASA5506x is a bit $$ and licensing acrobatics get irritating for end
customers.)

/kc
--
Ken Chase - Guelph Canada


Re: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread amuse
What pfSense currently lacks in brand name recognition, they can make up for
by the fact that they offer paid support at very affordable levels.

I'd go with https://store.pfsense.org/SG-2440/ ($499 each) and a quote for
professional services (https://store.pfsense.org/Professional-Services.aspx)
to back that up.

On Thu, May 5, 2016 at 10:53 AM, Ken Chase  wrote:

> Looking around at different SMB firewalls to standardize on so we can start
> training up our level 2/3 techs instead of dealing with a mess of different
> vendors at cust premises.
>
> I've run into a few firewalls that were not sip or 323 friendly however,
> wondering what your experiences are. Need something cheap enough (certainly
> <$1k, <$500-750 better) that we are comfortable telling endpoints to toss
> current gear/buy additional gear.
>
> Basic firewalling of course is covered, but also need port range forwarding
> (not available until later ASA versions for eg was an issue), QoS (port/flow
> based as well as possibly actually talking some real QoS protocols) and VPN
> capabilities (not sure if many do without #seats licensing schemes which get
> irritating to clients).
>
> We'd like a bit of diagnostic capability (say tcpdump or the like, via shell
> preferred) - I realize a PFsense unit would be great, but might not have
> enough brand name recognition to make the master client happy plopping down
> as a CPE at end client sites. (I know, "there's only one brand, Cisco."
> ASA5506x is a bit $$ and licensing acrobatics get irritating for end
> customers.)
>
> /kc
> --
> Ken Chase - Guelph Canada
>


sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread Ken Chase
Looking around at different SMB firewalls to standardize on so we can start
training up our level 2/3 techs instead of dealing with a mess of different
vendors at cust premises.

I've run into a few firewalls that were not sip or 323 friendly however,
wondering what your experiences are. Need something cheap enough (certainly
<$1k, <$500-750 better) that we are comfortable telling endpoints to toss
current gear/buy additional gear.

Basic firewalling of course is covered, but also need port range forwarding
(not available until later ASA versions for eg was an issue), QoS (port/flow
based as well as possibly actually talking some real QoS protocols) and VPN
capabilities (not sure if many do without #seats licensing schemes which get
irritating to clients).

We'd like a bit of diagnostic capability (say tcpdump or the like, via shell
preferred) - I realize a PFsense unit would be great, but might not have
enough brand name recognition to make the master client happy plopping down as
a CPE at end client sites. (I know, "there's only one brand, Cisco." ASA5506x
is a bit $$ and licensing acrobatics get irritating for end customers.)

/kc
-- 
Ken Chase - Guelph Canada