Which router for a small business?

Well now see…there’s the rub…

Are we shooting for a specific set of standards? HIPAA? PCI? General intrusion/war driving security? All of the above?

First off I didn’t suggest them, I answered the question the OP asked. My actual recommendation, if you read the entire post, was that the needs of the company might be better served by consulting with a professional. You however seem to be on a crusade against every firewall vendor on the planet for some reason. Those platforms have other functionality beyond just a firewall, so pfsense is not the end-all solution for everyone.

Thank you, I think the same.

There are 2 different cases:

  1. Hotels. They have staff on duty 24/24, and enough people have been trained to swap the needed cables. There is even a sheet with pictures showing it. And cables are labelled. Internally needed resources are local (servers); resources for outside use (website, online booking,…) are externally hosted.

  2. Businesses. They are pretty standard businesses, Mon-Fri, 9am till 5pm for example. During business hours, they also can swap a few cables on their own, and outside business hours, they just don’t need to be online. Website etc. are externally hosted.

For companies that have absolutely critical needs and could never afford even a few minutes down in the (extremely) infrequent event of a router / firewall failure, of course you need a different approach, but I don’t have any such among my customers.

Don’t forget that this is only a part of your network as well; a PoE switch will be even more prone to failure than a router / firewall. A rodent might eat a cable or fibre. Your ISP-provided modem (sometimes you just can’t change it or remove it) is by far the weakest point. That’s why we use 3 or at least 2 different ISPs, with different technologies / infrastructure if possible.

Another point is cost. Let’s assume that you present 2 offers to your customer.

  • First with Unifi, with the support being you and not Unifi (everybody knows why), including some spares (router, some switches, some APs,…) and factoring that your own company does stock ‘extras’ to face problems.

  • Second with Cisco, with their support… and their fees…

And you present at the same time an Excel sheet with estimated TCO over five years. In my range of customers they don’t even hesitate, due to the enormous price difference.

Nope. You suggest two of the absolute worst options. Then suggested he seek professionals…which I’m sure you have some in mind that sweat meraki.

I’d say a hotel requires less security potentially. So Ubiquiti is ok.
If they do hold data which, if ransomware’d, would tank their business, then Ubiquiti won’t suffice.
HA depends. I mean it sucks not having internet in a hotel, but it’s easy to fix by replacing the faulty router within x hours. Could just keep a spare with the config loaded vs paying for an HA setup. Unless again, a 1 hour/day outage costs more than HA for a year.

Again I didn’t suggest them. I said the solutions he mentioned might be better than unifi. I couldn’t suggest professionals to him if I wanted to because I live on the other side of an ocean. I have absolutely zero stake in this, I’m simply trying to be helpful and informative.

For the record, I run Fortigate equipment and think it works well for my purposes. I have used meraki in the past, but only because they sent me free equipment to try. I got rid of it after the free licensing ran out because it wasn’t worth the cost.

This hotel in particular got a total of 8 minutes offline in 7 years…
Regarding ransomware, all critical data are hosted outside (with a local copy) and it’s the hosting company which is responsible by contract…

I’m sorry you run junk?

It’s never a good idea to suggest bad hardware/software.

Yup, Ubiquiti or even TP-Link Omada would be perfect here. Do note website security still needs investment. Web providers in NZ don’t often do much there. They host and update if paid for maintenance. A WAF is often not in place, I noticed.

If you can point me to something that proves the best selling firewall company produces junk I’m willing to look at the research. Best selling didn’t necessarily make them good, but being recommended by security professionals does. I have no idea what your credentials are. Maybe you’re the premier cyber security researcher on the planet, but you’ve provided nothing to back up your claims so I’ll continue to listen to people who I know know what they are talking about.

You can use AWS for example, doesn’t need to be local data center

Meraki/fortinet are great at sales, but two seconds using them compared to even open source options it’s clear they are weak at best and exceedingly limited and poorly designed at worst.

Cisco has 1000s of instances of failures, fortinet as well but worse.

I’m sorry you don’t like this reality but the old guard needs to die not be propped up.

Still waiting on the proof and/or credentials.

And for the record pfsense has its own share of failures. Pfsense: Security vulnerabilities, CVEs

Whatwhenwherehi - what do you recommend personally then?

Are you an actual network engineer? Have any experience on something bigger than a coffee shop?

Yes open source isn’t perfect, but it never fails to be corrected and generally faster than the paid boys.

It’s not my job to prove what takes 2 seconds to Google, I can send you a Google link if it’s too complicated for you…

Credentials you ask for… let’s just say I’ve done your job, it’s boring and you show how green you are when you jump to fartsandcraps.

Depends.

Personal use I like the following, in no order.

  • Unifi (if rich)

  • OPNsense (I prefer pfsense though)

  • Untangle

  • ClearOS

  • Roll your own

For business -

  • Unifi - up to a point.

  • Aruba

  • Pfsense (appliance with warranty and hot spare)

The rest can eat ducks honestly. When you look at function, ease of use, cost and long term stability I’ve yet to find better than the above.

While I like unifi, I only like it if it’s all that’s in use, no pinch hitting. Same with Aruba or any other garden provider. Unifi has its issues, but compared they are at best minor gripes vs real hurdles.

And before you say butmuh VoIP, that’s you, not VoIP; you don’t know how phones work if you blame a switch or network appliance for your bad SIP implementation.

Are there better? Maybe, but as clean and functional? I’m still holding my breath. Again I’d love to say meraki or even fortunate are great, but they aren’t and I love how butthurt upsell sudo IT people get when I call it out.

Muh meraki has layer 7… so has every appliance for nearly a decade.

Muh meraki can do 600mbps with all systems turned on…cool? Unifi does 3.5Gbps…with more turned on and features meraki can’t even offer…

I’m sorry I just can’t be convinced to like either…mikrotik is ok I guess.

But if I wanted to work in 2003 ui and function I’d just use pfsense and sleep at night.

Let’s see, hotels, education, medium and some large business environments, nationwide intranets, national VoIP services with call centers as a focus…resorts, other minor one offs, large scale wifi deployments including site to site air fiber communication…

You name it, outside ISP related equipment, I’ve probably done it before you figured out what a terminal was.

Then it’s pretty odd you’re claiming that cisco, fortigate,… are soooo much worse than open source equipment.