Looking for ideas for revamping my network security setup. What does your firewall/IDS look like and how much does it cost?
tl;dr: Basically I want the features of Sophos UTM for >50 IP addresses without spending several thousand dollars per year. What have you
Bit of a background first. I have a fairly decent lab setup. From-scratch NAS in a 4U Supermicro case. An R900 and a 2U Supermicro both running Proxmox for virtualization. Nortel 5520 switch. And a C1900 board running SOPHOS XG for my routing and security. I have about a dozen or so VMs running at any given time. Sometimes much more depending on what I'm doing.
Here's what I've tried so far for security:
pfSense is alright but once I started attempting to add things like IDS with Snort/Suricata or inband virus scanning it quickly started to break. I realized it would take a lot of handholding to keep pfSense up and running the way I wanted it. I'm looking for something a little bit more graceful. I'd also much prefer a Linux base over BSD. Nothing against BSD, GNU/Linux is just what I know and sometimes I need to get my hands dirty.
I loved Sophos UTM when I was running it, but quickly went up against the 50 IP limit with VMs, servers, mobile devices, media devices, etc. There's just no way to keep my network that small with what I do. I would like to just get a Sophos UTM license, but I can't seem to find any solid options for home or even small business use. I really like the web application firewall in UTM because I host some custom-built web apps that I use as well as Owncloud and some other handy web apps on my local network.
Sophos XG is what I'm currently running and I hate hate fucking hate it. There are so many features and good design practices missing from it vs UTM. The log viewing is shit, the UI is annoying and unintuitive, and the way firewall rules are managed is a huge step backwards from UTM.
The list of features I'm after:
- Inband virus scanning
- OpenVPN with compression support
- Deep packet inspection with SSL support
- Some form of IPS/IDS
- Web cache
I have some ideas for getting around my limitations but they all have drawbacks and there are so many options I don't have the time to test them all out one by one and they all have potential downsides.
I could put Sophos UTM in front of a NAT so there's only 1 IP. That really kills a lot of the fine-grained control it provides on a per-host basis though so that's a huge step backwards. I could use multiple UTM installs behind multiple NATs but that would be a nightmare to manage.
I've considered going with Ubiquiti hardware but I'm having trouble selling myself on their features. I have a Ubiquiti AP that's nice but but the firewall in the routers may not be enough for me. From my reading it appears that when you try to do anything slightly advanced (for this subreddit's skillset anyway) you lose the MIPS hardware acceleration, tanking the performance. The Controller server also seems buggy as hell and unreliable so far. They also don't offer any in-band antivirus. I could run an EdgeRouter behind a separate security appliance running something with a virus scanner like Sophos and other services to fill the gaps in the EdgeOS software, but if possible I'd like to keep it a bit more contained than that.
This page lists Sophos UTM licences but I'm not sure what their defition of a "user" is. Is that IPs like the Sophos UTM Home uses for limitation? That wouldn't make sense as many machines in an environment wouldn't be "users" but servers. Are those just users covered by the endpoint protection? If so, I don't need any endpoint protection and I could make peace with $215/yr for a full UTM license. Can anyone shed some light on this?
Then there's Untangle. $5/mo for the full package for home use but given their ridiculous restrictions for the "commercial" version ($600/yr for just 25 IPs) I feel like there has to be some sort of catch here. I'm currently testing out Untangle in a VM but it feels very much like second best behind Sophos UTM. Right now the setup wizard is just hanging at saving network settings.