think I could use my xenon e5-2683 v3? Planning on moving to TR4 anyways.
easily - it is overkill though
think I could use my xenon e5-2683 v3? Planning on moving to TR4 anyways.
Should be able to get in well below that. Also, there is no reason to do IPS on 100% of your traffic. Any IPS product of merit will have update costs. This is simply the way of things as these are in constant flux. I would also add that if you expect to receive any benefit of this kind of service you do need to be doing mitm on your TLS. If you are not going to do that, don't waste your money on IPS.

And a five-grand investment up front, plus whatever licensing is necessary for updates? If I'm reading it right, I wouldn't hesitate to use them for enterprise, but their buy-in for 2Gbps+ IPS etc. is hefty.
Any IPS product of merit will have update costs. This is simply the way of things as these are in constant flux.
I would also add that if you expect to receive any benefit of this of service you do need to be doing mitm on your TLS. If you are not going to do that don't waste your money on IPS.
Honestly, staying on top of the mitm stuff is just a fair amount of work .... new, seasoned professional or grizzled old curmudgeon. Does it need to be done? I think so but, others may argue. Make no mistake it is a giant PITA. FWIW at home I run a fortigate 201E with a fortiswitch 448D and a pair of AP I bought off craigslist to load balance a 1Gbps fiber connection and 400Mbps docsis connection with pretty much every feature checked. The fw doesn't break a sweat ever. I double the throughput and it still would not be an issue. One thing to note is that I treat internal wireless traffic as hostile. It too is thoroughly inspected before entering my internal trusted network. I would suggest everyone do this and take that load under consideration when sizing a FW. The switch and AP I picked up for less than $500. They have no support and never will. The gate was bought used off of ebay while still under support. I also bought an extended support license off ebay at a major discount to maintain support. I just looked and I see several decent deals on similar hardware now. If you went that route you would want to make absolutely certain the seller agrees to transfer the devices to you via forticare. Full disclosure ... Please note that none of the ebay deals are mine or anyone that I know. That said, I will eventually get around to posting a fortigate 60E + switch, not big enough for you OP, on ebay. I also do not work for fortinet. I do work with their gear, and most every other major enterprise level firewall provider, at work.

Yep, update costs for the signatures etc. ET Pro and Oink pro are still costs.
I agree with the TLS comment, but again it’s a fair amount of work for someone new to it.
One thing to note is that I treat internal wireless traffic as hostile. It too is thoroughly inspected before entering my internal trusted network. I would suggest everyone do this and take that load under consideration when sizing a FW.
Everyone is entitled to their own opinion and you certainly won't cop flak from me.

I felt the need to expand on this. Over the years I've taken a fair amount of heat on this forum for my generally disparaging remarks on consumer router/firewalls.
I'm a little overloaded reading all these posts. I never knew about a lot of this stuff and TLS/MITM are new acronyms to me. I did however go ahead and order the netgate XG-7100 1U since it's in my price range and seems to be good enough for me. It also has 10Gb SFP+ ports so I can get a 10Gb switch. I got it with the 256GB SSD and 24GB RAM as Keljain suggested.
One thing to note is that I treat internal wireless traffic as hostile. It too is thoroughly inspected before entering my internal trusted network. I would suggest everyone do this
I'm not even sure if TLS/MITM can be done transparently to the point that it doesn't wind up breaking other stuff.
Honestly this is a basic assumption of network security. WPA2 isn't secure, therefore, traffic traversing wireless networks requires more security.
Beyond phones that are dual-homed by nature (if not run that way purposefully), the potential vectors that IoT devices expose pretty much necessitate more lower-level segregation and inspection. An untapped market for home users, in my opinion.
all that is needed is an intuitive GUI.

I think TLS/MITM can be done transparently to the user, but I am open to being corrected on that
Untapped market for sure, but how to get it to be easy enough for home users is a challenge in and of itself.
It can certainly be done transparently assuming the correct certs are installed on the machine. One of the bigger issues that come up are applications by certain vendors that don't want anyone to know what they are doing, f**king microsoft chief among them, that use embedded certs and break when the server cert is replaced by the proxied connection. This means exceptions have to be created and maintained. Frankly, CIOs and CSOs need to put a stop to this kind of crap with a very simple mantra to the effect of all traffic on our networks will be inspected or it will be off our network.

I think TLS/MITM can be done transparently to the user, but I am open to being corrected on that
Untapped market for sure, but how to get it to be easy enough for home users is a challenge in and of itself.
piHole is a 'hole' unto itself, worth taking a bit of time to get familiar with, as you've already seen.