Work Network - Two WAN firewall boxes in series

Rock&Roll

So, we're working with a consultancy which is proposing we install a SonicWall primary firewall ($700) and an Untangle firewall ($700) which will both be daisy chained on our incoming internet connection.

So I'm told, they "offer double layered protection." To me it just looks like they wanted to have the SonicWall act as the active firewall while having the Untangle box act as a services box for Captive Portal, proxy, etc...

In my mind, setting up an old PC of ours with some server grade gigabit NICs and pfSense would cover all of our needs for a much lower cost. I'm not an instant believer in "double layered protection."

Is there any reality in what they're saying about "double layered protection?" Or are they just avoiding charging us for SonicWall's advanced features?
 

Depends on your needs. Untangle is better at content filtering than Sonic/pfSense, so if that's what you are looking for then it would make sense.

We ran Untangle here for a year, but the one time I had a problem configuring an IPSec tunnel, I was sent to their documentation on it with some sample configurations (which didn't work for me), and was told if they didn't work then there was nothing they could do. Definitely not worth the 1k a year for the licenses, so we moved back to pfSense. We have other options for content filtering that work anyway.
 
Depending on the business and what regulations they fall under they may not have a choice.

I have Sonicwall at work and Untangle at home.

Yes, pfSense can do all of that, so can Untangle on its own.

You never know, they might just have data that's worth protecting for $1400 a year.
 
Really depends on exactly what they're doing with each box, but it's not immediately the stupidest thing I've ever heard of.

I've seen a few places that do a redundant (CARP or similar) "master gateway" that does major threat mitigation, traffic shaping, QoS, etc - then the "access" router(s) do content access control, VPN, proxy, etc.
But if they're stacking them to duplicate the "same" tasks, that would strike me as a bit off.
 
Untangle has major UTM features.

It looks like they are splitting the firewall from the UTM.

Sonicwall is a good L2 firewall device. Evidently it can perform L3 routing as well, but you'll take a hit to the performance if you do.
 
AFAIK, services on the two boxes do not duplicate. Each has a limited role. Untangle is for content filtering. SW as main firewall. And we don't have a backup ISP if our main one goes down, so failover isn't a concern. (We don't host anything internally anyhow)
 