Netgate 1100 compared to Zyxel USG 100 Flex
-
Hi all
In your opinion and insight, do you think an Zyxel USG Flex 100 is more secure than
Netgate 1100 or maybe 2100?https://www.itpro.com/security/unified-threat-management-utm/359220/zyxel-usg-flex-100-flexible-gateway-security
Am thinking about among other functions like SSL Inspection, could Zyxel be better on that than Netgate? Can get Zyxel for 340-360 US dollars with 1 year UTM license.
And also Fortigate 40C without license for but it does have SSL Inspection function without license.
Which Firewall would you choose?
-
@netgate1100guy
Yes...Maybe No...The answer for sure is possibly. -
Yeah, depends on what functions you need, I need to inspect encrypted traffic and stop invisible threats among other things.
-
@netgate1100guy said in Netgate 1100 compared to Zyxel USG 100 Flex:
inspect encrypted traffic and stop invisible threats among other things.
inspecting encrypted traffic is illegal in a lot of countries
what are invisible threats? -
@heper That also depend on if its a company or just a private user.
There is a hacker who uses VPN to hack me, encrypted traffic. -
@netgate1100guy said in Netgate 1100 compared to Zyxel USG 100 Flex:
There is a hacker who uses VPN to hack me, encrypted traffic.
what does that even mean ? how would you be able to mitm them if you don't know them?
-
@heper VPN or virtual private tunnel, can seem like youre in other countries. I know who it is, Squid Guard alone does help, MITM seems to complicate things..
-
@netgate1100guy said in Netgate 1100 compared to Zyxel USG 100 Flex:
squid Guard alone does help, MITM seems to complicate things..
how would squidguard help with any remote "hacking" and vpn's ?
are you sure you understand what is happening?
-
If you really want to do MITM [SSL decryption] then PF isn't the platform to do it in. Squid is just not a very good or supported feature.
I can't speak to Zyxel
Fortigate has numerous CVEs and a poor track record of discolsing vulnerabilities. Its a shady company in my opinion.
Before going the SSL Decrypt route you need to think long and hard about what is trying to be achieved. Much rather focus on endpoint protection than having the firewall take on the task but thats just me. -
@heper SquidGuard and/or Suricata or Snort blocks numerous IP-addresses all the time.
Am not so advanced user on this, but there is hacking going on for sure.Well, SquidGuard doesnt decrypt and Squid may not be great for SSL Inspection compared to Zyxel.
Want to become expert on this (am quite newbie).
-
@michmoor I see you use many advanced devices. Have understood that Palo Alto is good at decryption but are also expensive. Zyxel should be much better than PF, Zyxel model is from 2020.
-
@netgate1100guy
i just read parts of your other posts about the same thing....
you don't appear to take advise very well, but i'll give it another go.
-
squidguard does nothing against some external hacker
-
ssl inspection in general does not work when dealing with devices that you do not own/control
-
snort / surricata does not do what you think they do.
-
there are no firewalls/utm from any brand that can unencrypt data or somehow protect you from devil vpns
-
-
@heper Hi, okay.
Thanks very much another try.
Well, SquidGuard does block IP-addresses (but it does often block my own as well),
which is a config issue I guess.So SSL Inspection or even Netgate 1100-2100 cannot protect against a malicious VPN hacker?
What can protect me then? Live a life without internet maybe?Probably not, you have been here since 2010 so you should understand it far better
than me.Well with SSL Inspection, traffic is decrypted, inspected and blocks any detected threats
and traffic package is re-encrypted again before it reaches the computer. Am I correct here? -
Am I correct here?
no
Well, SquidGuard does block IP-addresses (but it does often block my own as well), which is a config issue I guess.
squidguard only blocks traffic from your computer towards the internet. it has nothing todo with traffic from the internet to your computer.
What can protect me then? Live a life without internet maybe?
life without internet would be great. one could only hope.
hunting for dodo's while running away from a t rex would be amazingWell with SSL Inspection, traffic is decrypted, inspected and blocks any detected threats
and traffic package is re-encrypted again before it reaches the computer.as i've said before SSL mitm inspection will only work with computers that you own or control.
you can not do SSL mitm inspection on devices that are outside your network -
@heper Hi and thanks.
This helped much. What can effectively block malicious traffic from the internet to
my computer? DNS Filter? Any other PF package as well.In general, what PF packages can protect against hacking?
-
@michmoor Hi
What PF packages can protect against hackers? DNS Filter?
Does SquidGuard or Squid do anything against hacking? (according to heper it doesnt)Will using 1.1.1.1 from cloudflare give protection?
Any kind of software, equipment or technology you know.
-
@netgate1100guy said in Netgate 1100 compared to Zyxel USG 100 Flex:
What PF packages can protect against hackers?
Security is overall complicated and the solutions are varied. The most important thing is what you do. For home use, keep inbound ports closed on the WAN side. Keep user machines updated with the latest A/V.
If possible, put up some VLANs between your IoT devices and your desktops/laptops.
Basic security hygiene will prevent the majority of issues.As pointed out MITM is complicated enough for businesses so why do it in a home environment where there is little to no benefit?
-
@michmoor Cloudflare DNS has inherent firewall service so it seems good to use
(DDoS protection) and now I use link local IP address for IPv6 and that might help since its local.Because there are other ways to block hackers than just MITM or SSL Inspection.