Is Pfsense a unified threat management (UTM) software?
-
I'm very new to pfSense and I'm evaluating whether to buy the Netgate SG2100.
I have used a SonicWall TZ400 before; it has unified threat management (UTM) features and can repel attacks from the internet. However, it is too expensive to maintain, as UTM is not cheap.
Therefore I wonder whether pfSense provides UTM or not,
such as web filtering, anti-phishing and anti-virus/malware features?
Any comments are appreciated, thank you.
-
pfSense is a router and firewall. It can include UTM features via packages such as Snort/Suricata for IDP/IPS and Squid as a web proxy. Squid includes ClamAV, but it can only scan what Squid caches, so unless you are running full SSL intercept that isn't much.
Steve
-
@timlak said in Is Pfsense a unified threat management (UTM) software?:
such as web filtering, anti phishing and Anti virus /malware features?
To add on to what @stephenw10 has already said: there are also other ways to filter your examples there. DNS via pfBlocker can be used to filter FQDNs to block websites that could be phishing or malware, based on lists that can be used.
Or said lists can just be used to block the IPs of these bad sites. So while yes, out of the box it's just a firewall/router, depending on what packages you install or how you configure it, it could very much be considered a UTM.
"Unified threat management (UTM) describes an information security (infosec) system that provides a single point of protection against threats, including viruses, worms, spyware and other malware, and network attacks. It combines security, performance, management and compliance capabilities into a single installation, making it easier for administrators to manage networks."
-
Thank you John and Stephen.
I think pfSense is very good, invaluable and cost effective compared to the UTM features of other brands such as SonicWall, Fortinet and Sophos firewall appliances.
-
As a corollary to the above, I'm thinking of buying the SG 2100
with the additional 32GB storage SSD. With these specifications, I can add packages such as
- Suricata
- Squid
- pfBlocker
Will the said SG2100 specifications be able to accommodate
such packages and their attendant bandwidth and storage demands?
I'm only using it for my small home network of 3 computers,
and my needs are fairly basic, with no external VPN access for my systems.
-
@timlak said in Is Pfsense a unified threat management (UTM) software?:
As a corollary to the above, I'm thinking of buying the SG 2100
with the additional 32GB storage SSD. With these specifications, I can add packages such as
- Suricata
- Squid
- pfBlocker
Will the said SG2100 specifications be able to accommodate
such packages and their attendant bandwidth and storage demands?
I'm only using it for my small home network of 3 computers,
and my needs are fairly basic, with no external VPN access for my systems.

You may not have enough RAM to run all that. You need RAM as well as disk space (the disk space is for logs and the Squid cache). There is another user posting here on the forum with exactly the problem of having more rules in Snort than he has room for in RAM when including the RAM used by Squid and pfSense itself. That other user was not using pfBlocker either, and still was hitting a RAM limit. With those packages, you are asking a lot of an SG-2100.
-
@bmeeks Thank you.
Then what model should I buy that is able to accommodate all these packages? SG3100?
-
Or can I increase the RAM in the SG2100?
-
@timlak The 3100 has only 2 GB RAM as it is 32 bit and older. The 6100 has 8 GB. They only offer the 2100 with 4 GB so it doesn't appear to be expandable.
-
I would get at least the SG-6100 to run all of those packages you listed.
Or maybe reconsider your package list. None of those are really absolutely necessary in a home network. Keep your clients well patched and up-to-date with security fixes, and just exercise some basic Internet caution, and you should be fine.
-
It's possible to run all those packages in 2GB of RAM, but I would not recommend doing so.
You have to tune them carefully to avoid exhausting the RAM. You cannot just enable all the signatures and lists in each and expect that to work.
I run Snort and pfBlocker-ng in a 3100 as my edge here. But I use only basic ad blocking in pfBlocker and only the ET Open sigs in Snort (not in blocking mode). With that setup I could probably also run Squid (very carefully). But I would not!

    last pid:  2837;  load averages:  0.67,  0.60,  0.62    up 5+18:13:34  16:40:10
    81 processes:  1 running, 80 sleeping
    CPU:  0.0% user,  0.4% nice,  0.6% system,  0.0% interrupt, 99.0% idle
    Mem: 140M Active, 1285M Inact, 223M Wired, 84M Buf, 344M Free

      PID USERNAME    THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
    52379 root          2  40   20   271M   248M bpf     1 182:38   0.73% snort
    73496 root          1  52    0   129M    49M accept  0   1:22   0.00% php-fpm
     3052 root          1  35    0   129M    49M accept  1   1:56   0.00% php-fpm
    67066 root          1  52    0   129M    47M accept  0   1:11   0.00% php-fpm
    42460 root          1  52    0   129M    47M accept  0   0:49   0.00% php-fpm
    81284 root          1  52    0   129M    46M accept  1   0:47   0.00% php-fpm
    38356 root          1  52    0   127M    46M accept  1   1:29   0.00% php-fpm
    45364 root          1  52    0   126M    44M accept  1   0:02   0.00% php-fpm
    12066 unbound       2  20    0    61M    40M kqread  0  23:14   0.00% unbound
    70717 root          1  20    0    46M    36M nanslp  0   3:57   0.04% php
     1390 root          1  20    0    89M    29M kqread  1   0:16   0.00% php-fpm
     4115 root         17  52    0    42M    21M sigwai  1   4:47   0.01% charon
    34517 root        157  20    0    64M    16M uwait   0   1:06   0.00% filterdns
    19905 dhcpd         1  20    0    13M    10M select  0   0:41   0.01% dhcpd
That's with next to no traffic passing.
However this may be a moot question since the 3100 is now EoS and unlikely to return. You would have to find one second hand at this point.
Steve
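As an added example (not code from the thread or from Netgate), here is a small Python 3 script that reads FreeBSD `top` output like the one Steve posted, sums resident memory per daemon, and estimates how much headroom is left before extra Snort rules, pfBlocker lists or a Squid cache would exhaust a 2 GB or 4 GB box. Treating inactive pages as reclaimable and keeping a 20% margin are my assumptions; the sample below is a constructed, trimmed copy of the quoted output.

```python
import re

# Constructed sample: a trimmed copy of the FreeBSD `top` output quoted in the thread.
SAMPLE_TOP = """\
Mem: 140M Active, 1285M Inact, 223M Wired, 84M Buf, 344M Free
  PID USERNAME    THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
52379 root          2  40   20   271M   248M bpf     1 182:38   0.73% snort
73496 root          1  52    0   129M    49M accept  0   1:22   0.00% php-fpm
 3052 root          1  35    0   129M    49M accept  1   1:56   0.00% php-fpm
12066 unbound       2  20    0    61M    40M kqread  0  23:14   0.00% unbound
 4115 root         17  52    0    42M    21M sigwai  1   4:47   0.01% charon
34517 root        157  20    0    64M    16M uwait   0   1:06   0.00% filterdns
"""


def to_mib(token):
    """Convert a top size token such as '248M', '84K' or '2G' to MiB."""
    m = re.fullmatch(r"(\d+)([KMG])", token)
    if not m:
        raise ValueError(f"unrecognised size token: {token!r}")
    return int(m.group(1)) * {"K": 1 / 1024, "M": 1, "G": 1024}[m.group(2)]


def parse_mem(line):
    """Parse 'Mem: 140M Active, 1285M Inact, ...' into {'Active': 140, ...} in MiB."""
    return {name: to_mib(size) for size, name in re.findall(r"(\d+[KMG]) (\w+)", line)}


def parse_procs(text):
    """Sum resident memory (the RES column) per COMMAND over the process table."""
    res = {}
    for cols in (ln.split() for ln in text.splitlines()):
        if len(cols) >= 12 and cols[0].isdigit():  # skip header and summary lines
            res[cols[-1]] = res.get(cols[-1], 0) + to_mib(cols[6])
    return res


def memory_budget(top_output, planned_mib=0, margin=0.2):
    """Report total RAM, reclaimable headroom, the biggest consumers, and whether
    `planned_mib` of extra resident memory (more Snort rules, a Squid cache) fits
    while keeping `margin` of the headroom spare (the margin is an assumption)."""
    mem = parse_mem(next(ln for ln in top_output.splitlines() if ln.startswith("Mem:")))
    total = sum(v for k, v in mem.items() if k != "Buf")  # Buf is counted inside Wired on FreeBSD
    headroom = mem.get("Free", 0) + mem.get("Inact", 0)   # assumption: inactive pages are reclaimable
    top3 = sorted(parse_procs(top_output).items(), key=lambda kv: -kv[1])[:3]
    return {"total_mib": round(total), "headroom_mib": round(headroom),
            "top_consumers": top3, "fits": planned_mib <= headroom * (1 - margin)}
```

On a real box, paste the output of `top -b` (or a saved copy) in place of the sample; the per-daemon totals show where a tuning change (fewer rule sets, smaller cache) would buy back the most memory.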