Small business firewall recommendations?

criz p. critter

Silver Member
I'm setting up a Nextcloud server at my home to replace the macOS server (housed at our company office) that we used in-house, pre-Covid. There are only 3 users and we need to sync/share Adobe Creative Cloud files. We all work remotely now, and access the office server via VPN, but it is deathly friggin slow. In addition to doing design work, I handle all the IT, so it is up to me to make this happen.

In the past I have used a Linksys LRT214 VPN firewall/router to protect my home network and split it into 3 VLANs for work/personal/wireless, but that appliance is very old and the firmware has not been updated in over a year. Given that I'll be hosting my company's files, I need much more protection against the increased hacking and attacks that occur these days.

The company office network uses a SonicWall TZ270, and I'm pretty familiar with their SonicOS 7 interface, but I'd like to find a firewall for my home Nextcloud server that doesn't require such a hefty subscription cost for SonicWall security suites. So I'm looking for a firewall that will offer enough protection without a subscription, or with a more reasonably-priced subscription. I'm pretty much a seat-of-the-pants kind of IT person, so I'd prefer that the UI isn't hugely complicated.

I need a firewall that can handle gigabit speeds and that has 2 or more LAN ports. My research has narrowed my choices down to these three, in order of my (not-that-well-informed) preference:
Netgate 2100
Ubiquiti UniFi
Firewalla Gold

Any kind of advice from any drummer/IT folks on DW would be GREATLY appreciated!
 
We spec some of our customers at work with Ubiquiti UniFi kit (it's usually that or Cisco Meraki) and the UniFi systems are incredibly easy to learn. I'm not an expert in the installation of it but I've had to do some administration, etc. and it's highly intuitive.

I don't have any experience with the others, though.
 
Thanks! I looked at the Meraki, and it sounds great, but it only has 500 Mbps throughput.

So do you think the UniFi will be enough protection? My only experience with a real firewall is SonicWall, and they have super-comprehensive protection packages that I'm not sure I really need... and would prefer not to pay for if I don't!
 
I can't pretend to be an expert on firewalls so I'm just recounting what we install on our customer sites. I don't spec them or install them. They are highly configurable but I'm no means an expert. Is there a firm local to you that could spec this up for you?
 
I've been reading lots of reviews and watching YouTube videos on the Ubiquiti products vs the Firewalla Gold. The USG Pro looks more comparable to the Firewalla Gold, but it's rack mount and has an HD. More than I need. So I think I'm almost sold on the Firewalla. It's more $$, but my company is paying for it, and it looks like it's got everything I need and is simple to configure. Thanks again!
 
If there is budget, look at Palo Alto Networks 400-series devices. A PA-415 should do you well.
Thanks for the suggestion, but this is more than I need, costs too much, and requires a subscription. If I was going to go that route, I’d get a SonicWall, as I’m already experienced with SonicOS.
 
That's cool. You could also do a homegrown firewall with OpenBSD and pf. Alas, you won't get layer 7 inspection, etc. Or some sort of Linux variant that likely has a web interface for management.
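As a worked example of the "homegrown OpenBSD + pf" option, here is a pf.conf for the setup the original poster describes (three VLANs for work/personal/wireless, a Nextcloud box on the work VLAN, only HTTPS published to the internet). This is an added illustration written for this thread, not code from any post or vendor; the interface names, VLAN tags and the Nextcloud address are assumptions and need to match the real hardware.

```pf
# Added example pf.conf for the "homegrown OpenBSD + pf" suggestion above.
# Not from the thread or any vendor. Interface names, VLAN tags and the
# Nextcloud address are assumptions; adjust them to the real hardware.
ext_if    = "em0"           # WAN uplink; OpenBSD puts it in the "egress" group
work_if   = "vlan10"        # work VLAN, where the Nextcloud box lives
home_if   = "vlan20"        # personal devices
wifi_if   = "vlan30"        # wireless clients
nextcloud = "10.10.10.5"    # assumed Nextcloud server address on $work_if

# Address space that must never arrive from the internet on the WAN side
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
                   172.16.0.0/12 192.168.0.0/16 224.0.0.0/3 }
# Sources that open too many HTTPS connections too fast (filled by the overload rule below)
table <bruteforce> persist

set skip on lo
set block-policy drop

# Normalise packets and NAT all three VLANs behind the WAN address
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)

# Default deny; log what the internet tries and gets dropped
block all
block in log on $ext_if
block in quick on $ext_if from <martians>
block in quick from <bruteforce>

# Outbound (firewall-originated or forwarded) is allowed once a rule below passes it in
pass out quick inet

# VLAN isolation: personal and wireless segments cannot reach the work VLAN,
# and the work VLAN cannot reach them. "quick" beats the broader pass rules that follow.
block in quick on { $home_if $wifi_if } to $work_if:network
block in quick on $work_if to { $home_if:network $wifi_if:network }

# Every VLAN may reach the internet (and the firewall itself for DHCP/DNS).
# Management of the firewall is therefore possible from the LAN side only, never from the WAN.
pass in on { $work_if $home_if $wifi_if } inet

# The only service published to the internet: HTTPS, forwarded to the Nextcloud host.
# A source opening more than 30 new connections in 10 seconds is moved into <bruteforce>
# and all of its existing states are flushed.
pass in on $ext_if inet proto tcp to (egress:0) port 443 rdr-to $nextcloud \
    keep state (max-src-conn-rate 30/10, overload <bruteforce> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. The VLAN interfaces assume a managed switch doing 802.1Q tagging, and the `<martians>` rule assumes a public WAN address (drop the 10.0.0.0/8 entry if the ISP uses carrier-grade NAT). As the post says, pf filters at layers 3 and 4 only: nothing here looks inside the TLS session, so keeping Nextcloud patched and enabling its own brute-force protection and two-factor login remains the real defence for the exposed port.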
 
I’m confused. Adobe Creative Cloud includes cloud hosting services out of the box right? So does NextCloud.

Why house a physical server at all? What’s the benefit of hosting at home vs keeping the data in the cloud?
 
A question I ask myself with each passing day but there are some applications that have on-prem requirements. Sage accounting (for instance) needs to be locally installed and I wouldn't want to try and run a media creation company using cloud storage.

AzureAD is clearly and obviously the way forward for most businesses but a lot haven't quite got there yet. Of our customers, I'd estimate around 30% are running a full AzureAD service, with many running a truly hybrid system (with hybrid exchange servers and dirsync with an on-prem AD) and the remainder being too small to have to worry about such things or running a completely separate on-prem domain controller for local desktops and AzureAD/M365 over the top (so effectively two, unrelated accounts).

Proper cloud migrations are tricky and a bit expensive plus sometimes the cost of running Azure VMs, etc. can be much more expensive than running an on-prem server farm for RDS or similar. It's much easier to start cloud-based than it is to migrate.

AzureAD has huge advantages though and Conditional Access really should be a mandatory requirement if you're serious about opsec. It's also incredibly easy to set up - the only hard bit is communicating with the users!

In my ideal world, everybody would be running mostly SaaS solutions from platform-agnostic web applications with perhaps some AzureAD implementation for InTune device management. In fact, that's what the company I work for does and it works very well for us. I can't remember a single minute of proper downtime and if I lose my laptop tomorrow - no big deal. We're also a remote company without a central office so everybody works from home (except for our on-site engineer) and I've been on two site visits (one of which included a four-star hotel, which was nice).

For the record I work for a Managed Service Provider (MSP) and I'm officially an L2 Support Analyst but my job title will be changing to Technical Advisor soon as my job role is constantly changing and I'm involved in Service Delivery Management and trying to stay as far away from the phones as possible...
 
That's cool. You could also do a homegrown firewall with OpenBSD and pf. Alas, you won't get layer 7 inspection, etc. Or some sort of Linux variant that likely has a web interface
Maybe for my next project! My IT experience for the last 20-odd years has been mainly Mac-centric. I occasionally work on a Windows box, but find the experience leaves me wanting to slit my throat. I said in the OP that I'm a seat-of-the-pants kinda IT person, meaning I basically learn any new technology when and as it's needed. For example, 5 years ago, when my company needed to beef up its firewall, I learned how to use SonicOS. (With a few calls to SonicWall support, I should add... which is stellar.)

So the current project is building a Nextcloud server on Ubuntu. I've played around a bit with Linux previously, and felt pretty confused with it. But now the need has arisen to learn it in earnest, and I'm surprised how well I'm doing. It's actually fun and exciting for me. I've got the server live and syncing with remote test users. I'm hoping to get all my hardware purchased and put the server online by the new year.

But yeah, maybe next time I'll attempt my own homegrown firewall. Why not? Right now I feel I just need something off the shelf.
 
I’m confused. Adobe Creative Cloud includes cloud hosting services out of the box right? So does NextCloud.

Why house a physical server at all? What’s the benefit of hosting at home vs keeping the data in the cloud?
As far as Creative Cloud, I use Adobe apps every day. I've been a user since Photoshop 2.0, but I despise what the company has become. So I'm only going to give them the minimum amount I need to... which is $55/mo. But that only gives you 100 GB of storage, and you can't organize it and you can't assume your data is secure.

I then checked out Microsoft's offerings. A business account would let me configure things, and I could pay extra to get enough storage. But MS products drive me nuts. There's such an unclear distinction between OneDrive and SharePoint, not to mention Azure and more... And the documentation is so fractured and spread all over multiple pages and sites. It was taking me forever to learn its capabilities and the best way to configure it. I just came to the conclusion that I would need a consultant to set it up. Oh, and once the intended users tried to use it they complained that it was too difficult to learn.

I was then heavily leaning toward using either Box or Sync. Both looked simple to configure and use, and either choice would have been perfect, but by that time my boss had gotten involved and insisted that using a third-party service might violate our legal agreements with our clients. Same with using Nextcloud on an ISP or a rented server.

Once I found out I could build and host my own cloud server, I was all for it. But I needed a faster internet connection to pull it off. Voila! AT&T just installed fiber in my neighborhood. I was literally the first to get it installed.

Ask a short question... get a long answer!
 
A question I ask myself with each passing day but there are some applications that have on-prem requirements. Sage accounting (for instance) needs to be locally installed and I wouldn't want to try and run a media creation company using cloud storage.
OMG man, you're making my head spin.
 
For most of your home needs, you won't need those subscriptions for Sonicwall, I'm also a fan of their stuff and have used it extensively. The subscription stuff is mostly extras like AV, spam, "deep packet" that kind of thing.

It functions fine as a firewall without any of it. And some of my customers didn't need or want to pay them in perpetuity.

I'm very disappointed they seem to be wanting to imitate meraki on the cloud setup garbage for wireless with the new gen stuff and have made it clear to the rep.
 
Ubiquiti is also a good choice for home stuff, but I don't like most of their routers and that kind of thing. I'm a huge fan of the wireless, and some of the switch gear, especially the stuff that's hardened for dirty "dangerous" environments like construction trailers and the like.
 
For most of your home needs, you won't need those subscriptions for Sonicwall, I'm also a fan of their stuff and have used it extensively. The subscription stuff is mostly extras like AV, spam, "deep packet" that kind of thing.

It functions fine as a firewall without any of it. And some of my customers didn't need or want to pay them in perpetuity.
Thanks, Doc, that's good to know. My experience with SonicWall has shown me that I might still want the minimum 8x5 support contract. That's $99 a year. It's a complicated OS and I've had to resort to their help with more advanced tasks.
 
Ubiquiti is also a good choice for home stuff, but I don't like most of their routers and that kind of thing. I'm a huge fan of the wireless, and some of the switch gear, especially the stuff that's hardened for dirty "dangerous" environments like construction trailers and the like.
As I said previously, I was really leaning toward the Firewalla Gold. But then I did a bunch more targeted research that made me reevaluate all three of my original choices. I was really attracted to a Netgate appliance running pfSense, but it turns out they dropped the one model that I would have chosen, the 3100. On the other hand, the Ubiquiti appliances I was looking at were a little low on the inspected throughput. But once I looked at the Ubiquiti Dream Machine Pro (which is rated at 3.5 Gbps throughput, supposedly) and saw a video showing the whole UI, I was sold. It looks really easy to use, but I can configure it a lot more than the Firewalla, if I need to.

So, choice made: I'm ordering a Dream Machine Pro today. I'll report back once I've received it and set it up. Hopefully I'll have only positive things to say about it. Thanks, everyone, for your input!
 
Thanks, Doc, that's good to know. My experience with SonicWall has shown me that I might still want the minimum 8x5 support contract. That's $99 a year. It's a complicated OS and I've had to resort to their help with more advanced tasks.
I see you went with Ubiquiti which as I said is solid. They really are unmatched in the speed/throughput per dollar department, and the same goes with their wireless stuff which is really fast and easy.

In the future if you ever have a nagging question or need any help with a sonicwall, you can totally shoot me a PM and I'd be happy to give advice or explain how something works. Been using them for a long time now and the only times I've had to get support involved turned out to be bad devices (which they replaced with zero hassle); so I'm pretty versed!
 
That’s very generous of you to offer! I may just take you up on it some day.
 