Arista Edge Threat Management v17 Release Candidate (Untangle)

Sky-Knight

Time to disable upgrades again! This update doesn't do much with kernel changes or anything usually dangerous, and I'm really happy to see the improvements coming. However...

Take a peek at the major features:

Version 17.0 of NG Firewall is now available for download from the Arista Edge Threat Management dashboard.
This release includes:

Multi-factor authentication - You can configure a TOTP code to log into the local web administration as a secondary authentication method.
DHCP Relay - The DHCP server for LAN interfaces can forward DHCP requests to a remote DHCP server to centralize IP address assignment across a distributed network.
WiFi regulatory domains - You can assign the regulatory domain based on your selected region so that NG Firewall updates the list of available frequencies.
New WebFilter categories.
Persistent NIC mapping.

Note that one at the bottom...

If you have any manual configuration in this space, you're probably going to have to remove that to prevent conflicts. Also, depending on how that upgrade slides in, it might break on the next reboot. So I'm suggesting a planned upgrade, akin to a full kernel upgrade: have someone on hand to deal with it!
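The first feature in that list, a TOTP code as a second factor on the local web admin, is plain RFC 6238. The block below is an added example (not Arista/Untangle code and not from this post) showing what the appliance has to do on the verifying side: derive the code from the shared secret and the 30-second step, accept one step of clock skew either way, compare in constant time, and refuse to accept the same step twice so a captured code cannot be replayed inside its window. The secret and time values are the published RFC 6238 SHA-1 test vectors, used here as constructed sample input; the function names are this example's own.

```python
"""RFC 6238 TOTP generation and verification with a skew window and a replay guard."""
import base64
import hashlib
import hmac
import struct
import time

# Shared secret from RFC 6238 Appendix B (SHA-1 vectors); constructed sample input for this example.
RFC6238_SHA1_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at) // step, digits)


def decode_base32_secret(text: str) -> bytes:
    """Decode the base32 secret an authenticator app or enrolment QR code carries.
    Whitespace and missing '=' padding are tolerated, as most enrolment strings omit them."""
    cleaned = "".join(text.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, code: str, now: int, last_counter=None,
                step: int = 30, digits: int = 6, skew: int = 1):
    """Check a submitted code against the current step and +/- `skew` neighbouring steps.

    Returns (ok, counter). Any counter <= last_counter (the step of the last accepted
    code, which the verifier must persist per user) is rejected, so a code that was
    already used cannot be replayed while it is still inside the skew window.
    The digit comparison is constant-time.
    """
    code = "".join(code.split())
    if len(code) != digits or not code.isdigit():
        return False, None
    base = int(now) // step
    for delta in range(-skew, skew + 1):
        counter = base + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True, counter
    return False, None


if __name__ == "__main__":
    now = int(time.time())
    current = totp(RFC6238_SHA1_SECRET, now)
    print("code for the RFC secret right now:", current)
    print("verify:", verify_totp(RFC6238_SHA1_SECRET, current, now))
    print("replay:", verify_totp(RFC6238_SHA1_SECRET, current, now, last_counter=now // 30))
```

The replay guard is the part most home-grown TOTP checks forget: without a stored last-accepted counter, a code sniffed from a login is good for up to 90 seconds with a one-step skew window. Keep the skew small (one step is plenty if the appliance runs NTP) and rate-limit attempts, since a 6-digit code only has a million possibilities.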
 
As soon as "hardware refresh" time comes for my clients, Untangles are coming out... UXGs are going in. We're probably down to just 30 or so out there in production... had probably close to 75.
Had a great run with Untangle... started reselling it when it was... I think version 5.01. Nice MRR at 45% margins, but... I just don't want the time it takes to support it (updates/upgrades), and sniffing HTTPS/SSL is less and less effective. Shifting over to PDNS for this, combined with 365's Defender... I'm more pleased with that.
 
@YeOldeStonecat You'll note that Nexgen has no new hardware to sell... for all of those reasons and so many more.

There's just no reason for the traditional UTM anymore, unless the insurance company demands it and if that's happening the answer is Sonicwall or Fortinet because they have superior liability protection. (better lawyers)

And of course... I'm rather tired of Untangle under whatever name they use this week... being TWO YEARS behind on critical things. Like the NIC swapping problem... that I warned them about a year in advance, turning into a bug that sat there for two years... it's just not acceptable.
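The NIC-swapping problem referred to above is the classic one on any Linux-based appliance: after a kernel or driver change the ports enumerate in a different order, and a firewall that keys its interfaces by name suddenly has its WAN on the LAN port. The block below is an added example (not the poster's code and not part of NG Firewall) of the check a practitioner would run around such an upgrade: snapshot the MAC-to-name mapping before, snapshot it again after the reboot, and diff the two. It assumes the box is a Linux system with iproute2's `ip` available; the sample `ip -o link` output is constructed for the example, and the function names are this example's own.

```python
"""Snapshot and diff the kernel's interface-name <-> MAC mapping around an upgrade or reboot."""
import re
import subprocess

# `ip -o link` prints one record per line, joining the "N: name: <flags> ..." header
# and the "link/ether MAC" part with a backslash. Interfaces without a link/ether
# line (lo, tunnels) carry no MAC and are skipped. VLAN names like eth0.100@eth0
# keep only the part before the '@'.
LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:.*?link/ether\s+([0-9A-Fa-f:]{17})")


def parse_ip_link(output: str) -> dict:
    """Return {mac: interface_name} for every ethernet interface in `ip -o link` output."""
    mapping = {}
    for line in output.splitlines():
        m = LINK_RE.match(line)
        if m:
            mapping[m.group(2).lower()] = m.group(1)
    return mapping


def diff_mapping(before: dict, after: dict) -> list:
    """List (mac, old_name, new_name) for every NIC whose name changed,
    vanished (new_name None) or appeared (old_name None). Empty list means nothing moved."""
    changes = []
    for mac in sorted(set(before) | set(after)):
        old, new = before.get(mac), after.get(mac)
        if old != new:
            changes.append((mac, old, new))
    return changes


def snapshot() -> dict:
    """Live snapshot of this box (needs iproute2). Not used by the offline sample below."""
    out = subprocess.run(["ip", "-o", "link"], capture_output=True, text=True, check=True).stdout
    return parse_ip_link(out)


# Constructed sample: `ip -o link` before the upgrade ...
BEFORE = (
    "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000"
    "\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n"
    "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000"
    "\\    link/ether 00:11:22:33:44:01 brd ff:ff:ff:ff:ff:ff\n"
    "3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000"
    "\\    link/ether 00:11:22:33:44:02 brd ff:ff:ff:ff:ff:ff\n"
    "4: eth1.100@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000"
    "\\    link/ether 00:11:22:33:44:02 brd ff:ff:ff:ff:ff:ff\n"
)
# ... and after the reboot, with the two physical ports enumerated in the opposite order.
AFTER = (
    "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000"
    "\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n"
    "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000"
    "\\    link/ether 00:11:22:33:44:02 brd ff:ff:ff:ff:ff:ff\n"
    "3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000"
    "\\    link/ether 00:11:22:33:44:01 brd ff:ff:ff:ff:ff:ff\n"
)


if __name__ == "__main__":
    for mac, old, new in diff_mapping(parse_ip_link(BEFORE), parse_ip_link(AFTER)):
        print(f"{mac}: {old} -> {new}")
```

In practice you run `snapshot()` before the upgrade, pickle or JSON-dump the dict somewhere off the box, and compare after the reboot from a console session, not over the network: if the WAN and LAN names have swapped, the management IP you were planning to SSH to is now on the wrong side of the firewall. Note that the VLAN sub-interface in the sample shares its parent's MAC, so a MAC-keyed snapshot only records one name per physical port; that is the intended behaviour here, since it is the physical port order that the upgrade can scramble.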
 
As soon as "hardware refresh" time comes for my clients, Untangles are coming out... UXGs are going in.
Do the UXG's support setting up VPN's like Untangle? Both site to site and client access?
 
Do the UXG's support setting up VPN's like Untangle? Both site to site and client access?
At the risk of sounding condescending... but I'm not intending to be...

WHO THE FRACK CARES!!!

VPN as a concept is no longer required once you cloud hard enough, and if you still have cause to use it you should be using a ZTNA tool, which is super VPN with proper centralized monitoring and control.

I love Untangle as a VPN terminator, but I just don't need to terminate VPNs on anything but endpoints anymore.

Seriously, save what's left of your hair... put the VPN down and never pick it up again!
 
Do the UXG's support setting up VPN's like Untangle? Both site to site and client access?

Yes....
ALL of the Unifi gateways support:
IPSec
L2TP
OpenVPN

...and Ubiquiti recently released their new "Site Magic VPN", which is a wicked easy SD-WAN to set up. Just one of the sites needs a public static IP; all the others can be dynamic and even behind NAT themselves.

And the UDM Pro/UDM SE support WireGuard.
 
if you still have cause to use it you should be using a ZTNA tool.

Do you have a tool you like for this? Maybe an ELI5 summary? I saw the Sonicwall announcement last year for their offering, but as usual, not enough information is given unless you get their hard-sell demo. Zero Trust is definitely a buzzword these days, and I suspect it means whatever the various vendors decide it means... for them...
 
Zero-Trust is definitely a buzzword these days and I suspect it means whatever the various vendors decide it means...for them...

It sure is. Toss in another acronym for it..."SDP"...which gets tossed around mixed with ZTNA...they both fall under the same broad umbrella.

Has more traction in much larger corporations. Heavy-handed approaches are trying to get it down into the SMB realm... but typical SMB clients' wallets aren't ready for it yet; it has quite a hefty "per user per month" cost, when we're used to VPN being... in most cases... "free", already included with the biz firewall sub.

I had been using ZeroTier for a bit... which I've seen called a ZTNA... but I don't believe it's a ZTNA; it's just a modern version of a software-defined VPN network... sort of a "mesh VPN" via virtual NICs. Still gives FULL access to the other network you connect to.

I do want to check out CloudFlares version....
 
Most things I have seen and read with regard to Zero Trust I already see implemented in large businesses, or they are impractical for smaller businesses. Mostly, where I see it not used in big business, it is that they aren't using solutions as seamless and fully integrated as a proper Zero Trust one, which provides minimal if any improvement in security; at best it can streamline the security process and procedures.
 
Yeah, the buzzwords are really thick.

But I can connect the dots for those that haven't kept up.

If you VPN hard enough, you're SDWAN'ing; if you SDWAN hard enough, you're SDLAN'ing; if you're SDLAN'ing hard enough, you're software-defined networking; and if you're software-defined networking hard enough, you're ZTNA'ing or... SASE'ing... These two things are interchangeable terms, and the use of one or the other pretty much reveals which vendor you're more comfortable with. I use ZTNA because to me it is a better label, and most people just don't get Secure Access Service Edge... but Zero Trust Network Access is something that stakeholders have a better implicit understanding of during conversation.

ZeroTier isn't a ZTNA tool, to become a ZTNA tool it needs VISIBILITY tools. It seriously lacks these at the moment. It does qualify as a SASE tool though.

However, as a product and platform it offers many benefits over traditional VPN: central and easily updated controls, and a client that's available via various marketplaces including the Microsoft Store... which makes installation and configuration completely scriptable via PowerShell. This includes client updates over time. (Did I mention users can get themselves connected with a preformed email's worth of instructions? Which in turn boil down to: click this link, run this signed installer, and join this network named bleh by clicking here.)

The platform provides superior security to traditional VPN because the authentication happens during enrollment and is controlled by the admin, who authorizes a list of semi-trusted devices; then you can use the paid version to hook into Azure AD and do MFA-protected user-level authentication on top of even that. And while you're doing all of this, you're creating a VPN mesh network that functions just like a layer 2 managed switch... you never have to think about NAT or public addresses at all... nor are you dependent on a specific hunk of hardware somewhere being online. You can use it to eliminate the need for Azure VPN terminators and all similar cloud features... which saves REAL MONEY while you're at it.

It's a huge deal.

More developed MSPs will enjoy using Tailscale or Zscaler more, because those tools are ZTNA tools: they do all of the above but provide integrations for reporting, content control, anti-malware and more.


Microsoft will have a tool in this space soon; I don't have any details about it because of the impending release of CoPilot. Cloudflare has their SASE product too. There is no shortage of vendors in this space, and they allow you to simplify "VPN" into software on endpoints and servers, with a uniform ACL, allowing you to run services "publicly" with at the very least an authorized client list.

The solution is vastly easier to use, and less fault-prone due to its lack of hardware dependence, which in turn lends itself to greater security just because of the simplicity and reduction of moving parts. ZeroTier is a great one to learn on, again due to its relative simplicity, AND for SMB clients it's utterly free for the first 50 devices, which covers entire clients in freemium when you need it.
 