Untangle Throughput

Tech Savvy

Hi guys!

I have a client that is in need of a firewall, I've been a Cisco guy since day 1, so I recommended an ASA 5516 because its IPS has a throughput of 450Mbps. But it costs me 2000$ and they only have 7 computers on the network. On the quote I charged $2200 which is fine and they went with it, but I'm trying to do what's best for them and possibly explore Untangle to save some money. Since it is so highly spoken of on TN.

Their speeds from the ISP are 400 down and 40 up. So I didn't want the firewall to be the bottleneck.

Untangle is always mentioned here, so I checked them out, but it doesn't say the throughput for certain UTM features like the Cisco data sheets provide. I was wondering if anyone has some insight on this.

My client doesn't need the web content filtering or anything. Just IPS and malware protection pretty much.

Also they would need 3 interface ports: inside, outside, and DMZ (cameras)

So my question is which model of Untangle appliances would suffice for their network without being a bottleneck? Also, is the throughput of Untangle's IPS and Anti-malware protection high enough to not be a bottleneck?

I appreciate any help you can give me.

Thanks
Kev

@YeOldeStonecat @SkyeKnight
 
There is no way that an enterprise firewall is NOT going to slow down the traffic some, it's the nature of the beast. That 5516 sounds like a beast, though. I'll bet if you look at the usage specs, it's rated for a couple of hundred users (I'm lazy and didn't look it up). I do Sonicwalls and the model at that price point is similar. You are a better salesman than I am to get a 7-person company to spend 2Gs on a firewall!

I'd say your markup is a bit lean. Is your price wholesale?
 
Untangle isn't the question, the platform is the question. I've got Untangle doing multi-10gbit interfaces at wire speed. The UTM does inject performance issues, but when you go with one like Untangle you put hardware in place to counter that and wham... wire speed. That's the Cisco problem, they lock you into hardware that's out of sync with your device scope. Going with a software based UTM and giving yourself hardware freedom resolves this problem but opens a new can of worms too.

To get 400mbit consistently you're going to need at least an i3 CPU, and 8gb of RAM. You also need good network interfaces, I'll say it here just like I've said it on the Untangle forums for years... Go Intel or go home.

Now, will you save money? Probably not.

If you were to purchase the appliance I provide for this need, you're out $1,209.99, then you have to put the subscription on top another $540 / year for the complete bundle up to 25 devices. No links because no solicitations, just saying there are vendors out there like me that offer an alternative to the official appliances. And in this specific case, you're talking to the original Untangle Appliance vendor. I've simply been at this game longer than Untangle has specifically for Untangle. Heck, they are selling platforms that are based on stolen designs of mine... not that it was Untangle's fault, I need to sue Caswell / Portwell, but I've got better things to do.

Anyway, this solution is almost gigabit capable, the appliance will last literally forever with scheduled hard disk swaps, and you get a UTM not only vastly superior to the ASA you're comparing against, but simple enough the office manager can work with it if you're not around.

If you want the official Untangle appliance that will do this, you're looking at the u150. And you'll have to buy it without a subscription and get the sub separately to get down to the 25 device bucket. The key here is you need an appliance with more guts than an Atom, those things top out around 200mbit, some can get to 300... but you're really splitting hairs and setting up room to fail. It's all based on what type of traffic, and how much you scan. Getting an i3 based system ensures you just install it and it works, not to mention gives room for growth over 5 years into a gigabit internet connection.

Finally, IPS is only useful if they are hosting servers in house, most people aren't at that size so that's a useless feature even from Cisco. The AV functionality of Untangle is limited to unencrypted transfers without SSL inspector, honestly this is also a waste of time and energy. You use content control to keep browsers away from bad downloads, you don't bother scanning them. So yes, you need Content Control. If you want to do the full SSL man in the middle thing Untangle with the subscription provides two different AV engines for FTP, FTPs, HTTP, and HTTPs file transfers.

P.S. I am working on a new line of hex and oct celeron based devices, these are gigabit capable and actually cost less than the Atoms I offer now, the designs just aren't ready yet and we're working on a timescale of months with the manufacturer so I have no idea when they'll be ready.
 
I like Sophos as well. For Untangle hardware, if you search Untangle on Amazon there are some decent multi-nic devices that work well for small environments.

 
What is driving the requirement to keep the full 400/40mb pipe @Tech Savvy? The customer or you?

To be honest I have a hard time believing that 7 users, typical office uses, would notice anything if it was cut even 50%. Of course, if they are serving out of their space then I can see where they want the full 40mb for upload.
 
Told ya Rob would give you the answer....I got lucky with my guess in the PM to you...i3 and 8 gigs. I just prefer the horsepower of a full proper desktop CPU versus the little Atoms.

I also toss a vote for NexgenAppliances for the hardware platform..they use full little industrialized PC platforms, not chintzy little cheap things. And their support is great. We've been Untangle resellers since version 5...and we've worked up to "Star Partner" level with Untangle a few years ago (highest they have)..we have a lot of Untangle units out there, we've tried many different hardware platforms and I'm happiest with NA's.
 