Cool to see that you feel the same way, as I just explained to my colleagues that filtering should be handled on the endpoint and not in the firewall. This was a couple of months ago.
I have been having a nightmare with filtering in an environment where management wants everything blocked and select sites accessible. In my case, it involves a FortiGate, which, once you install its CA on the endpoints, is quite good about it. Issues remain surrounding certificates that span wanted and unwanted services though, with Google's one for itself and YouTube being a prime example.
Besides that, opening a site up leaves the issue of inaccessible dependencies like scripts, etc., that need to load from other sites, including CDNs. So the end user may have access to the site, but everything is broken until one inspects and discovers all the other sites the browser needs to load from for it to work (there may be a better way, but I'm yet to find it). This gets especially bad when different pages have different dependencies. To top it all off, opening access to CDNs for some dependencies gives the headache of unwanted sites, etc., on the CDNs also becoming accessible when they shouldn't be... it's nuts and I hate it.
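One way to do that discovery step systematically, as an added example and not code from the commenter or the video: export a HAR from the browser while loading the allowlisted page, then list every host it fetched from that the allowlist does not already cover, with the resource types seen, so script and font hosts can be told apart from trackers that rode along. The HAR content and host names below are constructed placeholders.

```python
from urllib.parse import urlparse

def _entry(url, mime):
    """Build one HAR entry with just the fields this script reads."""
    return {"request": {"url": url},
            "response": {"content": {"mimeType": mime}}}

# Constructed stand-in for a browser HAR export ("Save all as HAR");
# every host here is a hypothetical placeholder, not a real site.
SAMPLE_HAR = {"log": {"entries": [
    _entry("https://portal.example/", "text/html; charset=utf-8"),
    _entry("https://portal.example/app.css", "text/css"),
    _entry("https://api.portal.example/v1/session", "application/json"),
    _entry("https://cdn.placeholder-cdn.example/lib.min.js", "application/javascript"),
    _entry("https://fonts.placeholder-fonts.example/a.woff2", "font/woff2"),
    _entry("https://px.placeholder-ads.example/pixel.gif", "image/gif"),
]}}

def host_allowed(host, allowlist):
    """Exact match, or '*.domain' matches any subdomain (not the apex,
    which is how most firewall URL-filter wildcards behave)."""
    for entry in allowlist:
        if entry.startswith("*."):
            if host.endswith(entry[1:]):  # entry[1:] is ".domain"
                return True
        elif host == entry:
            return True
    return False

def missing_hosts(har, allowlist):
    """Return {host: [mime types]} for every host the page pulled from that
    the allowlist does not cover, so each can be judged on what it served
    (a script or font is a real dependency, a tracking pixel is not)."""
    missing = {}
    for entry in har["log"]["entries"]:
        host = urlparse(entry["request"]["url"]).hostname
        if host is None or host_allowed(host, allowlist):
            continue
        mime = entry["response"]["content"].get("mimeType", "unknown")
        missing.setdefault(host, set()).add(mime.split(";")[0].strip())
    return {h: sorted(m) for h, m in sorted(missing.items())}

if __name__ == "__main__":
    allowlist = ["portal.example", "*.portal.example"]
    for host, mimes in missing_hosts(SAMPLE_HAR, allowlist).items():
        print(f"{host:36} {', '.join(mimes)}")
```

Allowing a CDN host found this way allows everything served from that host, which is the trade-off the comment describes; the MIME breakdown at least shows which entries are load-bearing and which are just trackers.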
I already have a good 8 places to post this to off the top of my head, and I assure you I will send many more people over to this video as the time goes by. Thanks!
Excellent content here Tom. I think this should answer a lot of the questions you get on the forums and on the vlog.
Thanks again
Absolutely agree. Every piece of Tom's content is straightforward, sticks to the point and helps the community. Keep it coming!
Thank you Tom for this video. I just wanna say thank you for all your great content over the years; it has taught me a lot over the last 3 years. I just wanna say thank you.
Going for my JNCIP-SP this week. I just wanna say thank you for all your great content. Not the smartest dude, but your videos are fun to watch and easy to work alongside with you and build out from there. I built my first ever TrueNAS system because of your videos on TrueNAS.
Just thought I would say thank you for the years of great content and can't wait for many more years of content from you.
So far Arista does the best CF I have used yet!
HTTP/3, which is based on QUIC, is supported for DPI inspection in v7.2 of FortiOS.
Thanks
Great information with a touch of granularity. I'll be checking out your recommendations about those software solutions.
This aligns with what I've been thinking as well when it comes to content filtering. We have been hesitant to implement decryption on our Palo Alto fw because of the challenge to maintain the certificate and deploy it, and then needing to manage and monitor the filtering from PAN-OS. I'm sure it's manageable with larger teams of people, but we're a small team at my org, so something like an endpoint solution seems like a better fit if that's a road we ever intend to travel.
You can use a single host cert across multiple firewalls in a wildcard fashion with either manual push or auto through AD Cert Services. Not that difficult to maintain. Vendors' APIs make this even easier if you're into config automation.
@RobbyPedrica Thanks for the context, definitely not outside the realm of what I can personally do, but sadly I only have a team of 3 including myself, a new-to-IT helpdesk guy, and my boss (our director). Even if I were to set something like this up, nobody else on my team would really be inclined to maintain or replace the cert when it expires, as they're not particularly keen on certificates or managing our Palo Alto HA FWs. Definitely a strong consideration for the future when we have more sysadmins at our disposal though. Just kinda trying to keep the environment manageable should I ever choose to move along for the time being, which is something we all deal with I 'spose.
@joshsmith4998 I personally look after around 1200 firewalls. With the right tools, volume is irrelevant and difficult becomes easy.
@RobbyPedrica That's no small feat! I'm in a role currently wearing all the hats for a convenience store chain with almost 100 locations, and trying to keep the machine oiled has been a lot. Automating manual processes has been a must and I've honestly just been learning every day.
So in my experience for small business, and/or the family home in my case, I have been combining the speed of Suricata/Snort and the Adam:One DNS pfSense plugin. It has been really effective in applying different policies to certain devices in the home or office in terms of what websites can be visited. I haven't seen it fail, but I most certainly haven't implemented it in a commercial sense for any of my clients.
IMO the next step I am considering, seeing as I feel I have outgrown my pfSense, was to shift to a Palo VM, which I have managed to build on great compute specs and was only forced to pay 4k for 3 years. I haven't done it yet because, as I mentioned, it's 4k, sigh. The certificate thing can be automated across most NG firewalls today in terms of renewal and even for deployment to endpoints. But not something I'd recommend, 'cause downtime, even at home, is NOT A HAPPY HOME. My home is my lab; don't do that, I warn most.
What I am really looking out for in terms of tech is the emerging DDI and IPAM SaaS products becoming more and more accessible in price to the midmarket and special interest groups such as hybrid dev houses and automated containerised services that are infra and cloud agnostic.
What would you suggest for schools and churches that want to offer an open guest network, but also want to block torrents and adult content on it? Putting certificates on devices is not an option so would the best approach be something like OpenDNS or Untangle?
Untangle is a popular solution for that.
Zscaler is an okay product that lives on the client device. I agree that client-based solutions are far superior to something on the edge.
Hey Tom, thanks for all the great videos... I know how you feel about firewalls that aren't open source, but I think Sophos XG does a very good job at this. And there's a free version...
That fw needs HUGE resources to run! EWW
The new XGS model is a lot faster also. For the price it’s a really great firewall.
What are your thoughts about DNS security services like Cisco Umbrella? Managing some of these issues by controlling/filtering DNS inside the firewall is the only way we were able to cover these types of needs across Chromebooks, PC, Mac, iPads, iPhones, Android, etc., by controlling what the endpoint devices were able to lookup and connect to. pfSense restricts users to use our filtering DNS servers. No WFH users on these particular deployments, making it simpler to enforce.
We prefer endpoint management over DNS filtering.
Would be good if you would review Firewalla Gold.
It's a consumer device that I currently don't have time to look at.
Have you tried out cloudflares zero trust solution? Seems interesting to me because it has pretty granular control and its free for smaller customers
I don't like the idea of being locked to a particular vendor solution. Changing out the software via software loaded on each endpoint is easier to manage.
I tried it, and the problem with Cloudflare is that location data is selectively given up; it's not zero trust if you can't even do the damn basics.
Neither Saaslio nor Zorus provides transparent pricing on their website.
I think it's $3/month/device. At least is what a Google search shows.
Just realized that untangle is part of Arista now.
Excellent video.
Web filtering is most difficult to manage.
Untangle has decent filtering for schools and such. Looks like Arista owns Untangle... wonder when that happened!
They bought them earlier this year
Filterd, stay safe
4:46 "but before we get into how we solve that solution.." hmm....
Yeah, 2nd comment 😁. Hi Tom.
So .... no real solution that is free and open source?
Not aware of anything
I might trial Saaslio, Zorus seems like overkill for home use.
First