The ZyWall UTM USG series [regardless of model] cannot and will not provide you with the throughput and protection that Untangle UTM can and will under heavy load assuming that Untangle is running on an appropriate hardware platform --- there is absolutely no comparison from a performance and protection perspective. Yes, Untangle UTM will be more expensive but from a Value Proposition perspective Untangle cannot be beat.Originally Posted by tezgno
That isn't the argument. This isn't about Zywall versus Untangle. As I have stated before, I am looking to replace the Zywall with something much better for the exact reasons you stated above. The issue at hand is regarding having to purchase the Policy Manager to accomplish what I do today using simple firewall rules. If that is truly the case (in which I'm still not sure because I'm seeing different answers to the same question; I won't be totally sure until my hardware arrives and I throw UT on it) then Untangle, with just the purchase of the Policy Manager in my environment, would be more expensive than alternatives to BOTH the Zywall AND Untangle. This is because the Untangle uses a "per device" licensing model. If I purchase the entire suite, then Untangle blows even my most expensive alternative to the Zywall out of the water. That is what I can't justify.
To obtain high performance in the inter lan routing in untangle, you MUST use bypass rules and lose the UTM functionality. Of course you can try with a quad xeon grade server, a lot of gigabytes of ram and of course intel nicīs.
Always think in untangle as a linux box with basic conectivity and a virtual machine at top, the UVM, this manage the rack and the aplications inside.
I ever make my design finding the best device (price/performance), but not ever can fit in only one, some times is better let a UTM work in was designed and some real gigabyte device for manage the core lan.
From my poor knowledge the only device that is near to fit all your needs is a cisco asa 5520 with the ips and trend micro modules >10000 U$S + annual suscription. Upsss, I forget the anti spam module, add the ironport
The world is divided into 10 kinds of people, who know binary and those not
I think you can probably manage this with the Lite and just firewall and packet filter rules. You'll just have to be diligent and careful about setting up the correct rules.
I'm assuming you separated those networks for a reason and would likely want to have different policies (in regards to Web Filtering, Bandwidth Control, etc) for different networks, thats where Policy Manager comes in.
Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
If you need Untangle support please call or email support@untangle.com
I think that there is a language barrier here because you are really not understanding what I am needing. I'm not looking for high performance inter-lan. What I am needing is strictly this:To obtain high performance in the inter lan routing in untangle, you MUST use bypass rules and lose the UTM functionality. Of course you can try with a quad xeon grade server, a lot of gigabytes of ram and of course intel nicīs.
Always think in untangle as a linux box with basic conectivity and a virtual machine at top, the UVM, this manage the rack and the aplications inside.
I ever make my design finding the best device (price/performance), but not ever can fit in only one, some times is better let a UTM work in was designed and some real gigabyte device for manage the core lan.
From my poor knowledge the only device that is near to fit all your needs is a cisco asa 5520 with the ips and trend micro modules >10000 U$S + annual suscription. Upsss, I forget the anti spam module, add the ironport
- Better performance WAN--> LAN
- Better performance WAN--> DMZ
- Better Performance DMZ--> LAN
The only inter-lan communication that has UTM functionality in my environment today is the DMZ--> LAN. And, if I can achieve performance of about 100Mbps or so, then that's a win for me (today, I can't even get 10). That's also a concern as well because when I switch ISPs, my internet bandwidth alone will make the Zywall useless for the WAN--> LAN communications.
The only internal
Thanks.
Sort of. Web filtering, bandwidth control, outbound blocking (i.e. SMTP except for the mail appliance) etc., are the same over all of the networks. The primary reason for the separation of each is:
- DMZ - Devices on this network can be accessed from the Internet. Essentially, I do not want a compromized box on this network to talk back to the internal network where we have critical data. So, all communication from the DMZ to the Internal network is blocked with the exception of specific IP-to-IP traffic.
- Dev Network - Devices on this network are all test machines testing software or testing server builds. Essentially, I do not want any traffic on this network coming back to the internal LAN so all traffic back to the internal network is blocked.
- Guest Network - This network is essentially the same setup as the Dev network. The only thing that I would like to do here is setup a Captive Portal so that when users connect, they login (don't have this today).
The network isn't like many businesses in which you have separate networks for separate departments or groups of users (we are not that kind of company or that large; we are an IT consulting company). Maybe at some point in the future, we may need the type of separation that is typical in many businesses. But today, our needs are not that complex.
Can be a language barrier, my natural lenguage is spanish and can misunderstund some thing.
But in your last post you delete the guest and development lans, and better is not a technician description. With the apropiate hardware sure can be better. How improved, really I dont know, maybe some partner with dedicated apliances can answer this.
The world is divided into 10 kinds of people, who know binary and those not
Yes, I didn't mention those lans in my post because those lans, today, do not have any UTM between them. The only UTM functionality that I have today is between the WAN--> DMZ, WAN--> LAN, and WAN--> Internal LAN. I would like to do it between the other networks, but I cannot afford to do it with my current system only able to actually push 5-10Mbps through it with UTM turned on. By "better," I'm referring to my problem... performance. I want something that offers me better performance than what my current unit can provide. As I also stated, if that better can be 100Mbps, then it's a win for me. Better, in terms of features, is subjective to the person. For me, UT offers better features than does my Zywall, but I'm not looking at UT for features alone as much as performance and cost.
Untangle will do as you ask.
Also, I will point out that the appliances Jim and I designed, that are displayed at www.untangleappliances.com are capable of operating at near wire speeds with the UTM features enabled.
Make no mistake, I have no reservations about saying that Untangle Lite will do what you're asking of it. It will provide you a superior feature-set to your current solution. However, I encourage you to take a hard look at the subscription offerings, they will not only give you even greater defenses, but save you a world of time while doing it. The premium subscription has paid for itself in every network I've deployed it on. Why? Simple, those networks don't get viruses anymore. PERIOD!
Get good well designed hardware, and Untangle will open the door to possibilities you didn't think were possible. I've been pushing this product past its limits for almost 3 years now, I have yet to find a real wall.
Rob Sandling, BS:SWE, MCP
NexgenAppliances.com
Phone: 866-794-8879 x201
Email: support@nexgenappliances.com
I have no doubts that the subscriptions would be an awesome enhancement to the system. For me, it's more about the performance of the unit, how easy it is to work with, and how affordable the unit is. Being in the IT consulting world, we have a lot of partnerships with various vendors including a couple in the firewall space. But, the problem that we have is that most of those units come with features that, in our current environment setup, we would never use and it becomes hard to justify paying for those features if we are never using them. We are in a similar boat with the Zywall in that we are paying for features that we can't use because of performance issues.
I guess what I'll do is download the software, give it a go, and see how well it works before making a decision. I did check out the Untangle Appliance site and saw some of those offerings. That site is good because it helps me to compare the performance needs to the type of hardware needed. For example, it shows a Dual-core Atom at being good for about 20 users or so and the NG25 and NG50 being good for about 50 or so users (I'm assuming that those units are either running on high-end Dual-core Atoms or ULV Core 2 Duos). If that is the case, then what we would be using would be overkill in comparison (likely would be a Dell R610 or R710 with 8-16GB of ram and 143GB 15K SAS disks on a RAID 1) although I haven't actually made a decision on what hardware to purchase just yet.
Posting Permissions
LinkBack URL
About LinkBacks