Easy Time Sync

Started by BrandyWine, September 24, 2025, 09:11:43 AM

UTM is the current model. Debating that goes into the realm of philosophy or strong opinions which does not lead us any further on this platform. I run all my OPNsense firewalls as UTMs. If I did not I would pick a different product. The value of OPNsense is exactly that it can run all the essential infrastructure services. A layer 3 switch can do "firewalling" without anything else. Just a pain to manage.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: meyergru on September 24, 2025, 09:30:38 PM
If I were to do that, I would not use OpnSense as the router/firewall at all. OpnSense's value lies in that it can do most of the "gateway" work for sake of it being a full Unix-like machine. If I wanted to separate all of the services like DNS, DHCP and such out, there sure were some more specialised appliances for that, but frankly, those are more or less applicable in enterprise-grade installations, like Patrick said.

Then again, for small and medium businesses and home lab users, OpnSense alone does the trick and why should I convolute a fully working setup by using two OpnSense installations?
It's the balance between bad model UTM and better security.
You can have "UTM" with all the services bundled on one device, just as they are available from free OPNsense, but install that onto a 2nd mini pc. It's no different than starting up a new host/server that's not a vm so those services are always available. Plus, you'll be taking abuse off the actual fw NVMe SSD, so it will last longer. ;)

Not very convoluted at all.
Mini-pc N150 i226-V

September 24, 2025, 10:07:15 PM #32 Last Edit: September 24, 2025, 10:11:11 PM by BrandyWine
Quote from: Patrick M. Hausen on September 24, 2025, 09:41:37 PM
UTM is the current model. Debating that goes into the realm of philosophy or strong opinions which does not lead us any further on this platform. I run all my OPNsense firewalls as UTMs. If I did not I would pick a different product. The value of OPNsense is exactly that it can run all the essential infrastructure services. A layer 3 switch can do "firewalling" without anything else. Just a pain to manage.
Yes, choosing the UTM model sacrifices security. So easier to manage, less security. There's no argument to be had there.

Installing another OPNsense as UTM on the lan still provides the services you need, and access to those services has fw in front of them. You can then take out all of the non-fw services from actual fw, leaving actual fw to do fw-only work. So you still have all the UTM services w/o sacrificing edge security.

Thus far we're just talking about the non-sec stuff (dns ntp dhcp, etc). We still have vpn, ids/ips, etc. I prefer those services to run somewhere else too, many times in a dmz behind fw. But, there's "UTM" again to save everyone, just run fw,vpn,ids-ips on one device. It's just cruddy to take down inet access when an issue in vpn or ids requires a reboot of fw.

"UTM" used to be only sec services related (fw, vpn, ids-ips, etc). Now it has morphed into sec and non-sec services. Again, ok for mgmt reasons, but sacrifices sec risk. Layered security is and has always been a better model than UTM.

Obviously I am no fan of UTM, at least not when deployed as edge security.

Anyways, cron ntpdate, or ntpd -q with some config, keep time good. I took the easy route that works. ;)
Mini-pc N150 i226-V
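The "cron ntpdate" route mentioned in the post above, written out as an added example (not code from the thread or from OPNsense): the script runs `ntpdate -q` (query only, no clock change), parses the reported offset, and stays silent unless the drift exceeds a threshold, so cron's mail becomes the alert. `NTP_SERVER`, `THRESHOLD_MS` and `LIVE` are assumed names, and the embedded `ntpdate -q` output is constructed sample data.

```shell
#!/bin/sh
# Cron-friendly drift check around `ntpdate -q`. Assumed design, not from
# the thread: only step the clock, and print anything, when the reported
# offset exceeds THRESHOLD_MS. NTP_SERVER, THRESHOLD_MS and LIVE are
# assumed names; the sample output below is constructed.

NTP_SERVER=${NTP_SERVER:-pool.ntp.org}
THRESHOLD_MS=${THRESHOLD_MS:-500}

# Offset in seconds taken from the "adjust time server ... offset X sec" line.
ntp_offset_seconds() {
    printf '%s\n' "$1" | awk '/adjust time server/ {
        for (i = 1; i <= NF; i++) if ($i == "offset") { print $(i + 1); exit }
    }'
}

# Absolute value of a signed fractional-second offset, in whole milliseconds.
abs_ms() {
    awk -v v="$1" 'BEGIN { if (v < 0) v = -v; printf "%d\n", v * 1000 + 0.5 }'
}

# 0 = within tolerance, 1 = drift beyond threshold, 2 = output not parseable.
drift_check() {
    off=$(ntp_offset_seconds "$1")
    [ -n "$off" ] || return 2
    [ "$(abs_ms "$off")" -le "$THRESHOLD_MS" ] || return 1
    return 0
}

# Constructed samples: a healthy host and one that drifted about 1.7 s.
SAMPLE_OK='server 192.0.2.10, stratum 2, offset -0.000436, delay 0.02818
24 Sep 22:07:15 ntpdate[1234]: adjust time server 192.0.2.10 offset -0.000436 sec'
SAMPLE_DRIFT='server 192.0.2.10, stratum 2, offset 1.734210, delay 0.02818
24 Sep 22:07:15 ntpdate[1234]: adjust time server 192.0.2.10 offset 1.734210 sec'

# With LIVE=1 query the real server; otherwise evaluate the constructed sample.
if [ "${LIVE:-0}" = "1" ]; then
    out=$(ntpdate -q "$NTP_SERVER" 2>&1)
else
    out=$SAMPLE_DRIFT
fi
drift_check "$out"; rc=$?
case $rc in
    0) ;;   # in tolerance: print nothing, so cron sends no mail
    1) echo "ntpcheck: drift beyond ${THRESHOLD_MS} ms, stepping clock" >&2
       [ "${LIVE:-0}" = "1" ] && ntpdate -u "$NTP_SERVER" ;;
    *) echo "ntpcheck: could not parse ntpdate output: $out" >&2 ;;
esac
```

Run it from cron with `LIVE=1`; a `THRESHOLD_MS` around a few hundred milliseconds keeps it from stepping on normal jitter while still catching a host whose clock has slipped by seconds.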

Two machines = more firewall rules to redirect traffic to a second machine, two configurations to backup, twice the hardware or multiple VMs (which I dislike for FW appliances for security reasons) ... need I say more?

We are not talking security architectures for large enterprises or high-value targets like banks (which I have developed myself) where you use redundant systems from different vendors to rule out specific platform weaknesses that UTM systems could have.

BTW: If that were the target, two OpnSenses would be a bad choice (tm).

Again, this is beside the point and purely philosophical, and has little to do with the initial approach.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

September 24, 2025, 10:21:46 PM #34 Last Edit: September 24, 2025, 10:29:50 PM by BrandyWine
Quote from: meyergru on September 24, 2025, 10:08:25 PM
Two machines = more firewall rules to redirect traffic to a second machine, two configurations to backup, twice the hardware or multiple VMs (which I dislike for FW appliances for security reasons) ... need I say more?

Yep, just two, basically identical, one with non-sec services, the other w/o. Not that hard.

Rules for NTP, DNS, DHCP? So maybe 5 inbound access rules on LAN port. You could also just create one rule to allow local nets access to the local non-sec services. DHCP would hand out settings for 2nd device LAN IP for DNS NTP, etc. Nothing really to configure at all, and, you can then manage those services w/o worrying about touching the edge fw. I always cringe when I hear an admin say "hold on a sec, I need to update a dns setting, let me ssh into the fw to do that". Another benefit, when a new version of OPNsense comes out you can install it on the 2nd device 1st, if that goes well then install on actual fw. Update NVM on 2nd device 1st, try out new ZFS setting on 2nd device 1st.

Shall we visit the versions forums, "I upgraded and now it's hosed, unbound not working, won't boot, upgrade is stuck in infinite loop".

I can Pros & Cons all day. ;)

The 2nd device is not gonna be doing much routing of anything. Client services stay on LAN port, any outbound traffic will be from the device itself (updates, dns query, getting NTP sync update, etc).
Mini-pc N150 i226-V

All of this discussion changes if you move into PTP, no local clocks are solid enough to keep the tolerance over a several hour period. And PTP is another security measure that some places are rolling out, if you aren't on time, you get no access to the requested resource. Also becoming the default sync for audio and video over IP. SMPTE ST 2110 leverages PTP heavily, not for security but for signal sync. This replaces things like BlackBurst and Tri-level sync and since it's adaptive, it's more accurate and finer grained too.

Kind of off topic, but something people in IT should be thinking about in case they ever work on a system at a TV station. https://blogs.cisco.com/industries/take-your-st-2110-workflow-to-the-next-level