Tyler Roy asked:
Can Unifi APs match the security of FortiAPs? Does the security offered by FortiAPs justify the massive cost difference?

Does anyone know where there would be some best practices posted about how to properly secure Ubiquiti Unifi Access Points while using a Fortinet Router? We are looking at setting this type of system up instead of going with the far more expensive FortiAPs. Is the additional security claimed by FortiAPs worth the massive jump in cost?
David Johnson, CD:
Glad you asked. An Access Point is an Access Point. The difference is the number of concurrent connections that the AP can handle (the CPU/networking internals horsepower). They really don't have security; it is the router/firewall that provides the security. What you give up is the one pane of glass to manage the network by mixing manufacturers. (Don't forget the licensing fees that, if not paid, turn the hardware into bricks.)
Tyler Roy (asker):
Wow, that is 100% what I thought. It's weird, I was looking at the specs of some of these high priced (and licensed) models and the security they boast about is normally things I would attribute to a router sniffing packets and comm lines throughout its visible scope. I do truly appreciate your assistance on this. I've got to say, the money spent on just finding colleagues with Experts Exchange continually pays for itself 100s of times over. Thank you again.

P.S. I am currently working my way through the network controller software, which I love. But I did see Unifi has a network controller device and it is not that expensive. Would you say it's worth it? Currently I'm just using a Windows Server VM to host it.
David Johnson, CD:

For the basics the Unifi USG/Dream Machine are fine. I use pfSense/OPNsense for more than the basics. Again, another pane of glass to work with. The routing/firewalls are IMO Unifi's biggest downfall as they are underpowered, i.e. IDS/IDP/|Tails will cut your throughput a lot. So a Netgate 4100 is more than sufficient for most medium sized businesses with IDS/IDP enabled. Or just use a virtual machine.
Craig:

An Access Point is an Access Point.

Wrong!

Different APs can support different standards, frequencies, encryption methods, intelligence protocols, etc. That isn't all done at a controller, for example.

They really don't have security it is the router/firewall that provides the security.

Again, wrong.

UTMs may be able to "do Wi-Fi" and control APs, but even then the security isn't at the router/firewall. For example, with Cisco enterprise APs controlled by a WLC you can deploy ACLs at the AP itself for imposition on client traffic, or even apply SGTs to client packets before they hit the wired network (if you use FlexConnect or Fabric).

The OP asks:

how to properly secure Ubiquiti Unifi Access Points while using a Fortinet Router

and

Is the additional security claimed by FortiAPs worth the massive jump in cost?

Both questions are valid and can be answered in many ways. Using an AP/WLAN system from one vendor whilst using a different vendor's router/firewall is a common scenario. As long as you follow best-practices it doesn't matter what the combination is.

Using an all-in-one solution can be advantageous in some scenarios, and that might make the Fortinet solution attractive. Sure, if you use all their gear you can do some pretty comprehensive stuff, but not a lot more than you could do in a multi-vendor environment. If you want a single pane of glass for management though you are often forced into single-vendor solutions, but even then sometimes it's not that easy.
David Johnson, CD:

Craig: Your answer is valid but not in the context of this question, which is:

Can Unifi APs match security of FortiAPs? Does the security offered by FortiAPs justify the massive cost difference?

Cisco enterprise solutions are at a price level much greater than the asker's environment.

with Cisco enterprise APs controlled by a WLC you can deploy ACLs at the AP

At what price for Catalyst APs and what licensing cost? We are comparing SMB products, not Enterprise products. Specifically Fortinet vs Ubiquiti.

Cisco/Ruckus do have their use case scenarios.

Wi-Fi 6 is a great upgrade to the Wi-Fi standard; unfortunately a majority of the devices are still limited to 2.4G and transitioning to 2.4G/5G and the older standards.

Only really new devices support the 6GHz band, and add-on 2.4/5/6GHz adapters are double the price of 2.4/5 adapters.

I would be overjoyed when IoT devices all support Wi-Fi 6, but I don't see that in the near future. (Chicken/Egg Problem)

As for encryption methods and intelligence protocols: only if the client ALSO supports it. If my adapter/TCP/IP stack only supports 3DES then the WAP also has to support 3DES and not AES-1024 (just an example, not a real-world item).

Perhaps you were thinking of A/B/G/N/AC.
Tyler Roy (asker):

Craig, thank you for your insight into this. Unfortunately I think I might be missing something. It sounds like the mixing of Fortinet with Unifi is a somewhat normal process, but I am still concerned that the security Fortinet says their APs are imbued with is a major benefit over that of Unifi's. The Fortinet will run all packet inspection regardless of which AP. And if the APs are segregated via VLANs to increase security (corporate from guest), is there a sufficient justification to spend several times the amount of money per access point? I'm sorry if I missed something in your post.

I am sorry if my questions have caused some consternation amongst others. My main overall goal was to install new Fortinet routers at each of my 4 locations with a total of 30 access points, which is possible using Fortinet/Unifi. Going all Fortinet jumps that price tag considerably. I completely understand that this is not an "enterprise" environment necessitating the use of full Cisco style equipment (although I do run Catalyst Layer 2 switches), but I do want to make sure I get as secure an environment as I can whilst staying within a budget I think is somewhat reasonable. And justifying that jump in cost is tough to do. (The jump is roughly 4x). My apologies again if I have caused any issues between the people helping me, which I greatly, greatly appreciate. Thank you again.
Craig:

@David...

cisco enterprise solutions are at a price level much greater than the askers environment.

That's irrelevant. I was highlighting the fact that your statement "an AP is an AP" is incorrect.

At what price for Catalyst AP's and what licensing cost? We are comparing SMB products not Enterprise products. Specifically Fortinet vs Ubiquiti.

Again, irrelevant. Also, if you look at the Cisco Aironet vs Meraki argument, which squarely puts Meraki in the SMB arena, costs for APs are roughly the same.

unfortunately a majority of the devices are still limited to 2.4G and transitioning to 2.4G/5G and the older standards.

Not completely accurate. Most user devices are dual-band. IoT devices are mainly limited to 2.4GHz by design.

as for  encryption methods, intelligence protocols only if the client ALSO supports it

Again, wrong on some of that, and you kind of changed the context too. Things such as spectrum analysis are not client-focused features, but are built into APs in order to provide intelligence to the WLAN. Yes, encryption and authentication methods can only be used if the client supports them, but as I said, some APs support what others don't, so in the case of WPA3 as an example, that negates the argument that an AP is an AP, as some don't support WPA3 at all.

Perhaps you were thinking of A/B/G/N/AC

No. Perhaps you're not aware that I'm actually a Wireless LAN Architect for one of the world's largest technology companies that is a Cisco and Fortinet partner.

Also, just for info, the FortiAP solution is actually what became of Meru, which wasn't a cheap solution - certainly nowhere near as cheap as UniFi. At one point most people either went Cisco or Meru, depending on whether they fell for the single-channel architecture voodoo or not.


@Tyler:

The Fortinet will run all packet inspection regardless of which AP. And if the APs are segregated via VLANs to increase security (corporate from guest), is there a sufficient justification to spend several times the amount of money per access point?

If traffic hits the FortiGate firewall it can be inspected, regardless of the AP/switch that passed the traffic to it. Same for VLANs - it doesn't matter as long as the traffic gets to the FortiGate. If it were me I'd go with whatever APs I feel comfortable with and whatever router/firewall I want to use.
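To make the point above concrete, here is an added FortiOS CLI fragment (not posted by anyone in the thread) showing the FortiGate side of the corporate/guest VLAN split: the SSIDs are tagged to VLAN 10 and VLAN 20 on the APs (in UniFi, by assigning each SSID to a network with that VLAN ID), and all inspection and segmentation happens in the firewall policies, whichever vendor's AP forwarded the frame. Interface names, VLAN IDs, addresses and the "default" profile names are assumptions for the example.

```fortios
# Added example. Assumed: the AP switch trunk lands on "internal"; VLAN 10 = corporate SSID, VLAN 20 = guest SSID.
config system interface
    edit "corp_vlan10"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set interface "internal"
        set vlanid 10
    next
    edit "guest_vlan20"
        set vdom "root"
        set ip 10.10.20.1 255.255.255.0
        set interface "internal"
        set vlanid 20
    next
end
config firewall policy
    # Guest SSID: internet only, full UTM inspection on the FortiGate, every session logged.
    edit 10
        set name "guest_to_wan_inspected"
        set srcintf "guest_vlan20"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set logtraffic all
        set nat enable
    next
    # Guest must never reach corporate. FortiOS drops unmatched traffic implicitly;
    # an explicit, logged deny makes attempts visible in the traffic log.
    edit 11
        set name "guest_to_corp_deny"
        set srcintf "guest_vlan20"
        set dstintf "corp_vlan10"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

The same policies apply whether the guest frame came from a UniFi AP, a FortiAP or any other AP, which is why the router/firewall, not the AP, decides what inspection the traffic gets.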
David Johnson, CD:

Fortinet says their APs are imbued with is a major benefit over that of Unifi's.

And Ford says their cars are better than Toyota's :-)

What exactly are they saying is better? Citation?

Tom at Lawrence Systems' recommendation is not Ubiquiti as a firewall, due to the limitations that I previously discussed:

https://youtu.be/ZI7zt1Vf8vE

What features do you need and what do you want? How much do you want to pay?
ASKER CERTIFIED SOLUTION: David Johnson, CD
Tyler Roy (asker):

Thank you for all your feedback. I think the Fortinet option with Unifi Wireless is the approach I am going to take.
Craig:

Pretty sure I said that?!
Tyler Roy (asker):

After reviewing your comment again, it looks like you both said essentially the same thing. I apologize; I think I got a little sidetracked with the bit of back and forth between you and David.