Standard User Gerbil
(newbie) Mon 05-Nov-18 21:15:41

Re: Network security devices


[re: Michael_Chare]
Well that's just bizarre. I signed up to bridge mode as a £5 a month addon less than two weeks ago and it activated within about two minutes with my Draytek router showing that it was picking up the Gigaclear external IP via DHCP. Now having seen your message I've checked the Gigaclear portal and it's now showing as a zero cost option that I have enabled.

Gigaclear seem to be a bit disorganized.
a) I've not received an email telling me that they now were giving me bridge mode for free
and
b) they're telling you that you have to wait for something they managed to activate on my line in about two minutes flat.

Have you checked https://portal.gigaclear.com to see whether you can order it?

Edited by Gerbil (Mon 05-Nov-18 21:17:45)

Standard User Michael_Chare
(fountain of knowledge) Mon 05-Nov-18 23:29:27

Re: Network security devices


[re: Gerbil]
I agree that Gigaclear are a bit disorganized! It took me two attempts to get a sensible answer. I believe that I could place an order, I think for £5pm. As it is I am waiting until they tell me that the free service is available for residential customers. They have promised to advise me.

One issue is what I would have downstream of the bridge. I would quite like a box running pfSense. The challenge is to find something that will pass data at say 900Mbps but is not too expensive. I quite like the Qotom products, but they come from China and I would possibly have to pay customs duty, VAT and a customs processing fee.

Michael Chare
Standard User ukhardy07
(knowledge is power) Tue 06-Nov-18 19:00:09

Re: Network security devices


[re: Michael_Chare]
I just want to add my two cents to this discussion. When you implement open source you run the risk that it is compiled from one of a multitude of random repositories, and often, as things are compiled, the developer is not performing adequate checks for security vulnerabilities. This makes ensuring that open-source code is secure quite challenging. Within an internal network this is less of a concern, as the chance of exploitation is somewhat restricted... For a firewall, this becomes the first line of defence and is internet facing; as such, you want to ensure you are guaranteed to receive adequate security patching on a permanent basis. You also need to be ready to check for vulnerabilities and patches, and perform updates to address any critical/high vulnerabilities ASAP. With open source there are no guarantees patches will be released for vulnerabilities/loopholes in a timely manner.

I would assume if you are looking to implement this technology, you have some concerns and want to protect something internally?

Edited by ukhardy07 (Tue 06-Nov-18 19:01:50)


Standard User Michael_Chare
(fountain of knowledge) Tue 06-Nov-18 22:41:24

Re: Network security devices


[re: ukhardy07]
In reply to a post by ukhardy07:
I would assume if you are looking to implement this technology, you have some concerns and want to protect something internally?
I don't really have that much! I do get many 'Hello...' emails with a link that I avoid. I do wonder where they originate from and what they might do.

Cost is a factor. Firewall vendor supplied hardware really needs a software maintenance contract to ensure that it is kept up to date and that tends to be expensive for a domestic situation. pfSense with Suricata is a cheaper alternative. I would think that the official Netgate version of pfSense is fairly secure.

Michael Chare
Standard User jabuzzard
(member) Wed 07-Nov-18 09:49:50

Re: Network security devices


[re: caffn8me]
At which point you might as well save yourself some dosh and get, say, a Ubiquiti EdgeRouter 4 or equivalent Mikrotik for less cash that is fanless and lower power and for which support does not run out in three years' time, rendering the device useless.

Standard User jabuzzard
(member) Wed 07-Nov-18 13:51:01

Re: Network security devices


[re: ukhardy07]
Not that load of utter rubbish that open source is not secure again. Let's see: has OpenWRT had hard-coded back door accounts? Nope, but a certain market leader beginning with a C has. The idea that pfSense, VyOS or OpenWRT are not secure is a complete and utter joke. Anyone spouting that sort of rubbish should not be taken seriously.

Standard User ukhardy07
(knowledge is power) Wed 07-Nov-18 14:08:27

Re: Network security devices


[re: jabuzzard]
I disagree. I have worked with a number of high-profile forensics cases where organisations have been compromised and this has resulted in exposure of mass customer personally identifiable information (PII). The underlying root cause has been open-source applications, with vulnerabilities not patched by the open-source community.

You only have to perform a quick Google search to find instances where 100+ million customers' details have been compromised, and forensic investigators pointed towards open-source applications as a root cause. I will leave the argument here.

Given the choice, I would choose a vendor product with guaranteed support over open source, although I do appreciate open source is very valuable and should not be disregarded.

Standard User zzing123
(learned) Wed 07-Nov-18 15:38:13

Re: Network security devices


[re: Michael_Chare]
There's a good guide explaining how to do No-NAT filtering on Multi WAN and Multi LAN with pfSense here: http://blog.martinshouse.com/2012/01/multi-wan-multi... and as if it's any surprise, the blogger is using AAISP which would be the path of least resistance in terms of ISPs.

Irrespective of the Multi-WAN and LAN the blogger uses (which I expect you won't need), the transparent filtering via 2 ports in bridge mode on the router is exactly what you'd need.

If/when Gigaclear do allow you to bridge the device so their router is relegated to just modem duties, then pfSense can be reconfigured to handle the WAN directly - I don't know what Gigaclear use, but I expect it'd be PPPoE which pfSense can easily handle too, however the filtering doesn't change all that much.

In terms of the security related stuff, the thing you'll want is to use Suricata, which pfSense has as a package. This is quite a pain to set up (here's a video guide: https://www.youtube.com/watch?v=KRlbkG9Bh6I), and will take a week or so of trial and error to 'bed in'. Security is never an 'on/off' switch.

Now while just about any hardware can handle 1Gbps WAN and routing, doing full IPS (intrusion prevention) is entirely a different matter in terms of performance.

To give an example, the £250 Ubiquiti USG Pro-4 is a great dual-WAN router and can easily handle 2x 1Gbps WANs. However, for Suricata (IPS), it only boasts 250Mbps of IPS throughput. The cheapo USG, only 85Mbps. To get the full 1Gbps of IPS throughput, you need the £2,000 USG-XG, which otherwise does 8x 10GbE routing.

It'll be the same with pfSense: you'd need the £2,000 XG-1541 (same spec as the USG-XG) to do Suricata at 1Gbps. However, if you can compromise, I suggest getting one of the mid-range pfSense boxes like the XG-7100 or, if you can find one, what I use, the SG-4860. These use the Atom C2000/C3000 processors, which are more than adequate. I've not benchmarked the maximum speed of Suricata on these machines, but I can say that it's not a bottleneck on 2x 80Mbps FTTC lines. However, I did spend £500 for the privilege of having a proper firewall.

You can peruse all Ubiquiti and pfSense hardware at their UK distributors: https://www.msdist.co.uk/ubiquiti and https://shop.amicatech.co.uk/hardware/pfsense.html
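
As an added illustration of the "bedding in" the post above describes (example code, not from the poster or the pfSense/Suricata projects): once Suricata is running in IPS mode, the first week is mostly spent reading eve.json to see which rules fire, which external hosts are just scanning, and, far more important, whether anything on the LAN side is alerting outbound. The script below parses constructed Suricata EVE JSON alert lines (not a real capture; the signature IDs sit in the local-rule range and the names are invented for this example) and assumes the pfSense LAN is 192.168.1.0/24.

```python
import json
from collections import Counter

# Assumption: the pfSense LAN is 192.168.1.0/24; anything else is "the internet".
LAN_PREFIX = "192.168.1."


def _eve(ts, src, dst, dport, sid, signature, severity, action, event_type="alert"):
    """Build one EVE JSON line in the shape Suricata writes to eve.json."""
    record = {"timestamp": ts, "event_type": event_type, "src_ip": src, "src_port": 51234,
              "dest_ip": dst, "dest_port": dport, "proto": "TCP"}
    if event_type == "alert":
        record["alert"] = {"action": action, "gid": 1, "signature_id": sid, "rev": 1,
                           "signature": signature, "category": "Constructed", "severity": severity}
    return json.dumps(record)


# Constructed sample, not a real capture. SIDs 1000001+ are the local-rule range
# and the signature names are made up for this example.
SAMPLE_EVE_LINES = [
    _eve("2018-11-07T10:00:01.000000+0000", "203.0.113.5", "192.168.1.10", 22,
         1000001, "LOCAL SCAN inbound SSH probe", 2, "allowed"),
    _eve("2018-11-07T10:00:02.000000+0000", "203.0.113.5", "192.168.1.10", 22,
         1000001, "LOCAL SCAN inbound SSH probe", 2, "allowed"),
    _eve("2018-11-07T10:00:03.000000+0000", "203.0.113.5", "192.168.1.10", 3389,
         1000002, "LOCAL SCAN inbound RDP probe", 2, "blocked"),
    _eve("2018-11-07T10:00:04.000000+0000", "192.168.1.23", "198.51.100.9", 443,
         1000010, "LOCAL MALWARE outbound beacon to listed C2 host", 1, "blocked"),
    _eve("2018-11-07T10:00:05.000000+0000", "192.168.1.23", "192.168.1.1", 53,
         0, "", 0, "", event_type="flow"),      # non-alert record, must be skipped
    '{"timestamp": "2018-11-07T10:00:06',        # truncated line, e.g. read mid-write
    _eve("2018-11-07T10:00:07.000000+0000", "203.0.113.5", "192.168.1.10", 80,
         1000003, "LOCAL POLICY inbound HTTP to LAN host", 3, "allowed"),
]


def parse_eve(lines):
    """Yield only well-formed alert events. eve.json also carries flow, dns, http
    and stats records, and a half-written last line is normal on a live file."""
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") == "alert" and isinstance(event.get("alert"), dict):
            yield event


def triage(lines, lan_prefix=LAN_PREFIX, noisy_threshold=3):
    """Summarise alerts the way a first look at a new IPS needs: what fired most
    (rule tuning candidates), which sources hammer the WAN (noise), what the IPS
    actually dropped, and which alerts were raised by a LAN host talking outbound,
    since those point at an internal compromise rather than background scanning."""
    by_signature = Counter()
    by_source = Counter()
    blocked = 0
    outbound = []
    severity1 = []
    for ev in parse_eve(lines):
        alert = ev["alert"]
        by_signature[(alert["signature_id"], alert["signature"])] += 1
        by_source[ev["src_ip"]] += 1
        if alert.get("action") == "blocked":
            blocked += 1
        if alert.get("severity") == 1:          # in Suricata, 1 is the highest severity
            severity1.append(ev)
        if ev["src_ip"].startswith(lan_prefix) and not ev["dest_ip"].startswith(lan_prefix):
            outbound.append(ev)
    noisy = sorted(src for src, n in by_source.items() if n >= noisy_threshold)
    return {"alerts": sum(by_source.values()), "blocked": blocked,
            "by_signature": by_signature, "by_source": by_source,
            "noisy_sources": noisy, "outbound": outbound, "severity1": severity1}


if __name__ == "__main__":
    report = triage(SAMPLE_EVE_LINES)
    print(f"{report['alerts']} alerts, {report['blocked']} dropped by IPS")
    for (sid, name), n in report["by_signature"].most_common():
        print(f"  sid {sid}: {n:3d}  {name}")
    print("noisy external sources:", report["noisy_sources"])
    for ev in report["outbound"]:
        print("OUTBOUND from LAN host", ev["src_ip"], "->", ev["dest_ip"], ":",
              ev["alert"]["signature"])
```

Run it against the real file with `triage(open("/var/log/suricata/<iface>/eve.json"))`; the interface-specific log path on pfSense varies by version, so check the Suricata package's log settings rather than relying on the path here. Rules that dominate `by_signature` with no `outbound` hits are the usual candidates for suppress lists during the first week.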
Standard User jabuzzard
(member) Wed 07-Nov-18 15:57:49

Re: Network security devices


[re: ukhardy07]
And I have seen commercial software hit by zero-day vulnerabilities. All the issues I have seen of the sort that you have raised have been fixed upstream, but patches have not been applied.

A recent case of commercial software with issues was Mikrotik routers being hit, oh but it was patched by the vendor months before it was being exploited. All software has bugs, and all software is likely to have zero-day vulnerabilities whether it is commercial or open source. You just have to have a policy of applying patches in a timely manner.

To suggest that open source is inherently less secure is uninformed rubbish.

Standard User ukhardy07
(knowledge is power) Wed 07-Nov-18 16:27:09

Re: Network security devices


[re: jabuzzard]
I agree with you in the main until the last line...
A vendor who is paid significant sums is more likely to patch security vulnerabilities, and often this is enforced with SLAs. I see relatively few organisations with a solid grasp of software composition analysis where they utilise open source. I also see very few organisations with solid inventories enabling them to identify open-source vulnerabilities and patch. The fact is, open source is overlooked far more often and patches can be hard to come by at times. You rely on the community far more.

Organisations have a real risk with open source and it is a challenge the industry is trying to overcome.

And of course zero-days exist; that's beside the point here. Vendor products have security loopholes, which to my point require patching.
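
The two posts above argue past each other on one practical point they actually agree on: a patch only helps if you know which box runs the affected version. The script below is an added example (not from either poster, and not any vendor's tool) of the minimal inventory-versus-advisory join that software composition analysis boils down to. Both the inventory and the advisory feed are constructed for the example; the advisory IDs are placeholders, not real CVE or vendor numbers, and the version numbers are made up.

```python
import re

# Constructed inventory of open-source components on two firewall boxes.
# Versions are made up for this example; the component names are generic.
INVENTORY = {
    "firewall-a": {"suricata": "4.0.5", "openssl": "1.0.2p", "unbound": "1.8.1"},
    "firewall-b": {"suricata": "4.1.0", "openssl": "1.1.1", "unbound": "1.7.3"},
}

# Constructed advisory feed. The affected range is [affected_from, fixed_in).
# The IDs are placeholders, not real CVE or vendor advisory numbers.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "suricata", "affected_from": "4.0.0",
     "fixed_in": "4.0.6", "severity": "high"},
    {"id": "ADV-EXAMPLE-2", "package": "openssl", "affected_from": "1.0.2",
     "fixed_in": "1.0.2q", "severity": "critical"},
    {"id": "ADV-EXAMPLE-3", "package": "unbound", "affected_from": "1.0.0",
     "fixed_in": "1.8.0", "severity": "medium"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version):
    """Turn '1.0.2p' into a tuple that compares the way upstream numbering does:
    numeric parts compare as integers and a trailing letter run (OpenSSL style)
    sorts after the bare number, so 1.0.2 < 1.0.2p < 1.0.2q < 1.1.1.
    Pre-release tags such as '-rc1' are NOT handled here; they would sort above
    the final release, so strip or special-case them before relying on this."""
    return tuple((0, int(tok)) if tok.isdigit() else (1, tok.lower())
                 for tok in re.findall(r"\d+|[A-Za-z]+", version))


def is_affected(installed, advisory):
    """True when the installed version falls inside the advisory's affected range."""
    v = parse_version(installed)
    return parse_version(advisory["affected_from"]) <= v < parse_version(advisory["fixed_in"])


def find_exposures(inventory, advisories):
    """Join the inventory against the advisory feed and return the hosts that
    still run an affected version, worst severity first. A component that is
    missing from the inventory is never reported, which is exactly why the
    inventory has to be complete before any of this is useful."""
    findings = []
    for host, packages in sorted(inventory.items()):
        for adv in advisories:
            installed = packages.get(adv["package"])
            if installed is not None and is_affected(installed, adv):
                findings.append({"host": host, "package": adv["package"],
                                 "installed": installed, "fixed_in": adv["fixed_in"],
                                 "advisory": adv["id"], "severity": adv["severity"]})
    findings.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 9), f["host"], f["package"]))
    return findings


if __name__ == "__main__":
    for f in find_exposures(INVENTORY, ADVISORIES):
        print(f"{f['severity']:8s} {f['host']}: {f['package']} {f['installed']} "
              f"(fix: upgrade to {f['fixed_in']}, {f['advisory']})")
```

In practice the inventory comes from the package manager on each box (`pkg info` on pfSense/FreeBSD) and the advisory feed from the distribution's or project's security announcements; the join and the version comparison are the part people get wrong, usually by string-comparing versions, which would rank "1.0.2p" above "1.10.0".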