Standard User zzing123
(learned) Wed 07-Nov-18 16:38:46

Re: Network security devices


[re: ukhardy07]
 
Especially when most commercial vendors use, package and help maintain said open source stuff. Ubiquiti for example is almost entirely prepack OSS. And pfSense is almost entirely a commercial operation now. Microsoft has their own Linux distro and SQL Server works on linux. The point being commercial vs. open source is a very blurry line. Thank god though that everyone seems to standardise around things like OpenSSL, Suricata and the important bits and contribute to them jointly for everyone's benefit: OSS and Commercial.

The reality of the matter is the support contract and SLA is definitely a required business model for companies, but increasingly it's a holistic solution on bigger bundles of items. Dell recently sold our gullible managers a VX Rail, but it's paid over 5 years with an iron clad support agreement inclusive of everything from hardware to VMWare patching and the related SonicWall appliance (yes, I had no say in the matter <sigh>).
Standard User caffn8me
(eat-sleep-adslguide) Wed 07-Nov-18 17:37:16

Re: Network security devices


[re: jabuzzard]
 
In reply to a post by jabuzzard:
At which point you might as well save yourself some dosh, and get say a Ubiquiti EdgeRouter 4 or equivalent Mikrotik for less cash that is fanless and lower power and for which support does not run out in three years time rendering the device useless.
I use EdgeRouters but they don't have the transparent drop-in capability of WatchGuards so would require a reconfiguration of the setup - something which the OP wanted to avoid. Now it seems that bridge mode is possible, that's not an issue.

I'm not sure what you mean by 'useless'. All basic security functions of a WatchGuard continue to work after the licence expires - including things like application proxies, NAT, WAN load balancing etc. As a security device they're still more sophisticated than any of the Ubiquiti devices - even with an expired licence.

What you do lose is the ability to update in the event of a significant security bug or to add new features. Things like gateway antivirus, geolocation blocking and spam filtering require an additional subscription beyond the basic support package, so they don't come as standard on the lowest priced support options anyway.

I would avoid Mikrotik completely given the poor history of security, the results of which I have experienced first hand. Since I posted that I'd identified four compromised Mikrotik routers, there have been quite a few more. Just looking at today's firewall logs I see this one has been compromised and is probing my connections. I shall be reporting this to the ISP later.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
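The post above describes spotting a compromised router in the day's firewall logs because it is probing many ports, then gathering what is needed for an abuse report to the ISP. The following is an added example of that triage step, not code from the poster or from any firewall vendor: it parses a small constructed set of block-log lines (the `filterlog:` comma-separated layout and every address and port in `SAMPLE_LOG` are assumptions made for this example, not a real capture), flags any source that hits several distinct destination ports within a short window, and summarises first/last seen and the port list for the flagged source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall block log (syslog-style). The field layout after
# "filterlog:" (action,dir,iface,proto,src,dst,dport) is an assumption for this
# example; addresses are documentation ranges, ports are arbitrary sample values.
SAMPLE_LOG = """\
Nov  7 17:01:12 fw filterlog: block,in,em0,tcp,198.51.100.23,203.0.113.5,22
Nov  7 17:01:13 fw filterlog: block,in,em0,tcp,198.51.100.23,203.0.113.5,23
Nov  7 17:01:15 fw filterlog: block,in,em0,tcp,198.51.100.23,203.0.113.5,8291
Nov  7 17:01:16 fw filterlog: block,in,em0,tcp,198.51.100.23,203.0.113.5,8728
Nov  7 17:01:20 fw filterlog: block,in,em0,tcp,198.51.100.23,203.0.113.5,443
Nov  7 17:02:02 fw filterlog: block,in,em0,tcp,192.0.2.77,203.0.113.5,443
Nov  7 17:02:40 fw filterlog: block,in,em0,udp,192.0.2.77,203.0.113.5,443
Nov  7 17:09:00 fw filterlog: block,in,em0,tcp,198.51.100.23,203.0.113.5,80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ filterlog: "
    r"(?P<action>\w+),(?P<dir>\w+),(?P<iface>\w+),(?P<proto>\w+),"
    r"(?P<src>[\d.]+),(?P<dst>[\d.]+),(?P<dport>\d+)$"
)


def parse_line(line, year=2018):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # syslog timestamps carry no year; collapse the padded day ("Nov  7")
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "action": m["action"], "proto": m["proto"],
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def find_probers(log_text, window=timedelta(minutes=5), min_ports=4, year=2018):
    """Return {src: max distinct ports seen within any `window`} for sources
    that reach `min_ports`. Repeated hits on one port do not count as probing."""
    events = [e for e in (parse_line(l, year) for l in log_text.splitlines())
              if e and e["action"] == "block"]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best, lo = 0, 0
        for hi, e in enumerate(evs):
            # slide the window start forward so it spans at most `window`
            while evs[lo]["ts"] < e["ts"] - window:
                lo += 1
            best = max(best, len({x["dport"] for x in evs[lo:hi + 1]}))
        if best >= min_ports:
            flagged[src] = best
    return flagged


def summarise(log_text, src, year=2018):
    """Collect the facts an abuse report needs for one source address."""
    evs = [e for e in (parse_line(l, year) for l in log_text.splitlines())
           if e and e["src"] == src]
    if not evs:
        return None
    return {"src": src,
            "first_seen": min(e["ts"] for e in evs),
            "last_seen": max(e["ts"] for e in evs),
            "hits": len(evs),
            "ports": sorted({e["dport"] for e in evs})}


if __name__ == "__main__":
    for src, n in find_probers(SAMPLE_LOG).items():
        s = summarise(SAMPLE_LOG, src)
        print(f"{src}: {n} distinct ports in one window; {s['hits']} hits "
              f"{s['first_seen']:%H:%M:%S}-{s['last_seen']:%H:%M:%S}; ports {s['ports']}")
```

Run against real logs, the regex and the year handling are the first things to adapt; the window and port threshold are a starting point, and a host that repeatedly hits one port (the second address in the sample) is deliberately not flagged, since that pattern is usually a stale client or a single-service brute force rather than a scan.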
Standard User Michael_Chare
(fountain of knowledge) Wed 07-Nov-18 17:50:27

Re: Network security devices


[re: zzing123]
 
Thank you for your interesting post. I have managed to buy a 2nd hand 4 port ethernet card which I will try in an old E6600 based PC with pfSense.

In some ways my problem is that I have been able to keep my Gigaclear G10 contract, which has a 10Mbps minimum speed and a theoretical maximum of about 940Mbps up and down. It would be a pity to install a firewall that slows this down too much!

A PC Engines APU2c4 would cost me about £200. A faster option is a Qotom Q355G4 with an Intel i5 processor and wifi. This would cost about £300 imported.

What was your motive for having a firewall?

Michael Chare



Standard User zzing123
(learned) Wed 07-Nov-18 19:38:50

Re: Network security devices


[re: Michael_Chare]
 
The PCEngines is way too underpowered for IPS, but just about OK for gigabit. The E6600 with a server adapter should be pretty much OK for IPS. Meanwhile the Qotom has AES-NI that will help accelerate VPNs if you use them. The Qotom was chosen by Ars in their 'Homebrew 2.0' router: https://arstechnica.com/gadgets/2016/04/the-ars-guid... - but trust me, messing with iptables like he does is seriously long grey beard stuff.

I would start with the E6600 and go from there. If it's not good enough, then an ebay buyer gets lucky.

Why I have a firewall? Mainly to separate my home lab stuff (I deal with a lot of cloud tech) and ensure the missus doesn't have her telly and Facebook time interrupted (that would cause injury). Cloud tech involves a lot of VLANs, VPNs and various SDN tech which needs a router that can handle it. If I used a proper cloud like AWS I'd be racking up several grand in bills every month. The IPS is not only good for filtering security, but it's also very good at detecting when an app is misbehaving too, because if you do anything funky with network protocols, it'll pick it up.

As for the missus, she is blissfully unaware that her 4K autobinge sessions on Netflix are protected by enterprise security, and in the meantime, fq_codel is making sure that her iPhone is the first to go 'ding'.
Standard User jabuzzard
(member) Fri 09-Nov-18 13:46:32

Re: Network security devices


[re: ukhardy07]
 
In reply to a post by ukhardy07:
I agree with you in the main until the last line...
A vendor who is paid significant sums is more likely to patch security vulnerabilities and often is enforced with SLAs. I see relatively few organisations with a solid grasp of software composition analysis where they utilise open source.


Right, so that worked out really well for the multi-billion-dollar company that is Broadcom.

https://www.theregister.co.uk/2018/11/08/upnp_spam_b...

What, five fricking years they had a known exploit and didn't fix it.

Then Cisco do this

https://www.theregister.co.uk/2018/11/08/cisco_dirty...

Not sure that paying people to do the development is really working out in making it more secure. Then there are the seven hard-coded back doors in Cisco products in recent years, and I am not just beating up Cisco; Juniper have had their own issues on this front.

As we are talking network gear here, again, when have pfSense, OpenWRT or VyOS suffered from this sort of issue?

I have been running open source servers with permanent always on internet connections for over 20 years and not been compromised once. I have a robust policy of patching mind you.
Standard User jabuzzard
(member) Fri 09-Nov-18 13:57:00

Re: Network security devices


[re: caffn8me]
 
Because the day the security updates stop is the day you need to stop using the device. It might still function as before, but imagine it is one of the long list of devices that were affected by Broadcom's UPnP issue and won't be getting an update because it's obsolete.

https://www.theregister.co.uk/2018/11/08/upnp_spam_b...

If you are not getting vendor updates you can't expect to continue to operate in a secure manner for very long. Worse, once an exploit becomes known you are now looking at procuring hardware to fix the problem, which is generally a lot slower than installing a software update. As such, no updates makes a security device useless, and three years is not very long for such an expensive device.

I note that all the Mikrotik issues are down to people not patching in anything remotely like a timely manner...
Standard User caffn8me
(eat-sleep-adslguide) Fri 09-Nov-18 15:59:20

Re: Network security devices


[re: jabuzzard]
 
In reply to a post by jabuzzard:
the day the security updates stop is the day you need to stop using the device
No. In a home use situation, the day you need to stop using the device is the day that a remotely exploitable vulnerability is announced that cannot be patched.

If the device cannot be exploited remotely, I would suggest that for the vast majority of home users, that's secure enough.

Yes, it's nice to have the very latest fixes, but for the average home user, an expired enterprise class firewall will provide very much more security than the standard ISP router.
In reply to a post by jabuzzard:
I note that all the Mikrotik issues are down to people not patching in anything remotely like a timely manner...
My issue is that they have such a severe bug in the first place, it is remotely exploitable, and it is being actively exploited on a large scale.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User broadband66
(knowledge is power) Fri 09-Nov-18 18:01:04

Re: Network security devices


[re: jabuzzard]
 
Still using XP on two machines with software firewall and antivirus.

No issues!

Paranoia can take over.

Was Eclipse Home Option 1, VM 2Mb & O2 Standard
Now Utility Warehouse (up to 16mbps) via Talk Talk
Standard User caffn8me
(eat-sleep-adslguide) Fri 09-Nov-18 18:48:36

Re: Network security devices


[re: broadband66]
 
I was recently in the cockpit of a current and active military aircraft. One of the computers on board runs a version of Windows which is well past its use by date.

Paranoia can be healthy, but a proper assessment of the risks based on careful examination of the facts is a better approach.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User broadband66
(knowledge is power) Sat 10-Nov-18 09:23:08

Re: Network security devices


[re: caffn8me]
 
One can have the latest technology but common sense when downloading and opening emails still goes a long way.

Risk assessments don't stop accidents.

Was Eclipse Home Option 1, VM 2Mb & O2 Standard
Now Utility Warehouse (up to 16mbps) via Talk Talk