Standard User Michael_Chare
(fountain of knowledge) Mon 08-Oct-18 22:42:06
Network security devices
Are there any security devices that you can put between your router and the rest of your network that don't leave you with double NAT?

Michael Chare
Standard User camieabz
(sensei) Tue 09-Oct-18 16:48:36
[re: Michael_Chare]
A hardware firewall perhaps?

Failing that, there's always some old school security - https://ibb.co/k0Gfyp

grin
Standard User tdw42
(regular) Tue 09-Oct-18 17:19:53
[re: Michael_Chare]
It is possible to do transparent layer 2 (Ethernet) firewalling/packet analysis, etc., but it is uncommon. More usually the device would operate at layer 3 (IP), and rather than it doing NAT you would add a static route on your router to direct return traffic to the new "clean" network.

For example, if the WAN router had a LAN address of 192.168.1.1/255.255.255.0 you could set the security device input connection to 192.168.1.250/255.255.255.0, default gateway 192.168.1.1 and output connection to 192.168.2.1/255.255.255.0, then add a static route on the WAN router of 192.168.2.0/24 via 192.168.1.250 - all of your clients would have 192.168.2.x addresses and the single NAT is still carried out on the WAN router.

Note that some of the ISP supplied routers have crippled user interfaces so you can't do this, and if they have inbuilt wireless that traffic wouldn't be handled by the device.
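The static-route layout described in the post above, walked through as an added example (not code from the thread or from any vendor): a toy longest-prefix-match forwarder built on Python's ipaddress module, using the addresses from the post plus a constructed TEST-NET-3 address for the WAN side. It shows the reply reaching the client when the WAN router has the 192.168.2.0/24 route, and leaving towards the ISP when the router cannot hold one, which is exactly the case where the security device would be forced to NAT a second time.

```python
# Added illustration, not from the thread: a toy routing-table walk for the
# layout described in the post above (security device at 192.168.1.250 on the
# WAN router's LAN, clean network 192.168.2.0/24 behind it, static route on the
# WAN router). The WAN-side addresses are constructed from TEST-NET-3.
import ipaddress


class Node:
    """Minimal IPv4 forwarder: interface addresses plus a static route table."""

    def __init__(self, name, interfaces, routes):
        # interfaces: {ifname: "addr/prefix"}
        # routes: [(prefix, next_hop, ifname)]; connected routes are derived
        self.name = name
        self.interfaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
        self.routes = [(i.network, None, n) for n, i in self.interfaces.items()]
        for prefix, nh, ifn in routes:
            self.routes.append((ipaddress.ip_network(prefix), ipaddress.ip_address(nh), ifn))

    def owns(self, addr):
        return any(i.ip == addr for i in self.interfaces.values())

    def lookup(self, dst):
        """Longest-prefix match. Returns the next-hop address, or None if no route."""
        best = None
        for net, nh, ifn in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, ifn)
        if best is None:
            return None
        _net, nh, _ifn = best
        return dst if nh is None else nh   # connected network: deliver directly


def build(wan_router_has_static_route):
    """Topology from the post; the flag is the one thing a locked-down ISP router may lack."""
    wan_routes = [("0.0.0.0/0", "203.0.113.1", "wan")]   # ISP gateway (constructed address)
    if wan_router_has_static_route:
        wan_routes.append(("192.168.2.0/24", "192.168.1.250", "lan"))
    wan = Node("wan-router", {"lan": "192.168.1.1/24", "wan": "203.0.113.2/30"}, wan_routes)
    dev = Node("security-device", {"in": "192.168.1.250/24", "out": "192.168.2.1/24"},
               [("0.0.0.0/0", "192.168.1.1", "in")])
    client = Node("client", {"eth0": "192.168.2.10/24"}, [("0.0.0.0/0", "192.168.2.1", "eth0")])
    return {n.name: n for n in (wan, dev, client)}


def trace(nodes, start, dst, max_hops=8):
    """Walk the topology from `start` towards `dst`; returns the list of hops.
    'internet' means the packet left the simulated network via the ISP gateway;
    'DROP:no-route' means a node had nowhere to send it."""
    dst = ipaddress.ip_address(dst)
    path = [start]
    node = nodes[start]
    for _ in range(max_hops):
        nh = node.lookup(dst)
        if nh is None:
            path.append("DROP:no-route")
            return path
        owner = next((n for n in nodes.values() if n.owns(nh)), None)
        if owner is None:
            path.append("internet")
            return path
        path.append(owner.name)
        if nh == dst:
            return path
        node = owner
    path.append("DROP:loop")
    return path


def needs_second_nat(nodes):
    """True when a reply the WAN router has already un-NATted to the client's
    192.168.2.x address cannot find its way back through the security device.
    In that case the device itself would have to NAT as well (double NAT)."""
    return trace(nodes, "wan-router", "192.168.2.10")[-1] != "client"


if __name__ == "__main__":
    for has_route in (True, False):
        topo = build(has_route)
        print("static route on WAN router:", has_route)
        print("  outbound:", " -> ".join(trace(topo, "client", "203.0.113.5")))
        print("  reply   :", " -> ".join(trace(topo, "wan-router", "192.168.2.10")))
        print("  device must NAT:", needs_second_nat(topo))
```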

Standard User Michael_Chare
(fountain of knowledge) Tue 09-Oct-18 22:24:39
[re: tdw42]
Thank you for the reply. Unfortunately the Gigaclear router, which I have to use, does not support static routes.

What I would like is a box that inspects and checks the packets that I send to and receive from the Internet. The box would be updated with the details of new threats, much like anti-virus software on a PC.

Michael Chare
Standard User caffn8me
(eat-sleep-adslguide) Tue 09-Oct-18 23:13:33
[re: Michael_Chare]
You could look for a WatchGuard firewall secondhand and use that in 'drop in mode' which uses the same IP address and range on internal and external interfaces and gives full firewall features. Drop in mode is designed to do exactly what you want.

What speed connection are you on? I ask about the speed because if you want higher than about 500Mbps you'd probably need a model with a fan (to be affordable) and that could be an issue for you.

Up to 540Mbps you could use a secondhand XTM 26 (no fan). They can be found on eBay for about £30-40. The XTM 33 (no fan) is similar (about £40-60) and runs out of steam at 850Mbps. A T50 (no fan) would set you back a lot more secondhand but does cope with full Gigabit throughput.

If a fan is no issue, an old XTM 5 series model would cope or the XTM 330.

Avoid anything called Edge or Core, and anything called Xsomething that isn't XTM.

You can look at comparisons of specs at https://www.watchguard.com/wgrd-products/appliances-...

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User Rolandrat
(committed) Wed 10-Oct-18 08:05:14
[re: Michael_Chare]
Untangle or pfSense in bridge mode should do what you want; there are many free or home license versions of UTMs available.
You would need the hardware to install them on. Amazon sell many multi-network mini PC type boxes, some even with pfSense already installed.

I note you have Gigaclear; if that's the full fat 1Gb connection, the choice of hardware will be important, as with all the features turned on that 1Gb could end up at a tenth of that after all the inspection has been done. Check out their forums for advice.
I use Untangle, which costs $50 a year for a home license, as I found it easier to understand.

Edited by Rolandrat (Wed 10-Oct-18 08:27:47)

Standard User Michael_Chare
(fountain of knowledge) Wed 10-Oct-18 09:53:45
[re: caffn8me]
Thank you very much for a very useful and interesting post. So it is possible to buy something that would do what I am looking for.

Michael Chare
Standard User caffn8me
(eat-sleep-adslguide) Wed 10-Oct-18 10:59:23
[re: Michael_Chare]
In reply to a post by Michael_Chare:
Thank you very much for a very useful and interesting post. So it is possible to buy something that would do what I am looking for.
Indeed it is. Other enterprise firewalls may offer the same functionality too but I'm most familiar with WatchGuard.

WatchGuard's drop-in mode is not the same as bridge mode, you can see what the differences are here

One word of caution: after placing the firewall between the router and the LAN you will need to reboot the router to clear its ARP cache, otherwise computers on the LAN won't see the internet.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User Michael_Chare
(fountain of knowledge) Wed 10-Oct-18 15:28:18
[re: caffn8me]
How useful would a Watchguard device be if one does not also subscribe to the security suite software? The software is quite expensive just for home use!

Michael Chare
Standard User caffn8me
(eat-sleep-adslguide) Wed 10-Oct-18 18:29:34
[re: Michael_Chare]
It will come with fully functional firewall software - this never expires. You only need a subscription to be able to update it to the latest firmware or add subscription only features such as virus scanning.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User Michael_Chare
(fountain of knowledge) Wed 10-Oct-18 23:22:41
[re: Rolandrat]
In reply to a post by Rolandrat:
Untangle or pfSense in bridge mode should do what you want; there are many free or home license versions of UTMs available.
You would need the hardware to install them on. Amazon sell many multi-network mini PC type boxes, some even with pfSense already installed.

I note you have Gigaclear; if that's the full fat 1Gb connection, the choice of hardware will be important, as with all the features turned on that 1Gb could end up at a tenth of that after all the inspection has been done. Check out their forums for advice.
I use Untangle, which costs $50 a year for a home license, as I found it easier to understand.
Your point about speed is a good one. I have the original Gigaclear service which does allow me to drive the line at the max almost 1Gb rate, though there is contention. It has dawned on me that the speeds that Watchguard quote are overall throughput speeds if multiple ports are used.

Michael Chare
Standard User caffn8me
(eat-sleep-adslguide) Thu 11-Oct-18 00:39:18
[re: Michael_Chare]
If you're just using two ports, the throughput will be either the maximum speed of the port (gigabit) or the stated throughput if lower. You only need to consider multiple ports if the quoted throughput exceeds 1Gbps.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User Michael_Chare
(fountain of knowledge) Thu 11-Oct-18 10:20:54
[re: caffn8me]
In reply to a post by caffn8me:
If you're just using two ports, the throughput will be either the maximum speed of the port (gigabit) or the stated throughput if lower. You only need to consider multiple ports if the quoted throughput exceeds 1Gbps.
It was this that made me think what I wrote. The XTM 330 is shown as having a higher throughput than the XTM 33 but maybe because it has more ports.

Michael Chare
Standard User caffn8me
(eat-sleep-adslguide) Thu 11-Oct-18 13:36:30
[re: Michael_Chare]
The XTM 33 has a slower processor and half the memory of the XTM 330. It also doesn't usually have a cooling fan, which the XTM 330 does. They're really quite different beasts designed for different deployment scenarios (branch office vs head office) even though they are both referred to as the XTM 3 series. The XTM 33 will hit 850Mbps between one port and another (this does vary with packet size and protocol) so the processor is the limiting factor. With the XTM 330, the gigabit port speed is the limiting factor.

You can see a direct comparison at https://www.watchguard.com/wgrd-products/appliances-...

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs

Edited by caffn8me (Thu 11-Oct-18 13:39:33)

Standard User Michael_Chare
(fountain of knowledge) Thu 11-Oct-18 14:53:10
[re: caffn8me]
Thank you for your help. The XTM33 would be a more convenient size!

Michael Chare
Standard User caffn8me
(eat-sleep-adslguide) Thu 11-Oct-18 21:25:49
[re: Michael_Chare]
Yes, and it's most likely without a fan - although the XTM 33 hardware guide states that some versions do have a fan. It doesn't state which ones. It's not likely to be anywhere near as obtrusive as the fan on the XTM 330.

It would limit throughput on your 1Gbps connection, but how often can you actually download at 1Gbps?

The XTM 33 is no longer sold but it's still possible to obtain full support, at a price, until 1st July 2021 so it's not considered prehistoric.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs

Edited by caffn8me (Thu 11-Oct-18 21:35:13)

Standard User TrevorSP
(knowledge is power) Sun 14-Oct-18 15:50:49
[re: camieabz]
I love your humour!

Regards,
Trevor

Signature to be updated shortly, been away for a long time LOL!!! Not what most of you are thinking or guessing either!! Twas ill health!
Standard User Gerbil
(newbie) Sat 27-Oct-18 11:46:37
[re: Michael_Chare]
In reply to a post by Michael_Chare:
In reply to a post by Rolandrat:
Untangle or pfSense in bridge mode should do what you want; there are many free or home license versions of UTMs available.
You would need the hardware to install them on. Amazon sell many multi-network mini PC type boxes, some even with pfSense already installed.

I note you have Gigaclear; if that's the full fat 1Gb connection, the choice of hardware will be important, as with all the features turned on that 1Gb could end up at a tenth of that after all the inspection has been done. Check out their forums for advice.
I use Untangle, which costs $50 a year for a home license, as I found it easier to understand.
Your point about speed is a good one. I have the original Gigaclear service which does allow me to drive the line at the max almost 1Gb rate, though there is contention. It has dawned on me that the speeds that Watchguard quote are overall throughput speeds if multiple ports are used.


I'm unclear whether you have the Gigaclear residential or business service, but if it is the residential service then be aware that Gigaclear are now finally offering bridge mode on their residential service for £5 extra a month. It was previously only available on their business service, but they seem to have slipped out a web site update earlier this month without any fanfare and it can now be ordered via their portal. That would remove one layer of NATing and potentially make the configuration of any device you then put between your LAN and their supplied router a lot simpler.
Standard User Michael_Chare
(fountain of knowledge) Sat 27-Oct-18 19:43:37
[re: Gerbil]
In reply to a post by Gerbil:
I'm unclear whether you have the Gigaclear residential or business service, but if it is the residential service then be aware that Gigaclear are now finally offering bridge mode on their residential service for £5 extra a month. It was previously only available on their business service, but they seem to have slipped out a web site update earlier this month without any fanfare and it can now be ordered via their portal. That would remove one layer of NATing and potentially make the configuration of any device you then put between your LAN and their supplied router a lot simpler.

That is interesting. I have the residential service. Today, before I read your post, I happened to raise a Gigaclear online query to ask if bridge mode was possible. The router I have is the DRGOS Tundra. I have been wondering about a pfSense box. The challenge is to find a suitable box that is powerful enough not to delay packets and not too expensive.

Michael Chare
Standard User Michael_Chare
(fountain of knowledge) Tue 30-Oct-18 11:53:44
[re: Gerbil]
In reply to a post by Gerbil:
I'm unclear whether you have the Gigaclear residential or business service, but if it is the residential service then be aware that Gigaclear are now finally offering bridge mode on their residential service for £5 extra a month. It was previously only available on their business service, but they seem to have slipped out a web site update earlier this month without any fanfare and it can now be ordered via their portal. That would remove one layer of NATing and potentially make the configuration of any device you then put between your LAN and their supplied router a lot simpler.

Well, after a couple of messages I have now learnt that bridge mode will be available to residential customers free of charge! This is good news: the connection will just use DHCP, and I am now wondering about a pfSense box. Gigaclear have added my name to a list of customers who will be told when the service is available. The details are in an email from Gigaclear which I could forward (PM) to you if you want.

Michael Chare
Standard User Gerbil
(newbie) Mon 05-Nov-18 21:15:41
[re: Michael_Chare]
Well that's just bizarre. I signed up to bridge mode as a £5 a month addon less than two weeks ago and it activated within about two minutes with my Draytek router showing that it was picking up the Gigaclear external IP via DHCP. Now having seen your message I've checked the Gigaclear portal and it's now showing as a zero cost option that I have enabled.

Gigaclear seem to be a bit disorganized.
a) I've not received an email telling me that they now were giving me bridge mode for free
and
b) they're telling you that you have to wait for something they managed to activate on my line in about two minutes flat.

Have you checked https://portal.gigaclear.com to see whether you can order it?

Edited by Gerbil (Mon 05-Nov-18 21:17:45)

Standard User Michael_Chare
(fountain of knowledge) Mon 05-Nov-18 23:29:27
[re: Gerbil]
I agree that Gigaclear are a bit disorganized! It took me two attempts to get a sensible answer. I believe that I could place an order, I think for £5pm. As it is, I am waiting until they tell me that the free service is available for residential customers. They have promised to advise me.

One issue is what I would have downstream of the bridge. I would quite like a box running pfSense. The challenge is to find something that will pass data at say 900Mbps but is not too expensive. I quite like the Qotom products, but they come from China and I would possibly have to pay customs duty, VAT and a customs processing fee.

Michael Chare
Standard User ukhardy07
(knowledge is power) Tue 06-Nov-18 19:00:09
[re: Michael_Chare]
I just want to add my two cents to this discussion: when you implement open source you run the risk that it is compiled from one of a multitude of random repositories, and often as things are compiled the developer is not performing adequate checks for security vulnerabilities. This makes ensuring that open source code is secure quite challenging. Within an internal network, this is less of a concern as the chance of exploitation is somewhat restricted... For a firewall, this becomes the first line of defence and is internet facing, so you want to ensure you are guaranteed to receive adequate security patching on a permanent basis. You also need to be ready to check for vulnerabilities and patches, and perform updates to address any critical/high vulnerabilities ASAP. With open source there are no guarantees patches will be released for vulnerabilities / loopholes in a timely manner.

I would assume if you are looking to implement this technology, you have some concerns and want to protect something internally?

Edited by ukhardy07 (Tue 06-Nov-18 19:01:50)

Standard User Michael_Chare
(fountain of knowledge) Tue 06-Nov-18 22:41:24
[re: ukhardy07]
In reply to a post by ukhardy07:
I would assume if you are looking to implement this technology, you have some concerns and want to protect something internally?
I don't really have that much! I do get many 'Hello...' emails with a link that I avoid. I do wonder where they originate from and what they might do.

Cost is a factor. Firewall vendor supplied hardware really needs a software maintenance contract to ensure that it is kept up to date and that tends to be expensive for a domestic situation. pfSense with Suricata is a cheaper alternative. I would think that the official Netgate version of pfSense is fairly secure.

Michael Chare
Standard User jabuzzard
(member) Wed 07-Nov-18 09:49:50
[re: caffn8me]
At which point you might as well save yourself some dosh, and get say a Ubiquiti EdgeRouter 4 or equivalent Mikrotik for less cash that is fanless and lower power and for which support does not run out in three years time rendering the device useless.
Standard User jabuzzard
(member) Wed 07-Nov-18 13:51:01
[re: ukhardy07]
Not that load of utter rubbish that open source is not secure again. Let's see, has OpenWRT had hard-coded back door accounts? Nope, but a certain market leader beginning with a C has. The idea that pfSense, VyOS or OpenWRT are not secure is a complete and utter joke. Anyone spouting that sort of rubbish should not be taken seriously.
Standard User ukhardy07
(knowledge is power) Wed 07-Nov-18 14:08:27
[re: jabuzzard]
I disagree. I have worked with a number of high-profile forensics cases where organisations have been compromised and this has resulted in exposure of mass customer personally identifiable information (PII). The underlying root cause has been open source applications, with vulnerabilities not patched by the open source community.

You only have to perform a quick Google search to find instances where 100+ million customers' details have been compromised, and forensic investigators pointed towards open source applications as a root cause. I will leave the argument here.

Given the choice, I would choose a vendor product with guaranteed support over opensource, although I do appreciate opensource is very valuable and should not be disregarded.
Standard User zzing123
(learned) Wed 07-Nov-18 15:38:13
[re: Michael_Chare]
There's a good guide explaining how to do No-NAT filtering on Multi WAN and Multi LAN with pfSense here: http://blog.martinshouse.com/2012/01/multi-wan-multi... and as if it's any surprise, the blogger is using AAISP which would be the path of least resistance in terms of ISPs.

Irrespective of the Multi-WAN and LAN the blogger uses (which I expect you won't need), the transparent filtering via 2 ports in bridge mode on the router is exactly what you'd need.

If/when Gigaclear do allow you to bridge the device so their router is relegated to just modem duties, then pfSense can be reconfigured to handle the WAN directly - I don't know what Gigaclear use, but I expect it'd be PPPoE which pfSense can easily handle too, however the filtering doesn't change all that much.

In terms of the security related stuff, the thing you'll want is to use Suricata, which pfSense has as a package. This is quite a pain to set up (here's a video guide: https://www.youtube.com/watch?v=KRlbkG9Bh6I), and will take a week or so of trial and error to 'bed in'. Security is never an 'on/off' switch.

Now, while just about any hardware can handle 1Gbps WAN and routing, doing full IPS (intrusion prevention) is entirely a different matter in terms of performance.

To give an example, the £250 Ubiquiti USG Pro-4 is a great dual-WAN router and can easily handle 2x 1Gbps WANs. However, for Suricata (IPS), it only boasts 250Mbps of IPS throughput. The cheapo USG, only 85Mbps. To get the full 1Gbps of IPS throughput, you need the £2,000 USG-XG, which otherwise does 8x 10GbE routing.

It'll be the same with pfSense: you'd need the £2,000 XG-1541 (same spec as the USG-XG) to do Suricata at 1Gbps. However, if you can compromise, I suggest getting one of the mid-range pfSense boxes like the XG-7100 or, if you can find one, what I use, the SG-4860. These use the Atom C2000/C3000 processors which are more than adequate. I've not benchmarked the maximum speed of Suricata on these machines, but I can say that it's not a bottleneck on 2x 80Mbps FTTC lines. However, I did spend £500 for the privilege of having a proper firewall.

You can peruse all Ubiquiti and pfSense hardware at their UK distributors: https://www.msdist.co.uk/ubiquiti and https://shop.amicatech.co.uk/hardware/pfsense.html
Standard User jabuzzard
(member) Wed 07-Nov-18 15:57:49
[re: ukhardy07]
And I have seen commercial software hit by zero day vulnerabilities. All the issues I have seen of the sort that you have raised have been fixed upstream but patches have not been applied.

A recent commercial software with issues was Mikrotik routers being hit, oh but it was patched by the vendor months before it was being exploited. All software has bugs, and all software is likely to have zero day vulnerabilities whether it is commercial or opensource. You just have to have a policy of applying patches in a timely manner.

To suggest that open source is inherently less secure is uninformed rubbish.
Standard User ukhardy07
(knowledge is power) Wed 07-Nov-18 16:27:09
[re: jabuzzard]
I agree with you in the main until the last line...
A vendor who is paid significant sums is more likely to patch security vulnerabilities and often is enforced with SLAs. I see relatively few organisations with a solid grasp of software composition analysis where they utilise open source. I also see very few organisations with solid inventories enabling them to identify open source vulnerabilities and patch. Fact is open source is overlooked far more often and patches can be hard to come by at times. You rely on the community far more.

Organisations have a real risk with open source and it is a challenge the industry is trying to overcome.

And of course zero days exist; that's beside the point here. Vendor products have security loopholes, which to my point require patching.
Standard User zzing123
(learned) Wed 07-Nov-18 16:38:46
[re: ukhardy07]
Especially when most commercial vendors use, package and help maintain said open source stuff. Ubiquiti for example is almost entirely prepackaged OSS. And pfSense is almost entirely a commercial operation now. Microsoft has their own Linux distro and SQL Server works on Linux. The point being, commercial vs. open source is a very blurry line. Thank god though that everyone seems to standardise around things like OpenSSL, Suricata and the important bits and contribute to them jointly for everyone's benefit: OSS and commercial.

The reality of the matter is the support contract and SLA is definitely a required business model for companies, but increasingly it's a holistic solution on bigger bundles of items. Dell recently sold our gullible managers a VxRail, but it's paid over 5 years with an iron-clad support agreement inclusive of everything from hardware to VMware patching and the related SonicWall appliance (yes, I had no say in the matter <sigh>).
Standard User caffn8me
(eat-sleep-adslguide) Wed 07-Nov-18 17:37:16
[re: jabuzzard]
In reply to a post by jabuzzard:
At which point you might as well save yourself some dosh, and get say a Ubiquiti EdgeRouter 4 or equivalent Mikrotik for less cash that is fanless and lower power and for which support does not run out in three years time rendering the device useless.
I use EdgeRouters but they don't have the transparent drop-in capability of WatchGuards so would require a reconfiguration of the setup - something which the OP wanted to avoid. Now it seems that bridge mode is possible, that's not an issue.

I'm not sure what you mean by 'useless'. All basic security functions of a WatchGuard continue to work after the licence expires - including things like application proxies, NAT, WAN load balancing etc. As a security device they're still more sophisticated than any of the Ubiquiti devices - even with an expired licence.

What you do lose is the ability to update in the event of a significant security bug or to add new features. Things like gateway antivirus, geolocation blocking and spam filtering require an additional subscription beyond the basic support package, so they don't come as standard on the lowest priced support options anyway.

I would avoid Mikrotik completely given the poor history of security, the results of which I have experienced first hand. When I posted that I'd identified four compromised Mikrotik routers, there have been quite a few more since. Just looking at today's firewall logs I see this has been compromised and is probing my connections. I shall be reporting this to the ISP later.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User Michael_Chare
(fountain of knowledge) Wed 07-Nov-18 17:50:27
[re: zzing123]
Thank you for your interesting post. I have managed to buy a second-hand 4-port Ethernet card which I will try in an old E6600-based PC with pfSense.

In some ways my problem is that I have been able to keep my Gigaclear G10 contract, which has a 10Mbps minimum speed and a theoretical maximum of about 940Mbps up and down. It would be a pity to install a firewall that slows this down too much!

A PC Engines APU2c4 would cost me about £200. A faster option is a Qotom Q355G4 with an Intel i5 processor and wifi. This would cost about £300 imported.

What was your motive for having a firewall?

Michael Chare
Standard User zzing123
(learned) Wed 07-Nov-18 19:38:50
[re: Michael_Chare]
The PC Engines box is way too underpowered for IPS, but just about OK for gigabit. The E6600 with a server adapter should be pretty much OK for IPS. Meanwhile the Qotom has AES-NI, which will help accelerate VPNs if you use them. The Qotom was chosen by Ars in their 'Homebrew 2.0' router: https://arstechnica.com/gadgets/2016/04/the-ars-guid... - but trust me, messing with iptables like he does is seriously long grey beard stuff.

I would start with the E6600 and go from there. If it's not good enough, then an ebay buyer gets lucky.

Why I have a firewall? Mainly to separate my home lab stuff (I deal with a lot of cloud tech) and ensure the missus doesn't have her telly and Facebook time interrupted (that would cause injury). Cloud tech involves a lot of VLANs, VPNs and various SDN tech which needs a router that can handle it. If I used a proper cloud like AWS I'd be racking up several grand in bills every month. The IPS is not only good for filtering security, but it's also very good at detecting when an app is misbehaving too, because if you do anything funky with network protocols, it'll pick it up.

As for the missus, she is blissfully unaware that her 4K autobinge sessions on Netflix are protected by enterprise security, and in the meantime fq_codel is making sure that her iPhone is the first to go 'ding'.
Standard User jabuzzard
(member) Fri 09-Nov-18 13:46:32
[re: ukhardy07]
In reply to a post by ukhardy07:
I agree with you in the main until the last line...
A vendor who is paid significant sums is more likely to patch security vulnerabilities and often is enforced with SLAs. I see relatively few organisations with a solid grasp of software composition analysis where they utilise open source.


Right, so that worked out really well for the multi-billion-dollar company that is Broadcom.

https://www.theregister.co.uk/2018/11/08/upnp_spam_b...

What, five fricking years they had a known exploit and didn't fix it.

Then Cisco do this:

https://www.theregister.co.uk/2018/11/08/cisco_dirty...

Not sure that paying people to do the development is really working out in making it more secure. Then there are the seven hard-coded back doors in Cisco products in recent years, and I am not just beating up Cisco; Juniper have had their own issues on this front.

As we are talking network gear here, again, when have pfSense, OpenWRT or VyOS suffered from this sort of issue?

I have been running open source servers with permanent always-on internet connections for over 20 years and not been compromised once. I have a robust policy of patching, mind you.
Standard User jabuzzard
(member) Fri 09-Nov-18 13:57:00
[re: caffn8me]
Because the day the security updates stop is the day you need to stop using the device. It might still function as before, but imagine it is one of the long list of devices that was affected by Broadcom's UPnP issue and that won't be getting an update because it's obsolete.

https://www.theregister.co.uk/2018/11/08/upnp_spam_b...

If you are not getting vendor updates you can't expect to continue to operate in a secure manner for very long. Worse, once an exploit becomes known you are now looking at procuring hardware to fix the problem, which is generally a lot slower than installing a software update. As such, no updates makes a security device useless, and three years is not very long for such an expensive device.

I note that all the Mikrotik issues are down to people not patching in anything remotely like a timely manner...
Standard User caffn8me
(eat-sleep-adslguide) Fri 09-Nov-18 15:59:20

Re: Network security devices

[re: jabuzzard]

In reply to a post by jabuzzard:
the day the security updates stop is the day you need to stop using the device
No. In a home use situation, the day you need to stop using the device is the day that a remotely exploitable vulnerability is announced that cannot be patched.

If the device cannot be exploited remotely, I would suggest that for the vast majority of home users, that's secure enough.

Yes, it's nice to have the very latest fixes, but for the average home user, an expired enterprise class firewall will provide very much more security than the standard ISP router.
In reply to a post by jabuzzard:
I note that all the Mikrotik issues are down to people not patching in anything remotely like a timely manner...
My issue is that they have such a severe bug in the first place, it is remotely exploitable, and it is being actively exploited on a large scale.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User broadband66
(knowledge is power) Fri 09-Nov-18 18:01:04

Re: Network security devices

[re: jabuzzard]

Still using XP on two machines with software firewall and antivirus.

No issues!

Paranoia can take over.

Was Eclipse Home Option 1, VM 2Mb & O2 Standard
Now Utility Warehouse (up to 16mbps) via Talk Talk
Standard User caffn8me
(eat-sleep-adslguide) Fri 09-Nov-18 18:48:36

Re: Network security devices

[re: broadband66]

I was recently in the cockpit of a current and active military aircraft. One of the computers on board runs a version of Windows which is well past its use-by date.

Paranoia can be healthy but a proper assessment of the risks based on careful examination of the facts is a better approach smile

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User broadband66
(knowledge is power) Sat 10-Nov-18 09:23:08

Re: Network security devices

[re: caffn8me]

One can have the latest technology but common sense when downloading and opening emails still goes a long way.

Risk assessments don't stop accidents.

Was Eclipse Home Option 1, VM 2Mb & O2 Standard
Now Utility Warehouse (up to 16mbps) via Talk Talk
Standard User baby_frogmella
(knowledge is power) Sat 10-Nov-18 11:20:29

Re: Network security devices

[re: broadband66]

In reply to a post by broadband66:
One can have the latest technology but common sense when downloading and opening emails still goes a long way.

Risk assessments don't stop accidents.


+1

Even the world's best firewall cannot stop the biggest virus/malware out there: human stupidity shocked

FluidOne FTTPoD 330/30 Mbps
Linksys EA9500v2

Edited by baby_frogmella (Sat 10-Nov-18 11:56:14)

Standard User caffn8me
(eat-sleep-adslguide) Sat 10-Nov-18 17:52:23

Re: Network security devices

[re: broadband66]

In reply to a post by broadband66:
Risk assessments don't stop accidents.
If your risk assessment doesn't include the possibility of someone accidentally downloading something malicious, or deleting something important, you're doing your risk assessment wrong wink

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User broadband66
(knowledge is power) Sun 11-Nov-18 15:46:51

Re: Network security devices

[re: caffn8me]

Writing a list of possible risks and getting staff to read them doesn't stop human error occurring. But HR/Health and Safety and others say we have to spend time and money so it has to be done.

Was Eclipse Home Option 1, VM 2Mb & O2 Standard
Now Utility Warehouse (up to 16mbps) via Talk Talk
Standard User caffn8me
(eat-sleep-adslguide) Mon 12-Nov-18 02:23:24

Re: Network security devices

[re: broadband66]

In reply to a post by broadband66:
Writing a list of possible risks and getting staff to read them doesn't stop human error occurring.
No, but assessing the risks your staff pose to the confidentiality, integrity and availability of your systems and data allows you to put measures in place to manage those risks accordingly.

If you believe there is a risk that some members of staff may download inappropriate content, you put systems in place so that they can't. It's not just a question of telling people not to download things.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User broadband66
(knowledge is power) Mon 12-Nov-18 18:32:36

Re: Network security devices

[re: caffn8me]

That's a fair point.

Example. Scaffolding erected, Portaloos on every floor, risks assessed (or so we thought)!

Lazy prat can't be bothered to walk for a few minutes to relieve himself in the appropriate place. Climbs over the handrail to do his business and falls, breaking a leg. Tries to sue, saying he wasn't given a risk assessment or told of the risk of urinating while hanging on to the outside of a scaffold.

Some people will always find a way to ruin it for everyone else.

Was Eclipse Home Option 1, VM 2Mb & O2 Standard
Now Utility Warehouse (up to 16mbps) via Talk Talk