Re: [Discuss] iGuardian "enterprise-grade" home router

2014-09-12 Thread Tom Metro
Richard Pieri wrote:
> Comparing his $150 box to a Juniper IPS that costs ten times as much (or
> more) is disingenuous.

I just want to clarify (for other BLU readers) that the "his" above
doesn't refer to Dan Geer. His interview and the iGuardian product are
unconnected, and only were mentioned in the same message due to being
covered in the same "This Week in Enterprise Tech" episode.

I agree that most comparisons between cheap gear and multi-thousand
dollar enterprise gear can be disingenuous. The cheap gear usually
offers some incomplete replication of the functionality of the
enterprise hardware. The relevant bit is whether it replicates the parts
you care about. There's always going to be some things the enterprise
gear does to justify its price, even if that's merely in the support
they offer.


> He lists frequent, easy updates as a feature yet it's an /embedded/
> system, an OpenWRT fork which, as we've recently discussed, isn't easily
> updated. I'd forgive a lot if his iGuardian were running a live OS the
> way that pfSense does but going embedded? That's a big strike against it.

You'll have to clarify what "embedded" means to you, and how that would
differ from pfSense running on appliance hardware.

The challenges in getting an embedded system updated are:

1. Having an organization to produce and QA (for the target appliance)
the updates in a timely fashion to maintain security. (Lacking in many,
if not most, open router firmware projects.)

2. Allowing the updates to be deployed to your hardware without first
performing your own QA.

If the company behind iGuardian hits upon a successful business model
and stays in business, then they should be able to make good on #1.
Though as Jim Gettys has explained in his talks, the financial
incentives usually aren't there to provide long term security updates
for low-cost routers. If I recall, iGuardian is claiming to be including
lifetime updates in that $150 price. That means after the initial batch
is sold, their revenue source could dry up, and that'll be the end of
the updates.

On #2, this is something most home owners would generally not be
concerned with, but the publicized situation where Cisco installed
updates automatically to home routers that altered their behavior in an
undesirable way might give them second thoughts.

The impression I get is that the majority of the updates they're going
to be supplying are new A/V rules for their deep packet inspection, not
actual code updates. If they're building on OpenWRT, then I wouldn't
expect the code updates to be any more frequent than what the upstream
project sees. The practical difference being they'll QA and package
those updates for automatic installation. I can see the appeal in that,
if you don't want to have to choose between running a stale router or
playing sys admin to keep it updated.

 -Tom

-- 
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/
___
Discuss mailing list
Discuss@blu.org
http://lists.blu.org/mailman/listinfo/discuss


Re: [Discuss] iGuardian "enterprise-grade" home router

2014-09-12 Thread Richard Pieri
On 9/12/2014 6:44 PM, Tom Metro wrote:
> You'll have to clarify what "embedded" means to you, and how that would
> differ from pfSense running on appliance hardware.

How do you go about updating the OS?

With an embedded OS you back up your settings, restart the device in a
special run mode, write out an image to local storage, restart in the
normal run mode, and restore your settings. Some update mechanisms
perform the settings backup and restore automatically; some don't. If
something goes wrong then you have a brick. Recovering from a bricked
state can be difficult. It may require special tools (software and
hardware); it may require opening the device and performing physical
changes.

With a "live" OS you run a tool to install updated programs, typically
using some kind of package management system. Restarting is rarely
required. If something goes wrong then the update tools usually can roll
back to the previous state. In a worst case scenario you can restart the
system in an administrative mode and manually correct the problem or
manually roll back to a previous state.

m0n0wall is an example of the former; pfSense is an example of the latter.

-- 
Rich P.


Re: [Discuss] iGuardian "enterprise-grade" home router

2014-09-13 Thread Tom Metro
Richard Pieri wrote:
> How do you go about updating the OS?
> 
> With an embedded OS you back up your settings, restart the device in a
> special run mode, write out an image to local storage, restart in the
> normal run mode, and restore your settings. Some update mechanisms
> perform the settings backup and restore automatically; some don't. If
> something goes wrong then you have a brick.
> 
> With a "live" OS you run a tool to install updated programs, typically
> using some kind of package management system. Restarting is rarely
> required.

I guess maybe you need to update your notion of how a modern embedded
system works. There are still embedded devices being produced that work
the way you describe, but more commonly now, thanks to inexpensive flash
storage, they operate more like a regular system with a hard drive.

OpenWRT supports optware package management, for example. You should be
able to update packages on the fly, without a device reboot. (I've
installed packages this way on my routers running Tomato USB.)

I run Ubuntu systems off of small thumb drives, which go through
identical updating procedures as full systems, and there is no technical
reason why a router appliance can't follow this model.

Devices like Ubiquiti Networks' EdgeMAX, which runs a Debian derivative,
from a software perspective probably behave closer to full systems than
embedded devices, even though they are built on low power appliance
hardware.

Even in the case where the device firmware is treated as one big blob,
lots of devices now feature a small bootloader partition that never gets
overwritten by updates, making them virtually "unbrickable." An update
gets downloaded to and written to a separate partition, then sets a flag
and schedules or triggers a reboot. On reboot the bootloader sees the
flag and runs the OS from the new partition. If that fails to start you
can manually reboot and interact with the bootloader to switch back to
the old firmware, which is still present.

(There are dozens of variations on the protected bootloader concept, and
not all work as described above. For example, it's quite common for
Android devices to have a boot loader, a recovery partition (minimal OS
for doing backups and reloading OS images), and an OS partition. Each
can be separately reflashed.)

Personally, I'd rather have a router/firewall appliance in which the
firmware can't be altered without a physical switch being flipped on the
device. That way you have full control over when the firmware gets
altered, and you know with certainty that you return to a known state
after reboots. (For this to be most effective, your router should also
have no local storage and settings storage that is similarly hardware
protected from modification.)

 -Tom

-- 
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/
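The two-partition scheme Tom describes above (write the update to the inactive partition, set a flag, reboot, let the bootloader pick the new partition and fall back to the old one if it fails) is easy to get subtly wrong, so here is a simulation of it as an added example. This is not code from the thread, from OpenWRT, or from any router vendor; names such as slot_state, stage_update, bootloader_select and MAX_BOOT_ATTEMPTS are assumptions for illustration. It goes one step beyond the text: rather than requiring the owner to switch slots by hand, the bootloader counts failed boots of the new image and reverts to the known-good slot on its own once the budget is exhausted.

```c
/* Added example (not from the thread, OpenWRT or any router vendor): a
 * simulation of the two-partition "protected bootloader" update scheme.
 * All identifiers here are assumed for illustration. */
#include <stdbool.h>
#include <stdio.h>

#define MAX_BOOT_ATTEMPTS 3   /* assumed policy: three tries for a new image */
#define SLOT_NONE (-1)        /* neither slot boots: the "brick" case */

typedef enum { SLOT_A = 0, SLOT_B = 1 } slot_t;

/* State the bootloader reads on every boot. On real hardware this would
 * sit in a small flash region that updates never overwrite. */
typedef struct {
    slot_t active;       /* slot last known to boot successfully */
    slot_t pending;      /* slot a new image was just written to */
    bool   try_pending;  /* the "flag" the updater sets before rebooting */
    int    attempts;     /* failed boots of the pending slot so far */
    int    image_ok[2];  /* per slot: 1 if the image verifies, 0 if not
                          * (stands in for a signature/hash check) */
} slot_state;

/* Constructed starting point: slot A holds a good image, slot B is empty. */
slot_state fresh_state(void) {
    slot_state st = { SLOT_A, SLOT_A, false, 0, { 1, 0 } };
    return st;
}

/* Updater side: write the new image to the inactive slot and set the flag.
 * image_valid models whether the written image passes verification. */
void stage_update(slot_state *st, bool image_valid) {
    st->pending = (st->active == SLOT_A) ? SLOT_B : SLOT_A;
    st->image_ok[st->pending] = image_valid ? 1 : 0;
    st->try_pending = true;
    st->attempts = 0;
}

/* Bootloader side: pick the slot to run on this boot. */
slot_t bootloader_select(slot_state *st) {
    if (st->try_pending && st->attempts < MAX_BOOT_ATTEMPTS)
        return st->pending;           /* give the new image a chance */
    st->try_pending = false;          /* budget exhausted or nothing pending */
    return st->active;                /* last known-good image */
}

/* OS side: called once the booted system reaches a healthy state; this
 * promotes a successfully tried slot to "active". */
void mark_boot_success(slot_state *st, slot_t booted) {
    if (st->try_pending && booted == st->pending) {
        st->active = booted;
        st->try_pending = false;
        st->attempts = 0;
    }
}

/* Simulate reboots until a slot comes up healthy. Returns that slot, or
 * SLOT_NONE when even the known-good slot fails. A failed boot stands in
 * for the watchdog reset that would restart a real device. */
int simulate_boot_cycles(slot_state *st) {
    for (int cycle = 0; cycle < MAX_BOOT_ATTEMPTS + 2; cycle++) {
        slot_t chosen = bootloader_select(st);
        if (st->image_ok[chosen]) {
            mark_boot_success(st, chosen);
            return chosen;
        }
        if (!st->try_pending)
            return SLOT_NONE;         /* the fallback image is bad too */
        st->attempts++;               /* count the failed try and reboot */
    }
    return SLOT_NONE;
}

int main(void) {
    slot_state good = fresh_state();
    stage_update(&good, true);
    int booted = simulate_boot_cycles(&good);
    printf("valid update: booted slot %d, active now %d\n", booted, good.active);

    slot_state bad = fresh_state();
    stage_update(&bad, false);
    booted = simulate_boot_cycles(&bad);
    printf("corrupt update: booted slot %d after %d failed tries, active still %d\n",
           booted, bad.attempts, bad.active);
    return 0;
}
```

The point the simulation makes is that the safety of the scheme rests on two things the thread only implies: the "flag" and attempt counter must live somewhere the update can never overwrite, and the new image must only be promoted to active after the OS itself reports a healthy boot, never at flash time.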


Re: [Discuss] iGuardian "enterprise-grade" home router

2014-09-13 Thread Richard Pieri
On 9/13/2014 4:46 PM, Tom Metro wrote:
> OpenWRT supports optware package management, for example. You should be
> able to update packages on the fly, without a device reboot. (I've
> installed packages this way on my routers running Tomato USB.)

Try doing that with the kernel. Last I looked, Tomato's optware
repository doesn't include kernels.

OpenWRT's optware repository does have kernels but they're covered in
caveats that you're likely to brick your device if you try to install
them. The supported kernel update method for OpenWRT is Sysupgrade which
erases what is there and flashes a pristine system image. Just like I
described.

So yeah, I stand by my notion of how embedded systems work. Empirically,
that's how they work.


> Personally, I'd rather have a router/firewall appliance in which the
> firmware can't be altered without a physical switch being flipped on the
> device.

I've deployed and managed a few enterprise grade firewall appliances
like Borderware and Firewall-1. This is not a feature typically found on
such devices. Borderware, at the time running on FreeBSD, required a
restart in single-user mode to perform major changes because the root
file system was normally mounted read-only. Firewall-1 varies with the
foundation: IPSO, Solaris and Windows/NT all behave differently.

I can't recall seeing a consumer grade gateway with a feature like this.
Not a physical switch, anyway.

-- 
Rich P.


Re: [Discuss] iGuardian "enterprise-grade" home router

2014-09-29 Thread Tom Metro
Tom Metro wrote:
> The same episode also covers the iGuardian Kickstarter project that aims
> to produce a $150 enterprise-grade home router that includes deep packet
> inspection and regular updates:
> http://www.itusnetworks.com/home

The host of "This Week in Enterprise Tech" seems to be pushing this
product, as he has covered it on another show, and had the creators of
the router on "This Week in Enterprise Tech" for the 2nd or 3rd time. In
their latest appearance in episode 108:

http://twit.tv/show/this-week-in-enterprise-tech/108
http://www.youtube.com/watch?list=UU0KrqQ-3pCob4piS1wVC5dQ&feature=player_detailpage&v=luT-Nl3u5W0#t=2328
(segment starts about 39 minutes in)

They mention they met their Kickstarter goal, that they're going to
follow on with an Indiegogo campaign, and they clarified an important
point about why they call it "enterprise-grade." Apparently they didn't
simply load up a commodity consumer router with Linux and some packet
inspection code. The hardware they built uses the same router-optimized
processor (Cavium Networks OCTEON Network Services Processor[1]) as used
in enterprizy routers, like the Sonicwall line. Their claim is that the
typical home router appliance doesn't have the CPU or memory to run deep
packet inspection code.

(The show page above features a picture of the PC board for the router,
which looks much like what you'd expect for a consumer router, except a
large heat sink on the CPU. [This is actually not their design, but a
development board supplied by Cavium.])

That aside, the software stack is just Linux (OpenWRT) + SNORT + a GUI,
presumably, and an update service. And they admit that their filtering
is signature based, and thus it won't help you for a zero day, but they
said "protect the herd, not the individual."

It could be interesting even if you don't buy in to their ecosystem and
just look at it as a low-cost, low-power platform capable of running
SNORT. I'd be curious to know how a competing device like the Ubiquiti
Edgemax handles running SNORT.

 -Tom

1. http://www.cavium.com/Table.html#Octeon (they didn't specify which of
these CPUs they used; the product line ranges from 1 to 48 cores; safe
to say this $100 ($175 regular retail) product uses a 1 or 2 core
version, but they still get hardware accelerated TCP, regular
expression, and encryption, depending on the model.)

-- 
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/


Re: [Discuss] iGuardian "enterprise-grade" home router

2014-09-29 Thread Richard Pieri

On 9/29/2014 5:14 PM, Tom Metro wrote:
> SNORT. I'd be curious to know how a competing device like the Ubiquiti
> Edgemax handles running SNORT.

On paper, based on RAM capacity, I figure the iGuardian box will run out 
of memory and crash much sooner than the Edgemax device. And if you 
don't think that's likely with a home network connection then I dare you 
to run a BitTorrent client behind a Verizon-branded gateway. :)


--
Rich P.


Re: [Discuss] iGuardian "enterprise-grade" home router

2014-09-29 Thread Tom Metro
Richard Pieri wrote:
> On paper, based on RAM capacity, I figure the iGuardian box will run out
> of memory and crash much sooner than the Edgemax device.

Were you able to find a RAM spec for the iGuardian? Their site seemed
pretty light on details.

If I recall correctly, the Ubiquiti products all have full spec sheets.
I'd compare the iGuardian to the Edgemax EdgeRouter Lite. It has a CPU
with hardware acceleration too, but the objective was moving TCP packets
fast, not necessarily deep packet inspection, so it may lack things like
regular expression acceleration that the iGuardian CPU might have.
Unfortunately, without digging much deeper or putting them both to the
test, I can only speculate.

The other question to ask about iGuardian is where are they sourcing
their signatures? Are they merely passing them on from the commercial
entity maintaining SNORT (apparently acquired by Cisco)? Using a freely
accessible upstream source and packaging it up for the convenience of
their customers? Or are they building rules in-house?

 -Tom

-- 
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/


Re: [Discuss] iGuardian "enterprise-grade" home router

2014-09-29 Thread Richard Pieri

On 9/29/2014 10:24 PM, Tom Metro wrote:
> Were you able to find a RAM spec for the iGuardian? Their site seemed
> pretty light on details.


It's on their Kickstarter. The prototype is 512M and the target spec is 1GB.

--
Rich P.


Re: [Discuss] iGuardian "enterprise-grade" home router

2014-09-30 Thread Tom Metro
Richard Pieri wrote:
> The prototype is 512M and the target spec is 1GB.

According to the Ubiquiti data sheet:
http://www.ubnt.com/downloads/datasheets/edgemax/EdgeRouter_DS.pdf

The EdgeRouter Lite (the $100 model) only has 512 MB RAM. (Powered by a
"Dual-Core 500 MHz, MIPS64 with Hardware Acceleration for Packet
Processing.")

If you go a few models up from that to the EdgeRouter (no suffix) you
get 2 GB RAM. (And an 800 MHz CPU. And a bunch more Ethernet ports.) But
now we're talking about a $300 router, so not a fair comparison to the
iGuardian, which sells for half of that.

I see the Kickstarter page:
https://www.kickstarter.com/projects/itus/iguardian-the-home-internet-security-system

also says their planned CPU is a 1 GHz 2-core MIPS64 (Cavium Octeon III
7020). And they have a comparison table showing the RAM and CPU specs
for Juniper, Sonicwall, and a Netgear product.

If they can deliver a 2-core, 1 GHz CPU w/1 GB RAM appliance for $150,
that'll be a good deal. They say in their FAQ, "Hobbyists and hackers
wishing to modify the iGuardian software to use the hardware platform
for other purposes are welcome."


Another point to consider: their FAQ says they don't inspect SSL
packets, which is not surprising. Yet some malware uses SSL. So
basically that means this tool is designed to catch lazy malware
developers. :-)

 -Tom

-- 
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/


Re: [Discuss] iGuardian "enterprise-grade" home router

2014-09-30 Thread Richard Pieri

On 9/30/2014 5:36 AM, Tom Metro wrote:
> The EdgeRouter Lite (the $100 model) only has 512 MB RAM. (Powered by a
> "Dual-Core 500 MHz, MIPS64 with Hardware Acceleration for Packet
> Processing.")


And as you noted, ER Lite does not do DPI which means it has more RAM 
available to handle active connections. Or, looking at it the other way, 
iGuardian will run out of RAM for active connections sooner than ER Lite.


--
Rich P.


Re: [Discuss] iGuardian "enterprise-grade" home router

2014-09-30 Thread Dan Ritter
On Tue, Sep 30, 2014 at 05:36:26AM -0400, Tom Metro wrote:
> If they can deliver a 2-core, 1 GHz CPU w/1 GB RAM appliance for $150,
> that'll be a good deal. They say in their FAQ, "Hobbyists and hackers
> wishing to modify the iGuardian software to use the hardware platform
> for other purposes are welcome."
> 
> 
> Another point to consider: their FAQ says they don't inspect SSL
> packets, which is not surprising. Yet some malware uses SSL. So
> basically that means this tool is designed to catch lazy malware
> developers. :-)
> 
>  -Tom

The Mirabox is a now-shipping $150 ARM computer:

1.2GHz Armada370 cpu
1 GB RAM
1GB flash
2 gigabit ethernet ports
2 USB3 host ports
1 miniPCIe slot (presumably for wifi)
and a microSD slot.

It appears to run Debian stable, and thus is a pretty good
contender for anyone who feels capable of running their own
firewall. I would consider it.

-dsr-


Re: [Discuss] iGuardian "enterprise-grade" home router

2014-09-30 Thread Tom Metro
Richard Pieri wrote:
> ER Lite does not do DPI...
> iGuardian will run out of RAM for active connections sooner than ER Lite.

Agreed, but the thought experiment was how would the iGuardian compare
to the ER Lite if you ran SNORT on the latter.

Both are open platforms so you could configure either to have or not
have DPI.

iGuardian FAQ says they're only promising 50 Mbps for the first release
product. Tuned systems running the same chip can hit 250 Mbps. Probably
not a practical limitation for most users, but compare that to the ER
Lite that claims to do 1 million packets/second (64B packets, 3 Gbps),
of course without DPI.



Dan Ritter wrote:
> The Mirabox is a now-shipping $150 ARM computer:
> 
> 1.2GHz Armada370 cpu
> 1 GB RAM

Not bad, but without hardware acceleration it might still be slower than
the others at the task of shuffling around packets or DPI.


> 2 gigabit ethernet ports

Which means if you want to partition your network to have a DMZ and/or a
guest wireless access point you need to use VLANs and a VLAN switch.
(Something the platforms with more ports are likely doing also, but they
do it with a small internal VLAN switch.)

 -Tom

-- 
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/


Re: [Discuss] iGuardian "enterprise-grade" home router

2014-09-30 Thread Richard Pieri

On 9/30/2014 6:39 PM, Tom Metro wrote:
> Both are open platforms so you could configure either to have or not
> have DPI.


Not entirely true. Ubiquiti's hardware is pretty open but their OS is 
proprietary and I have no idea how stable it would be after coercing it 
to do something unsupported.


--
Rich P.


Re: [Discuss] iGuardian "enterprise-grade" home router

2014-09-30 Thread Tom Metro
Richard Pieri wrote:
> Ubiquiti's...OS is proprietary...

It's a Debian fork, 2-steps removed. (Fork of a fork.)

Similarly iGuardian is packaging OpenWRT, which may or may not qualify
as a fork. It might in the sense that they probably bundle binary blobs
to support their hardware, which you are stuck with.

Both provide root shell access without going through any hoops.
With either one, adding 3rd party packages should be just a matter of
installing them via apt-get or optware package managers.


> and I have no idea how stable it would be after coercing it
> to do something unsupported.

I don't really have any information as to how well either vendor
supports their platform if you start monkeying with the software stack.
iGuardian in their FAQ seems to imply they would, but let's be real,
they're a startup with limited resources, so if you complained something
wasn't working, their first response is going to be to reset the device
back to the factory software.

I'd like to find an online community of EdgeRouter users to learn more
about what real world problems and limitations those users run into. The
only end-user info I've seen so far has been from a small number of
product reviews.


> Ubiquiti's hardware is pretty open...

I wouldn't consider either to meet the definition of open hardware. To
be open hardware you need to share the design (schematics), and use
components that don't require binary blobs, and have all the chip
specifications published openly so anyone can create drivers. The
Raspberry Pi isn't open hardware, for example, though on the spectrum
between open and closed, it's closer to the open side.

 -Tom

-- 
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/


Re: [Discuss] iGuardian "enterprise-grade" home router

2014-09-30 Thread Richard Pieri

On 9/30/2014 8:28 PM, Tom Metro wrote:
> Richard Pieri wrote:
>> Ubiquiti's...OS is proprietary...
>
> It's a Debian fork, 2-steps removed. (Fork of a fork.)

I could have sworn I saw Ubiquiti's literature use the word
"proprietary" in there somewhere. Yep, it's in the packet acceleration
chunk.

>> Ubiquiti's hardware is pretty open...
>
> I wouldn't consider either to meet the definition of open hardware.

Oh, by Ghu if you're going to quibble over open as in "run vanilla Linux
on it" vs. Open as in "capital O Open" then I'm done.


--
Rich P.