Securing edge device systems, including firewalls, routers, and VPN gateways
12 comments
February 4, 2025
bigfatkitten
> 2. Procure secure-by-design devices
I take this to mean "don't buy Fortinet products."
https://www.cvedetails.com/vulnerability-list/vendor_id-3080...
oneplane
Yes, also Ivanti. And Palo Alto. And Cisco. And Dell (unless they spun that off already).
Most of the devices that rely on a scheme similar to inkjet printers (but with an even shorter shelf life) are going to be that way. This is because the money is not in the software, but in administrative choices (licensing, support contracts based on lifespan of hardware etc).
Since most deployment scenarios don't really need a proprietary ASIC to handle filtering, you'd almost universally be better off with a system that is built around generic white box hardware and an OS that is kept up-to-date. But that requires more knowledge and skills, and most people and companies would rather not invest in that for various reasons.
As for where you'd get your money's worth: it's mostly in the threat feeds. A well-tested, verified feed of known bad things (subnets, packet contents, behaviour) is much more useful than paying someone to keep a spare fan on the shelf so they can bring it to you "just in case".
bigfatkitten
The main thing the commercial players offer that open source doesn't do well is application level filtering. I want to be able to allow RTP across this giant port range but not just any UDP, or allow TLS exchanges with only certain SNI domains, not Cloudflare's entire address space.
If you want to do this, you need to select the least bad vendor.
In my experience, site categorisation is about the only 'feed' worth paying for.
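As an added illustration (not code from the thread, and not the implementation of any vendor product mentioned in it), here is the decision logic that the comment above calls application-level filtering: a UDP packet in the RTP port range is accepted only if it carries a plausible RTP header, and a TCP/443 packet is accepted only if its TLS ClientHello names an allowed SNI. The port range, the allow-list, the sample packets and the `build_client_hello` helper are all constructed for this example.

```python
import struct
from typing import Optional

# Policy values: constructed for this example, not taken from the thread.
RTP_PORT_RANGE = range(16384, 32768)                   # common RTP media range
ALLOWED_SNI = {"voip.example.com", "api.example.net"}  # hypothetical allow-list


def is_rtp(payload: bytes) -> bool:
    """Sanity-check a UDP payload as an RTP packet (RFC 3550 fixed header)."""
    if len(payload) < 12:          # fixed header is 12 bytes
        return False
    if payload[0] >> 6 != 2:       # version field must be 2
        return False
    payload_type = payload[1] & 0x7F
    # PT 72-76 is reserved by RFC 3550 to avoid confusion with RTCP packet types
    return not 72 <= payload_type <= 76


def parse_tls_sni(payload: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello, or None if absent/malformed."""
    try:
        if payload[0] != 0x16:                         # record type: handshake
            return None
        rec_len = struct.unpack("!H", payload[3:5])[0]
        rec = payload[5:5 + rec_len]
        if len(rec) < rec_len or rec[0] != 0x01:       # truncated, or not ClientHello
            return None
        hs_len = int.from_bytes(rec[1:4], "big")
        hs = rec[4:4 + hs_len]
        pos = 2 + 32                                   # skip client_version + random
        sid_len = hs[pos]; pos += 1 + sid_len          # session_id
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher suites
        cm_len = hs[pos]; pos += 1 + cm_len            # compression methods
        if pos >= len(hs):
            return None                                # no extensions block at all
        ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
            ext = hs[pos:pos + ext_len]; pos += ext_len
            if ext_type == 0:                          # server_name extension
                list_len = struct.unpack("!H", ext[0:2])[0]
                q = 2
                while q + 3 <= 2 + list_len:
                    name_type = ext[q]
                    name_len = struct.unpack("!H", ext[q + 1:q + 3])[0]
                    if name_type == 0:                 # host_name
                        return ext[q + 3:q + 3 + name_len].decode("ascii")
                    q += 3 + name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                    # malformed input is not a match


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS ClientHello (test input only); None omits the SNI extension."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni_ext = struct.pack("!HH", 0, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)               # client_version, random
            + b"\x00"                              # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
            + b"\x01\x00"                          # one compression method (null)
            + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def decide(proto: str, dst_port: int, payload: bytes) -> str:
    """Application-aware verdict for one packet: 'allow:<why>' or 'deny:<why>'."""
    if proto == "udp" and dst_port in RTP_PORT_RANGE:
        return "allow:rtp" if is_rtp(payload) else "deny:not-rtp"
    if proto == "tcp" and dst_port == 443:
        sni = parse_tls_sni(payload)
        if sni is None:
            return "deny:no-sni"
        return "allow:sni" if sni in ALLOWED_SNI else "deny:sni-not-allowed"
    return "deny:default"


# Constructed sample packets: an RTP packet (V=2, PT=8) and a non-RTP blob.
RTP_PACKET = bytes([0x80, 0x08, 0x00, 0x01]) + b"\x00\x00\x00\xa0" + b"\xde\xad\xbe\xef" + b"\xff" * 20
NOT_RTP = bytes(12)

if __name__ == "__main__":
    print(decide("udp", 20000, RTP_PACKET))                            # allow:rtp
    print(decide("udp", 20000, NOT_RTP))                               # deny:not-rtp
    print(decide("tcp", 443, build_client_hello("voip.example.com")))  # allow:sni
    print(decide("tcp", 443, build_client_hello("cdn.example.org")))   # deny:sni-not-allowed
```

A real gateway applies this to the first data packet of a tracked flow rather than to every datagram, and both checks are heuristics rather than proof: the RTP test only rejects traffic that does not look like RTP, and the SNI is readable only in a classic ClientHello (Encrypted ClientHello hides it, so a policy that depends on SNI must decide what to do when it is absent).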
guardiangod
You probably should stop buying your favorite brand Palo Alto Network then.
https://www.cvedetails.com/vulnerability-list/vendor_id-1283...
ai-christianson
Do you think we'd be any better off running SONiC?
oneplane
Yes, but you'd run that on your switch and not your edge devices.
Saris
And TP-Link, Ubiquiti, Asus, Linksys, D-Link, Netgear, etc.
I think the only good options are something flashed with up-to-date OpenWrt, or a PC running something like OPNsense.
arminiusreturns
Cisco was in that list too.
bigfatkitten
Cisco ships so many hardcoded creds that you rarely need a vulnerability.
UI_at_80x24
Anything that you can buy off the shelf is compromised.
I use OpenBSD on all my edge devices. It's not perfect but it is superior to 99% of everything else. That combined with poisoning the replies to nmap scans (fingerprinting) puts me in the 'much harder' to compromise category.
"Security through obscurity" isn't security. But "Don't be where your enemies expect you to be" is still good advice.
Also, relying on 1 layer of security is insanity. You need multiple layers, you need isolation.
puffybuf
I highly recommend OpenBSD for firewalls, VPN (WireGuard), and other edge servers. It has served me well. I love how everything is organized.
We need a SOHO replacement for APU2 routers: x86 open schematic hardware with coreboot open firmware, ECC memory resistant to Rowhammer, TPM 2.0 and DRTM secure launch, fanless 6W TDP. PC Engines was a Swiss company with Taiwan manufacturing.
Since APU2 schematics are open, rebooting PC Engines as a US company could be initiated by US leadership requesting AMD to restart production of the ancient AMD GX-412TC SoC, until AMD can ship a Ryzen Embedded alternative with comparable power efficiency. Ryzen Embedded includes dual 10GbE.