Ubiquiti UniFi Security Gateway Firmware Release Notes: 4.4.50-4.4.51

Official Release Notes

Features

  • Added firmware support for netconsole configuration provisioned by the controller (using config under Settings–>Site).

Improvements

  • If IDS/IPS signature update fails for any reason an alert is now sent to the controller with information about the problem. Other improvements also made to signature update process.
  • Now limits permitted SSH MAC algorithms to OpenSSH’s most recent defaults, disabling some older options.
  • Switched speed test to speed.ui.com.
  • Now supports latest hardware revision of USG3.
  • Changed certificate generation parameters for USG’s local web UI so it creates and maintains certificates in accordance with new requirements in macOS Catalina and iOS 13.
  • 4.4.51
    • PPPoE client security update fixes a vulnerability that allows an attacker on the same broadcast domain as your WAN to crash the pppd process, potentially allowing remote code execution.

Bugfixes

  • Fixed GeoIP signature updates.
  • Fixed crash in guest redirector service where a host header is missing in the request.
  • No longer makes unifi resolve to 127.0.0.1 when USG goes into self-run.
  • IDS/IPS signature updates triggered during bootup are delayed until internet connectivity is established.
  • Changed DDNS client configuration format to ensure credentials and hostname are used only with the associated provider.
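As an added example (not part of Ubiquiti's release notes), a small audit script for the SSH MAC change listed under Improvements: it reads an sshd_config-style `MACs` line (or `ssh -Q mac` output, one name per line) and flags algorithm families that OpenSSH has dropped from its defaults, so you can confirm a gateway no longer offers them. The sample configuration is constructed, and the weak-family patterns are an assumption to check against the OpenSSH release notes for your version.

```python
import re

# Constructed sample sshd_config text (not captured from a real USG);
# the algorithm names are real OpenSSH identifiers.
LEGACY_CONFIG = """\
Port 22
MACs hmac-md5,hmac-sha1,hmac-sha1-96,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512-etm@openssh.com
"""

# Assumption: MD5, RIPEMD and 96-bit truncated MACs are the families OpenSSH has
# removed from its defaults. Verify against the release notes for your version.
WEAK_PATTERNS = (re.compile(r"md5"), re.compile(r"ripemd"), re.compile(r"-96(@|$)"))


def parse_macs(config_text):
    """Return the algorithm list from the last 'MACs' directive in sshd_config text.

    Assumes a plain comma-separated list (no +/-/^ prefixes or wildcards)."""
    macs = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("macs "):
            macs = [m.strip() for m in line.split(None, 1)[1].split(",") if m.strip()]
    return macs


def parse_query_output(text):
    """Parse 'ssh -Q mac' output: one algorithm name per line."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def weak_macs(macs):
    """Return the subset of MAC names that match a known-weak family."""
    return [m for m in macs if any(p.search(m) for p in WEAK_PATTERNS)]


def audit(macs):
    """Summarise a MAC list: weak entries, and whether only encrypt-then-MAC variants remain."""
    return {
        "weak": weak_macs(macs),
        "etm_only": bool(macs) and all(m.endswith("-etm@openssh.com") for m in macs),
    }


if __name__ == "__main__":
    print(audit(parse_macs(LEGACY_CONFIG)))
```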

Growing Up the Internet

Roger A. Grimes has written an interesting article for InfoWorld discussing the reality that relatively minor players can take down large segments of the internet, and that many critical systems rely upon the internet. He suggests that overcoming these attacks requires upgrading the internet itself, not just piecemeal upgrades of individual corporations or endpoints.

He recommends two strategies to accomplish this upgrade:

  1. Use of more secure methods of authentication to ensure traffic is being sent from legitimate sources to legitimate recipients.
  2. The creation of centralized services that would be able to analyze web traffic and determine when hostile attacks were occurring and inform other network entities about these.

Read the full article here.

Building Security

Resources on Building Security

If you are interested in securing physical buildings, this post is for you. I’ve assembled a few terms, a lot of vendors, and added various notes on their offerings. There are also some resources at the end of the article for further exploration.

Some Basic Things to Note

  • Building Security can cover a number of technologies including:
    • Access Control – Who can get in and out of the building, through which doors, and when.
    • Intrusion Detection – Notifications when the building has been breached – e.g., a door has been forced open or a window has been smashed.
    • Cameras – Indoors and outdoors.

Vendors

  • Allegion
    • One of their brands appears to be Schlage.
    • Their consumer-based site is more easily navigable, but doesn’t include the advanced features for commercial use.
    • Their Schlage AD Networked (Wireless) locks appear to cost around $1k each. They are meant for doors with a regular handle, not those usually associated with external entrances.
    • Also offers a line called ENGAGE.
  • ASSA ABLOY
    • Sargent Lock – Options don’t appear as robust as SALTO.
    • Yale Locks & Hardware
    • Under their own name offer PROTEC2 CLIQ, which appears to allow for programmable keys to be used with mechanical locks.
    • Also under their own name is Aperio, which is a wireless solution. It appears to be used as an integration into existing AC solutions rather than one on its own.
  • Bosch Security
    • Offers the AMC2 for 1-8 doors. Expansion cards allow one to add additional doors; depending on the model, each card can handle another eight or sixteen doors.
    • Offers a number of different types of card readers, including proximity and biometric.
    • Their Access Professional software can manage up to 10k records.
    • Also has the Access Easy Control System which appears to be quite scalable.
    • Concluding Thought: Could be more IP / wireless / smartphone / etc. based.
  • Cloudastructure
    • An Access Control solution as a service, also provides video.
    • Pricing is per door for access control. Without a contract this is $16.50/mo. if paid annually.
    • Cost for hardware is $349/door without a BBU, or $699/door with a BBU.
    • You don’t have to use their cloud surveillance service with cameras, but if you choose to do so cost is $20.75/mo. per camera when paid annually.
    • Supports any readers that output in the Wiegand format.
    • Equipment is guaranteed for life.
  • CPI Security
    • Looks interesting, offers home and business systems.
  • Genetec
    • Impressive series of solutions.
    • Supports ASSA, SALTO, and Allegion locks (all provide wireless options).
  • Honeywell
  • IDenticard
    • Offers the PremiSys Access Control System
      • PremiSys LT – up to 8 doors.
      • PremiSys – up to 40 doors.
      • PremiSys Pro – unlimited doors.
        • Pricing on the site indicates cost is $3,495 for a single network license.
    • PremiSys includes smartphone access.
    • There is also a PremiSys NDE option which integrates with Schlage (Allegion’s) NDE locks.
  • Johnson Controls
    • Merging with Tyco.
  • Keri Systems
    • NXT System – Hardware, integrates directly with existing IP network.
      • PXL-500 is their legacy system.
    • Doors.NET – Software, written using .NET Framework and SQL Server.
      • Doors 32 is their legacy system. It is available as a free download.
    • Also has other solutions – e.g., telephone based access control, single door controller.
  • Keyscan Access Control Systems
  • Lenel
    • Offers integrated solutions for access control (OnGuard), video (Prism, Lenel NVR), intrusion, and fire.
    • OnGuard
      • Has a self-service component allowing individuals to easily request new clearances.
  • ProdataKey (PDK)
    • Offers a wireless mesh access control system.
    • Requires an appliance, which can be virtual or physical, that acts as the brains of the system.
    • One can purchase single or eight door controllers, which communicate back to the central appliance.
    • Gateways allow for connecting multiple buildings.
    • They also sell repeaters to strengthen signal.
  • S2 Security
    • Offers Access Control Systems as well as Video Systems.
    • Access Control Systems
      • S2 NetBox – For up to 32 portals.
      • S2 NetBox Extreme – For up to 128 portals.
        • Has the ability to oversee multiple locations.
      • S2 NetBox Enterprise – For up to 7,000 portals, available in an HA configuration.
      • Also S2 Global.
      • Difficult to find pricing.
  • SALTO Systems
    • Offers several innovative product lines, integrates with Tyco’s Software House.
    • Biggest downside is that while smartphone-as-identity support exists, one has to launch and interact with an app to utilize it.
    • Another (possible) downside is that it uses the ZigBee protocol. This means less energy consumption for wireless devices, but also that it has to maintain its own network in addition to the Wi-Fi network.
  • Tyco Security Products
    • CEM Systems – Sells the AC2000 series.
    • Kantech – Offers “starter kits” that come prepackaged with necessary equipment.
      • Each enclosure controls 8-12 doors.
    • Software House
      • C•CURE is their overall system, integrating access control, security, and video.
      • iSTAR Ultra Door Controller – Controls up to 32 doors.
  • Vanderbilt Industries
    • Access Control Systems
      • lite blue – 2-8 door.
      • bright blue – 32 door.
      • SMS
    • Also carries security video.
  • Viscount Systems
    • Access Control Systems
      • Supposed to be “IT-centric”, doesn’t require “control panels.”
      • Allows for smartphone authentication.
      • This company looks fairly amazing, but what is the pricing?

Other Vendors

Resources

Firewalls

This document provides some resources on firewalls including terms, features to look for, and vendors.

Terms Not Defined Elsewhere

  • Stateful Firewall – Tracks the state of connections and inspects traffic at the protocol level.
  • Next Generation Firewall – Inspects applications.

Vendors

  • Astaro
  • Check Point Software
  • Cisco Systems
    • Meraki
  • Fortinet
  • Juniper Networks
  • McAfee
  • Palo Alto Networks
  • SonicWALL

Features to Look For

  • VLAN Support – Ability to create VLANs to separate traffic.
    • Ubiquiti UniFi Security Gateway – Supports.
    • Meraki MX400 Security Appliance
  • IPSec VPN Support – Allows remote clients to establish a VPN connection to the network.
    • Meraki MX400 Security Appliance – Supports.
  • Site-to-Site Virtual Private Network (VPN) Support – Ability to create a VPN between two sites.
    • Ubiquiti UniFi Security Gateway – Supports.
    • Meraki MX400 Security Appliance – Supports.
  • Quality of Service (QoS) Support – Ability to prioritize some network traffic over other types of traffic.
  • Ports – How many ports will you need incoming and outgoing? Of what type?
    • Ubiquiti UniFi Security Gateway
      • 2x 1Gb RJ45 ports, 2x 1Gb RJ45/SFP Combination Ports.
      • 1x RJ45 Serial Port (Console).
    • Meraki MX400
      • 12x GbE.
      • 8x GbE (SFP).
      • 2x 10 GbE (SFP+).
  • Layer 3 Forwarding Performance
    • Ubiquiti UniFi Security Gateway
      • Packet Size of 64 Bytes – 2,400,000 pps.
      • Packet Size of 512 Bytes or Larger – 4 Gbps (Line Rate).
  • Processors/Memory/Storage
    • Ubiquiti UniFi Security Gateway
      • Dual-Core 1 GHz, MIPS64 w/Hardware Acceleration for Packet Processing.
      • 2 GB DDR3 RAM.
      • 4 GB Flash Storage.
  • Redundant Power
  • 3G/4G Modem Support
  • Recommended Maximum Clients
    • Meraki MX400 Security Appliance – 2,000.
  • Stateful Firewall Throughput
    • Meraki MX400 Security Appliance – 1 Gbps.
  • Advanced Security Throughput
    • MX400 – 1 Gbps
  • Maximum VPN Sessions
    • MX400 – 1,000
  • Layer 7 Application Type Filtering – Ability to filter traffic at the application level – e.g., P2P, video games, etc.
    • Meraki MX400 Security Appliance – Supports.
    • Ubiquiti UniFi Security Gateway
  • Content Filtering
    • Meraki MX400 Security Appliance – Supports.
  • Intrusion Prevention (IPS)
    • Meraki MX400 Security Appliance – Uses a PCI-compliant IPS that utilizes the Snort signature database from Cisco Sourcefire.
  • Antivirus / Antiphishing
    • Meraki MX400 Security Appliance – Uses Kaspersky.
  • Identity Based Security Policies and Application Management
    • Meraki MX400 Security Appliance – Supports.
  • Branch Gateway Services
    • DHCP
    • NAT
  • Web Caching – Cache frequently accessed content.
  • Load Balancing – Combines multiple ISP links into a single high-speed source.
  • Warranty

Comparisons


Further Resources

Do We Really Need to Worry About Security?

Sometimes businesses don’t take security seriously. Here are a few articles that might help you change your employer’s mind: