Ubiquiti UniFi Security Gateway Firmware Release Notes: 4.4.50-4.4.51

Official Release Notes

Features

  • Added firmware support for netconsole configuration provisioned by the controller (using config under Settings–>Site).

Improvements

  • If IDS/IPS signature update fails for any reason an alert is now sent to the controller with information about the problem. Other improvements also made to signature update process.
  • Now limits permitted SSH MAC algorithms to OpenSSH’s most recent defaults, disabling some older options.
  • Switched speed test to speed.ui.com
  • Now supports latest hardware revision of USG3.
  • Changed certificate generation parameters for USG’s local web UI so it creates and maintains certificates in accordance with new requirements in macOS Catalina and iOS 13.
  • 4.4.51
    • PPPoE client security update: fixes a vulnerability that lets an attacker on the same Layer 2 broadcast domain as the WAN interface crash the pppd process, potentially allowing remote code execution. Because the attacker has to sit on the WAN's broadcast domain (for example, the ISP access segment), the exposure is to peers on that segment rather than to arbitrary hosts on the internet.
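The SSH MAC change above is easy to undo later with a stale sshd_config, so here is an added example (not Ubiquiti's code and not the firmware's own check) that audits an sshd_config against OpenSSH's default MAC list. The default list is taken from sshd_config(5) for OpenSSH 8.x and is an assumption of the example, as are the sample configs and the function names; the example also handles the `+`, `-` and `^` list modifiers from sshd_config(5), which goes beyond the single case the release note describes.

```python
import re
from fnmatch import fnmatch

# OpenSSH's default MAC list as documented in sshd_config(5) for OpenSSH 8.x.
# This is the assumed baseline for the example; confirm it against `ssh -Q mac`
# and the man page of the OpenSSH version actually installed.
OPENSSH_DEFAULT_MACS = [
    "umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
    "hmac-sha1-etm@openssh.com", "umac-64@openssh.com", "umac-128@openssh.com",
    "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1",
]

_MACS_LINE = re.compile(r"^macs[\s=]+(\S+)$", re.IGNORECASE)


def macs_directive(sshd_config):
    """Return the value of the first active `MACs` directive, or None.

    sshd_config(5): for each keyword the first obtained value wins, so a
    later, stricter `MACs` line does not override an earlier weak one.
    Only whole-line comments are recognised, as in sshd itself.
    """
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _MACS_LINE.match(line)
        if m:
            return m.group(1)
    return None


def effective_macs(value):
    """Expand a MACs value into the list sshd will offer.

    A leading '+' appends to the defaults, '-' removes from them (wildcards
    allowed), '^' puts the named algorithms at the head of the default list;
    no prefix replaces the list outright.
    """
    if value is None:
        return list(OPENSSH_DEFAULT_MACS)
    mode = value[0] if value[0] in "+-^" else ""
    names = value[len(mode):].split(",")
    if mode == "+":
        return OPENSSH_DEFAULT_MACS + [n for n in names if n not in OPENSSH_DEFAULT_MACS]
    if mode == "-":
        return [m for m in OPENSSH_DEFAULT_MACS if not any(fnmatch(m, n) for n in names)]
    if mode == "^":
        return names + [m for m in OPENSSH_DEFAULT_MACS if m not in names]
    return names


def audit_macs(sshd_config):
    """Return (offered, weak): every MAC sshd would offer, and those outside the default set."""
    offered = effective_macs(macs_directive(sshd_config))
    weak = [m for m in offered if m not in OPENSSH_DEFAULT_MACS]
    return offered, weak


# Constructed sample configs (not taken from any real device).
# Weak: re-enables hmac-md5; the second MACs line is ignored because the first wins.
LEGACY_CONFIG = """\
Port 22
# legacy client compatibility, never revisited
MACs hmac-md5,hmac-sha1,umac-64@openssh.com
MACs hmac-sha2-256-etm@openssh.com
"""

# Corrected: start from the defaults and only subtract, so nothing outside the
# default set can creep back in. Having no MACs line at all also yields the
# defaults, which is the state the release note describes.
HARDENED_CONFIG = """\
Port 22
MACs -hmac-sha1*,umac-64*
"""

if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_CONFIG), ("hardened", HARDENED_CONFIG)):
        offered, weak = audit_macs(cfg)
        print(f"{name}: offers {len(offered)} MACs, outside OpenSSH defaults: {weak}")
```

On a live host, `sshd -T | grep -i macs` prints the effective list after all parsing rules have been applied, and `nmap --script ssh2-enum-algos -p 22 <host>` shows what the server actually offers on the wire; the audit above is for checking configs at rest, for example in a config repository before deployment.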

Bugfixes

  • Fixed GeoIP signature updates.
  • Fixed crash in guest redirector service where a host header is missing in the request.
  • No longer makes the hostname unifi resolve to 127.0.0.1 when the USG goes into self-run mode.
  • IDS/IPS signature updates triggered during bootup are delayed until internet connectivity is established.
  • Changed DDNS client configuration format to ensure credentials and hostname are used only with the associated provider.

Ubiquiti UniFi Security Gateway Release Notes: 4.3.49, 4.3.60, 4.4.12, 4.4.18

From 4.4.12 to 4.4.18

  • Official release notes are here.

From 4.4.8 to 4.4.12

  • Official release notes are here.
  • Fixed crash in “mcad” when there were DHCP leases with hardware addresses longer than an actual MAC address.
  • Included more packages with debug symbols available to help diagnose crashes from submitted core files.
  • Fixed crash in ubnt-util.
  • Fixed crash in “redirector”.
  • Removed GeoIP back end because of a variety of problems; it will be reintroduced once these issues are fixed.
  • Fixed DHCPv6 client problem causing renewal failures in some circumstances.
  • Made DDNS back end updates in preparation for expanding DDNS support in controller.
  • L2TP VPN permitted encryption algorithms tightened to remove weak ciphers.
  • Made additions to UniFi reporting back end for IPv6.
  • USG-XG-8 Specific
    • Made several display-related fixes and improvements.
    • Made improvements to fan control to reduce noise when fans are operating at low speeds.
    • Made additions to Bluetooth backend.
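The mcad crash above came from DHCP lease records whose hardware address was longer than a MAC, the classic shape of a fixed-size-buffer assumption. As an added example (not the firmware's code; mcad's own parser is not public), here is a Python parser for dhcpd.leases text, the format written by the ISC DHCP server the USG uses, that validates the hardware-address length per hardware type and records anomalies instead of assuming six bytes. The sample lease file, the HW_ADDR_LEN table and the function names are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Expected hardware-address length per dhcpd `hardware <type>` keyword.
# Only the types dhcpd itself accepts are listed; each is 6 bytes (assumed table).
HW_ADDR_LEN = {"ethernet": 6, "token-ring": 6, "fddi": 6}


@dataclass
class Lease:
    ip: str
    hw_type: str = ""
    hw_addr: bytes = b""
    state: str = ""
    hostname: str = ""
    anomalies: list = field(default_factory=list)


_LEASE_BLOCK = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.DOTALL)


def parse_leases(text):
    """Parse dhcpd.leases text into Lease records without assuming 6-byte addresses.

    Statements are split on ';'. Quoted values that themselves contain ';' or
    '}' are not handled (a simplification; uid strings use octal escapes).
    A malformed or oversized hardware address is kept and flagged, never
    truncated or copied into a fixed-size field.
    """
    leases = []
    for block in _LEASE_BLOCK.finditer(text):
        lease = Lease(ip=block.group(1))
        for stmt in block.group(2).split(";"):
            parts = stmt.split()
            if not parts:
                continue
            if parts[0] == "hardware" and len(parts) == 3:
                lease.hw_type = parts[1]
                try:
                    lease.hw_addr = bytes.fromhex(parts[2].replace(":", ""))
                except ValueError:
                    lease.anomalies.append(f"unparseable hardware address {parts[2]!r}")
                    continue
                expected = HW_ADDR_LEN.get(lease.hw_type)
                if expected is None:
                    lease.anomalies.append(f"unknown hardware type {lease.hw_type!r}")
                elif len(lease.hw_addr) != expected:
                    lease.anomalies.append(
                        f"{lease.hw_type} address is {len(lease.hw_addr)} bytes, expected {expected}")
            elif parts[:2] == ["binding", "state"] and len(parts) == 3:
                lease.state = parts[2]
            elif parts[0] == "client-hostname" and len(parts) >= 2:
                lease.hostname = " ".join(parts[1:]).strip('"')
        leases.append(lease)
    return leases


def clean_macs(leases):
    """Map IP -> colon-separated MAC for leases whose hardware address validated."""
    return {l.ip: l.hw_addr.hex(":") for l in leases if not l.anomalies and l.hw_addr}


def anomalies(leases):
    """Flatten (ip, message) pairs for everything a reporting layer should not trust."""
    return [(l.ip, msg) for l in leases for msg in l.anomalies]


# Constructed sample (not a real lease file): one normal lease and one whose
# hardware address is 10 bytes, the shape described in the release note.
SAMPLE_LEASES = """\
lease 192.168.1.23 {
  starts 3 2020/03/04 10:00:00;
  ends 3 2020/03/04 22:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
  uid "\\001\\000\\021\\"3DU";
  client-hostname "laptop";
}
lease 192.168.1.77 {
  binding state active;
  hardware ethernet 00:11:22:33:44:55:66:77:88:99;
  client-hostname "odd-client";
}
"""

if __name__ == "__main__":
    parsed = parse_leases(SAMPLE_LEASES)
    print("usable:", clean_macs(parsed))
    print("flagged:", anomalies(parsed))
```

The point of the two accessor functions is that downstream code only ever consumes validated addresses, while the oversized record is still visible to whoever investigates it rather than silently dropped or, as in the crash, silently copied somewhere too small.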

From 4.3.49 to 4.3.60

  • Official release notes are here.
  • Implemented route metric changing on load-balance status changes.
    • Fixes WAN failover issues with L3 adopted USGs and improves multi-WAN failover functionality generally.
  • Fixed multi-WAN regressions in 4.3.46 to 4.3.49 picked up from EdgeRouter 1.9.7.
  • Implemented new local web UI on USG.
    • Fixes a variety of long-standing bugs with old UI and adds ability to configure LAN IP and DHCP server.
  • Updated ISC DHCP version.
    • May fix problems in some edge cases with multiple DHCP WANs and recovery after ethernet link loss.
  • Added back end for custom host-uniq for PPPoE.
  • Implemented fixes for some uses of multiple routing tables (only impacts some config.gateway.json VPN configurations).

From 4.3.48 to 4.3.49

  • Official release notes are here.
  • Updated additional load-balance components from latest EdgeRouter which fixed part of multi-WAN regressions in 4.3.46-4.3.48.
  • Fixed source NAT over-matching from port-forward hairpin NAT.
    • Previously all traffic sourced from the LAN subnet and leaving the LAN interface was translated, so any LAN host the router forwarded to saw the router's address instead of the real client; the rule is now narrowed to match only port-forward hairpin traffic.
  • Sends PADT on PPPoE disconnect, which fixes an edge case where PPPoE fails to reconnect when an ISP is using a buggy PPPoE relay that doesn't detect loss of the PPP session.
  • Added contiguous option to back end for firewall rule schedules.
  • Removed unnecessary character restrictions on site to site IPsec pre-shared keys.
  • Fixed “dpi.dpi_pktinfo_send(): failure to send UGW wevent” log spam.
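The hairpin-NAT over-matching item above comes down to how broad the source-NAT match is. The following added example (not Ubiquiti's code or configuration) models the two rule shapes as data and shows which flows each one translates. The interface names, subnet, forwarded host and port, the flows, and the iptables lines quoted in the comments are assumptions for illustration; the USG's own rules live in its Vyatta-style configuration rather than in raw iptables.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """A packet as seen at POSTROUTING, i.e. after any DNAT has rewritten dst."""
    src: str
    dst: str
    proto: str
    dport: int
    out_if: str


@dataclass(frozen=True)
class SnatRule:
    """A source-NAT (masquerade) rule; None fields are wildcards."""
    out_if: str
    src_net: str
    dst_host: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return (
            f.out_if == self.out_if
            and ip_address(f.src) in ip_network(self.src_net)
            and (self.dst_host is None or ip_address(f.dst) == ip_address(self.dst_host))
            and (self.proto is None or f.proto == self.proto)
            and (self.dport is None or f.dport == self.dport)
        )


# Assumed topology: LAN 192.168.1.0/24 on eth1, WAN on eth0, and a port
# forward of WAN:443 -> 192.168.1.50:443.
LAN_IF, LAN_NET, FORWARD_HOST, FORWARD_PORT = "eth1", "192.168.1.0/24", "192.168.1.50", 443

# Over-broad shape (the pre-4.3.49 behaviour described in the note); iptables equivalent:
#   iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE
OVERBROAD = SnatRule(out_if=LAN_IF, src_net=LAN_NET)

# Narrowed shape: only the hairpinned traffic to the forwarded service; iptables equivalent:
#   iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d 192.168.1.50 -p tcp --dport 443 -j MASQUERADE
NARROWED = SnatRule(out_if=LAN_IF, src_net=LAN_NET,
                    dst_host=FORWARD_HOST, proto="tcp", dport=FORWARD_PORT)

# Constructed flows.
# A LAN client connected to the WAN address; DNAT already rewrote dst to the server.
# This one must be SNAT'd, otherwise the server replies directly to the client on
# the same subnet and the client drops the reply as not belonging to its connection.
HAIRPIN = Flow("192.168.1.10", "192.168.1.50", "tcp", 443, "eth1")
# LAN-to-LAN traffic the router happens to forward; SNAT here hides the real client.
LAN_VIA_ROUTER = Flow("192.168.1.10", "192.168.1.20", "tcp", 22, "eth1")
# Ordinary outbound traffic, covered by the separate WAN masquerade rule, not these.
LAN_TO_WAN = Flow("192.168.1.10", "203.0.113.9", "tcp", 443, "eth0")


def translated(rule: SnatRule, flows):
    """Return the flows whose source address the rule would rewrite to the router's."""
    return [f for f in flows if rule.matches(f)]


if __name__ == "__main__":
    sample = [HAIRPIN, LAN_VIA_ROUTER, LAN_TO_WAN]
    for name, rule in (("over-broad", OVERBROAD), ("narrowed", NARROWED)):
        print(name, "translates:", [f"{f.src}->{f.dst}:{f.dport}" for f in translated(rule, sample)])
```

The practical check after any hairpin-NAT change is the same as what the matcher shows: from a LAN host, connect to another LAN host through the router and confirm the far side's logs still record the client's real address, then connect to the forwarded service via the WAN address and confirm it still works.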

Firewalls

This document provides some resources on firewalls including terms, features to look for, and vendors.

Terms Not Defined Elsewhere

  • Stateful Firewall – Tracks the state of each connection (for example, the TCP handshake and established UDP exchanges) and filters packets based on that state, so return traffic for a permitted session is allowed without a separate rule.
  • Next Generation Firewall – Adds inspection at the application layer (identifying the application regardless of port), typically together with intrusion prevention and identity-based policy.

Vendors

  • Astaro
  • Check Point Software
  • Cisco Systems
    • Meraki
  • Fortinet
  • Juniper Networks
  • McAfee
  • Palo Alto Networks
  • SonicWALL

Features to Look For

  • VLAN Support – Ability to create VLANs to separate traffic.
    • Ubiquiti UniFi Security Gateway – Supports.
    • Meraki MX400 Security Appliance
  • IPsec VPN Support – Allows remote clients to establish a VPN connection to the network.
    • Meraki MX400 Security Appliance – Supports.
  • Site-to-Site Virtual Private Network (VPN) Support – Ability to create a VPN between two sites.
    • Ubiquiti UniFi Security Gateway – Supports.
    • Meraki MX400 Security Appliance – Supports.
  • Quality of Service (QoS) Support – Ability to prioritize some network traffic over other types of traffic.
  • Ports – How many ports will you need incoming and outgoing? Of what type?
    • Ubiquiti UniFi Security Gateway
      • 2x 1Gb RJ45 ports, 2x 1Gb RJ45/SFP Combination Ports.
      • 1x RJ45 Serial Port (Console).
    • Meraki MX400
      • 12x GbE.
      • 8x GbE (SFP).
      • 2x 10 GbE (SFP+).
  • Layer 3 Forwarding Performance
    • Ubiquiti UniFi Security Gateway
      • Packet Size of 64 Bytes – 2,400,000 pps.
      • Packet Size of 512 Bytes or Larger – 4 Gbps (Line Rate).
  • Processors/Memory/Storage
    • Ubiquiti UniFi Security Gateway
      • Dual-Core 1 GHz, MIPS64 w/Hardware Acceleration for Packet Processing.
      • 2 GB DDR3 RAM.
      • 4 GB Flash Storage.
  • Redundant Power
  • 3G/4G Modem Support
  • Recommended Maximum Clients
    • Meraki MX400 Security Appliance – 2,000.
  • Stateful Firewall Throughput
    • Meraki MX400 Security Appliance – 1 Gbps.
  • Advanced Security Throughput
    • MX400 – 1 Gbps
  • Maximum VPN Sessions
    • MX400 – 1,000
  • Layer 7 Application Type Filtering – Ability to filter traffic at the application level – e.g., P2P, video games, etc.
    • Meraki MX400 Security Appliance – Supports.
    • Ubiquiti UniFi Security Gateway
  • Content Filtering
    • Meraki MX400 Security Appliance – Supports.
  • Intrusion Prevention (IPS)
    • Meraki MX400 Security Appliance – Uses a PCI-compliant IPS built on the Snort signature database from Cisco Sourcefire.
  • Antivirus / Antiphishing
    • Meraki MX400 Security Appliance – Uses Kaspersky.
  • Identity Based Security Policies and Application Management
    • Meraki MX400 Security Appliance – Supports.
  • Branch Gateway Services
    • DHCP
    • NAT
  • Web Caching – Cache frequently accessed content.
  • Load Balancing – Distributes traffic across multiple ISP links and fails over between them. Each flow still uses one link at a time, so it raises aggregate throughput and availability rather than the speed of any single connection.
  • Warranty

Comparisons

 

Further Resources