SonicWall suggests people unplug their end-of-life gateways under 'active attack' by ransomware crims

SonicWall has warned that its older Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) gateways are being attacked in the wild by crooks to spread ransomware – and as some of those devices are end-of-life, don't expect any patches to protect them. In an emergency alert on Wednesday, the networking biz said …

  1. Dwarf

    Marketing opportunity

    They see it as a marketing opportunity for new stuff. Customers will simply look at the attitude of not protecting their business and go elsewhere.

    Bad plan SonicWall.

    The right thing to do is to go the extra mile and patch the problem so that customers think hey, they helped us, perhaps we should consider them for our next purchases.

    1. big_D

      Re: Marketing opportunity

      What? They are offering a free workaround until the customers can sort out a supported solution - either from SonicWall or from somewhere else.

      At least they are a) informing their customers and b) offering them a virtual solution to replace old kit that is out of support.

      I don't know what more they could do? If the kit is so old that it can't be upgraded (and in one case for over half a decade), why are the devices even still in use?

      We are talking about front-line security here, not an ancient CNC machine on the production line that can be isolated from the network, once it is out of support.

      1. Dwarf

        Re: Marketing opportunity

        @big_D

        The free option is a trojan horse - with the hope of the longer sale.

        Half a decade is also known as 5 years, it's very common for people to keep kit for 4 years minimum. The throw away culture needs to stop. The standard EU expectation is that products last for 7 years.

        Precisely for the reason you indicated - perimeter security is exactly why the vendors need to stand by their products and ensure that they work for a long period of time. Other vendors manage it quite easily, so can SonicWall.

        1. big_D

          Re: Marketing opportunity

          The kit was end of support in 2015. That meant, it had been supported for however many years and was then end of lifed in 2015, so probably a few years after it went out of production.

          They didn't stop selling it in 2015, they stopped selling support and providing updates in 2015, so I'm guessing the kit is at least 8 to 10 years old.

          And, at the end of the day, of course they are hoping that the customers will accept the goodwill gesture and buy new equipment from them, but they won't not give it to them or suddenly give them an invoice, if they go elsewhere.

          And, if the customers are unhappy with the length of time the kit is supported, they should absolutely go elsewhere and look for kit with better support. But, if it is on the Internet (and doubly so, if it is providing your security perimeter), it needs to be in support and regularly patched! If it isn't in support and it isn't patched, you might as well stick up a sign saying "Fire Sale!" or "all you can eat buffet."

  2. Potemkine! Silver badge

    Planned obsolescence

    If a security equipment provider stops updating its products, be sure the next one we buy will be provided by somebody else.

    1. Mishak Silver badge

      Yep

      Exactly the sort of product for which updates should be mandatory well beyond "last sell". It's shocking that there are 2014 devices that are no longer supported - at the very least, from the environmental impact POV of having to replace and dispose.

    2. big_D

      Re: Planned obsolescence

      Every product has an end of life, especially in security, where ever more horsepower is required to cope with actual threats.

      It is annoying that the kit gets too slow and under-powered to keep up, but that has been the IT way for over 40 years.

      The question is, if people know the device that is keeping their network safe hasn't, itself, been safe for over half a decade, why is it still even online?

      It is a pain, but a fact of life, that threats keep improving and the security hardware has to constantly play catch-up. I don't like it, but I have to keep my company protected, so I have to calculate in the regular maintenance and replacement of security kit...

  3. Anonymous Coward

    SonicWall were good 20 years ago

    But then they just got greedy.

    I moved to a NetGate appliance 5 years ago (runs open source firmware) and have never looked back.

    1. Jeffrey Nonken

      Re: SonicWall were good 20 years ago

      They got bought out by, hmm, Dell I think? Soon as that happened I gave up on them. Around 10 years ago IIRC.

      Eh, my unit was already obsolete by then, so no great loss.

  4. Dan 55 Silver badge
    Devil

    So is this like WD My Book Live?

    Where customers who bought devices which were then EOL'd weren't told at the time that they're on their own because it's bad PR? Apparently it's better PR for the devices to get owned and their data lost a few years later.

  5. alain williams Silver badge

    "too out of date for SonicWall to patch"

    Not true, they still have the source code so they could patch but they do not want to as they would rather sell a new box.

  6. Santa from Exeter

    EOL

    Jesus people. All this bashing of SonicWall when these things went EOL *7 Years* ago!

    If you are still using Network Edge kit that went EOL that long ago you need to take a long hard look at your Security policies!

    1. Mishak Silver badge

      Depends...

      Why was it EOL'ed? Was it because:

      1) It is no longer capable of doing the job;

      2) The manufacturer didn't want to keep supporting it.

      Either way, they should be required to fix security vulnerabilities (a.k.a "defects") in products that are EOL where it can reasonably be expected that a significant number are still in service. We need to stop the creation of scrap when it can reasonably be prevented.

    2. alain williams Silver badge

      Re: EOL

      "Jesus people. All this bashing of SonicWall when these things went EOL *7 Years* ago!"

      When I have bought things I do not remember seeing something that says "This will EOL in 2022", or similar. But the EOL date is becoming increasingly important.

      Maybe the EOL date should be mandated to be big and obvious on the box & web site.

  7. Anonymous Coward
    Facepalm

    Stop it people

    If you read the article it specified the unpatched firmware version (8x) that is no longer supported. To quote SonicWall, "The exploitation targets a known vulnerability that has been patched in newer versions of firmware."

    If you had the budget to care about security, you would have already installed the free firmware updates to version 9x and then to version 10x and you wouldn't be in this mess.

    It's not a "marketing opportunity" or "planned obsolescence". It's a red flag that security is not an install and forget business.

  8. JWLong Silver badge

    Snonic-Hole

    They don't support v.8 or less because they are cheap capitalists that want to sell more cheap shit for a major price increase.

    End of Story
