Sonic Wall, FortiNet, Cisco, all the rest: aren't they supposed to be protecting their customers' networks?
SonicWall flags critical bug likely exploited as zero-day, rolls out hotfix
SonicWall is warning customers of a critical vulnerability that was potentially already exploited as a zero-day. The bug affects SonicWall's Secure Mobile Access (SMA) line, specifically the SMA 1000 product. The company stated in an advisory on Thursday that a remote unauthenticated attacker could execute arbitrary OS …
COMMENTS
-
Thursday 23rd January 2025 18:41 GMT John Klos
SonicWall is still a thing?
With their comically bad approach to security - security through stupidity, I call it - I'm surprised that anyone still buys SonicWall.
From EOL'ing devices that are literally identical hardware to new devices, to charging for security updates even when still in warranty, to having tech support that tells us nonsense such as how we can't have arbitrarily long TCP connection timeouts because all TCP connections must expire quickly (let's assume we're not talking about past 2038 and just talking about connections that could live multiple days or weeks), about how ALL computers connected directly to the Internet will be compromised without firewalls, about how forging RSTs between machines communicating across local subnets is a FEATURE, is good and "improves security", about how VPNs are "complex" and SonicWall-to-SonicWall connections that don't work consistently are a "normal and expected" problem...
I have quotes saved from SonicWall support about all these things. They must be really good at marketing.
-
Thursday 23rd January 2025 20:40 GMT Nate Amsden
Re: SonicWall is still a thing?
I've been using SonicWall as basically L4 firewalls and site-to-site VPN since early 2012 without much issue. The current firewalls go EOL next year, which would make about 8 years of service for those Gen 6 units. I think their SSL VPN on the firewalls is no good (though usable for the most basic use cases). I remember evaluating their SMA SSL appliances many years ago and ruled them out right away as they lacked the ability to do full Duo prompt integration (SonicWall firewalls can't either). Their early Gen 7 stuff was pretty buggy, though it seems better now. Gen 5 was OK for me as well (my first exposure to SonicWall).
For me, initially SonicWall was only going to be used as a site-to-site VPN, and speaking of marketing, the VAR I was working with at the time (knowing my use case of IPsec VPN ONLY) was trying to push Palo Alto firewalls to me at probably 4-6x the cost. PAN is a fine product but super overkill for only site-to-site VPN (and the suggested model had a fraction of the IPsec throughput of SonicWall). I have since expanded use cases to layer 4 edge firewalls as well, and they work fine in that regard, with very few issues. I haven't touched their layer 7 stuff, assuming there are more bugs there.
As for long TCP timeouts, it all depends on how long you want. I don't think I've ever needed to set something for longer than an hour or two. I did work at one place where the network engineer set their Cisco ASAs to have ~1 week timeouts, then struggled with semi-quarterly firewall outages where they had to power cycle both firewalls to get them working again. Neither they nor Cisco support were smart enough to do something as simple as check the state table, then realize hey, those 500k entries are the limit of the hardware, then check the timeouts... After I joined and saw that happen I had him fix it, and started monitoring it; states never went above about ~2000 after that, and nobody complained that I recall. The original reason for the 1 week timeouts, he said, was that people were complaining their sessions were being killed.
-
Thursday 23rd January 2025 21:08 GMT Anonymous Coward
Re: SonicWall is still a thing?
"how ALL computers connected directly to the Internet will be compromised without firewalls"
I remember turning on incoming-connection logging on my router 20 years ago. There were a couple attempts per minute to get to common Windows ports. ISTR reading that the average time for an unprotected XP machine (20 years ago!) that was net-accessible to be compromised was under 15 minutes. I have no reason to believe these things have changed.
-
Monday 27th January 2025 06:31 GMT harrys
Always wondered why people would choose this for their SME customers over pfSense?
First time I came across a SonicWall, I looked at its pricing structure and thought jeez, the money I can save the customer with a vastly superior, but above all OPEN SOURCE, product.
Swapped over quite a few in my time.
closed source ..... "sales tactic to maximize revenue by hiding technical debt" :)