Routers, Firewalls, Open Source and You!

I recently read this article from Bitdefender regarding a study done by ACI about vulnerabilities found in consumer routers.  The study offers some good information and some bad information so I wanted to set the record straight!

You might be wondering why I, a provider of technology solutions for businesses, would care to comment and write a response article about something related to consumer technology.  The answer to that question is that many times I find that small businesses are using these consumer grade products because they are easy to get and they’re cheap.  These businesses have either been given the poor advice that this is OK or they’re simply uninformed.  So the purpose of my response is to better inform you!

First let’s look at the root of the issue.  All of the routers listed in the study are vulnerable to attacks because they are not patched properly by firmware updates from the manufacturer.  This is because the manufacturer isn’t supplying patches or the user is not downloading and applying the patches.  Additionally, the ACI study says that even some of the latest firmware from certain vendors failed to address existing vulnerabilities.  Meaning that even if you patched your firmware you’d still be open to attack.

So far so good, this all sounds pretty legit to me!  Unfortunately they digress…

The ACI study claims that the issues are also due to the manufacturer’s use of open source code.  The study states, “As vulnerabilities are found in open source code, the numerous router manufacturers may or may not take the necessary steps to patch these vulnerabilities when fixes become available.”  And, “Firmware is more and more frequently built on open source code, which is, as many believe, to be more prone to hacking.”  This last statement they’ve attributed to another article (*ahem*, opinion) from 2010 that suggests that “open source” = “an open door” for hackers.  The Bitdefender article adds to that statement and says, “A reason for this is open access to the source code.”

This is where I have to stop and disagree!  Open source is not an “open door” for hackers.  Blaming open source for the manufacturer failing to send out a patch related to an open source vulnerability is lazy.  Think of it this way…  A home builder (manufacturer) comes and builds you a house (router) for which you pay him and he hands you the keys and walks away.  A year later your shower (firmware) leaks (vulnerability) and needs an upgrade and you sit and wait for the builder to do it but he doesn’t so you blame him for your leaky (vulnerable) shower.  However, it’s not his responsibility.  It’s yours!  You can pay the builder for a new bathroom (router) or you can do it yourself (download the patch).  But don’t blame the builder.

Clearly open source is not the reason why these routers are vulnerable. The real issue is the lack of proper patching. Consumer-based routers don’t automatically check for updates, and how many normal consumer users check on their own? Very few.

Also, think about this.  Microsoft Windows, the world’s largest closed source platform, is constantly receiving security patches for known vulnerabilities so that hackers can’t get in.  Wait, what?  Let that sink in.  If open = vulnerable then why does closed = vulnerable too?

How does all of this relate to business and enterprise?  Well, the same arguments exist in these realms.  IT firms that tout their loyalty to big brands frown on open source solutions, citing the same open source = open door philosophy.

Let’s look at Microsoft again as I think they clearly qualify for business or enterprise class.  Wouldn’t you say?  Read this tongue in cheek yet very informative and factual article about Microsoft and open source.  The article states that, “Since 2002 they’ve had their #F compiler under the Apache (an open source web server) license and in 2009 they released Linux Kernel drivers so Linux would perform better on their hyper-v platform…”  In fact, as early as 1999 they were using Unix Services (more open source) in Windows NT.  Microsoft is making these moves to position themselves better for cloud computing compatibility.

Speaking of cloud computing, do you think Microsoft’s other major cloud competitors Google and Amazon would build their infrastructure on Microsoft’s Windows platform?  Surely not.  Do you think they would build their infrastructure on an insecure and easily hacked platform either?  Again, surely not.  Then why do these 3 giants of technology trust open source if it is such a hazard?  The answer is simply that open source is not a threat to their businesses.  Neither is it a threat to yours!

Now we’ll get back to routers since that’s where this article began.  More specifically let’s talk about firewalls or Unified Threat Management (UTM) appliances as some like to call them.  Businesses should not simply use a router; they should be using a firewall to maximize protection.  But which one?  There are so many options and an expert for each that will swear their brand is the best.  Each of those experts will also say that an open source firewall or UTM is inferior because of its open nature.

This is what I meant earlier when I said that IT firms who are loyal to big brands like Cisco, WatchGuard, Dell SonicWall and others frown on open source solutions.  But the open source argument is silly because big brands all use open source in their appliances. These big names use open source code like ClamAV, Snort, BSD, Apache, OpenSSL and Linux kernels.  Read this article for more in-depth information.

So what’s the point?  First, as a business you should not be using consumer products you find on the shelf at a big box store or online.  You should be using a business class firewall.  Second, this expert says that a firewall or UTM is a commodity.  They all do the same tasks and, apparently, use a lot of the same methods and code!  So why pay more for the same thing?  For my clients I highly recommend and routinely implement an open source firewall solution called pfSense.  Not surprisingly it uses all of the technologies listed above and does the same job as the “big boys.”  Every instance of pfSense I have in operation is the Community Edition (gasp) because it’s free!  The client has to buy the hardware to run it on but the software and its functions are free.

Again I ask, why pay more?  The brands you’ve heard of all charge yearly ransoms, I mean fees, for updates and licenses to run the various functions of the firewall.  Not pfSense!  While there are features you can pay for (and paid support if you’d like) I have yet to need a licensed feature for pfSense.  Superpowers at no extra cost!

Please contact us if you would like to learn more about how open source can benefit your business!