I don’t love UniFi Threat Management and neither should you

When Ubiquiti put out the first Beta releases of IDS / IPS, I was surprised by the overall excitement of the enthusiast community. People were snatching up $2,000+ USG-XG-8s just to be able to use this feature without slowing down their WAN. Cheaper line-rate IDS / IPS has been a major force behind the UDM / UDM Pro hype train.

I am far less enthused about IDS / IPS specifically and UniFi Threat Management in general.

My core issue: It’s Free.

Free is not inherently bad. I use lots of things that are free. Ubiquiti is built on lots of things that are free — VyOS, Linux, OpenWRT, hostapd. But security is different. Security is a process, not a deliverable.

Look at how Ubiquiti is offering security. Did they produce an IDS / IPS product? No, it’s just Suricata. Are they employing an army of security professionals to discover new threats, analyze alerts from their customers, produce new signatures? No, they’re just passing along the free rulesets that any Suricata user has the ability to use. Is Ubiquiti adding any value to Suricata alerts, such as making them easier to interpret or correlate? Heck no.

There’s a saying that if you’re not the customer, you’re the product. Does that apply here? Also, no. Enabling UniFi’s IDS / IPS isn’t passing any value back to the Open Information Security Foundation, the Suricata project, or any of their sponsoring organizations.

My other issue: What Ubiquiti is providing isn’t particularly good.

IDS / IPS: Suricata is purely signature based, like an antivirus program from 30 years ago… only worse. Most signatures are simplistic, prone to false positives, and the alerts they generate do not provide much context to decide whether they warrant further investigation or can be ignored. I’m not positive about this, due to the minimal information provided, but I think many of the alerts I’ve received are for traffic that the firewall was going to drop anyway.

There are many things Ubiquiti could be doing to add value to Suricata alerts — pruning rulesets and providing more context would be a great start — but that would require substantial investment.
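To make the “more context” point concrete, here is an added example (my own illustration, not code from Ubiquiti, Suricata or the UniFi UI). Suricata writes one JSON object per line to eve.json; the field names below are the real EVE alert schema, but the records themselves, the LAN prefix and the inbound WAN policy (only TCP/443 forwarded) are constructed. Each alert is annotated with its flow direction and with whether the WAN policy would have dropped the packet anyway, which is exactly the context needed to tell inbound noise from something worth a look.

```python
"""Triage Suricata EVE alerts against a simple WAN firewall policy.

Added example, not code from the post, Ubiquiti or the Suricata project.
It reads eve.json-style alert records (real EVE field names, constructed
values), works out the flow direction relative to a constructed LAN prefix,
and checks whether a constructed inbound-WAN policy would have dropped the
packet before the alert ever mattered.
"""
import ipaddress
import json
from collections import Counter

# Constructed assumptions: our LAN prefix, and the only inbound WAN ports we forward.
LAN = ipaddress.ip_network("192.168.1.0/24")
WAN_INBOUND_ALLOWED = {"TCP": {443}, "UDP": set()}

# Constructed eve.json lines (one JSON object per line, as Suricata writes them).
SAMPLE_EVE_LINES = [
    json.dumps({
        "timestamp": "2020-05-01T10:00:00.000000+0000", "event_type": "alert",
        "src_ip": "203.0.113.10", "src_port": 51234, "dest_ip": "192.168.1.2",
        "dest_port": 23, "proto": "TCP",
        "alert": {"signature_id": 2000001, "signature": "CONSTRUCTED telnet probe", "severity": 2},
    }),
    json.dumps({
        "timestamp": "2020-05-01T10:00:01.000000+0000", "event_type": "alert",
        "src_ip": "192.168.1.20", "src_port": 40000, "dest_ip": "203.0.113.50",
        "dest_port": 443, "proto": "TCP",
        "alert": {"signature_id": 2000002, "signature": "CONSTRUCTED suspicious TLS SNI", "severity": 1},
    }),
    json.dumps({  # a non-alert record; eve.json mixes flow/dns/http events in
        "timestamp": "2020-05-01T10:00:02.000000+0000", "event_type": "flow",
        "src_ip": "192.168.1.20", "src_port": 40001, "dest_ip": "203.0.113.50",
        "dest_port": 443, "proto": "TCP",
    }),
]


def direction(src: str, dst: str) -> str:
    """Classify a flow relative to the LAN prefix."""
    src_lan = ipaddress.ip_address(src) in LAN
    dst_lan = ipaddress.ip_address(dst) in LAN
    if src_lan and dst_lan:
        return "internal"
    if dst_lan:
        return "inbound"
    if src_lan:
        return "outbound"
    return "transit"


def policy_would_drop(flow_dir: str, proto: str, dest_port: int) -> bool:
    """Model the WAN policy: inbound is dropped unless the port is forwarded;
    LAN-originated and internal traffic is allowed by default (constructed)."""
    if flow_dir != "inbound":
        return False
    return dest_port not in WAN_INBOUND_ALLOWED.get(proto.upper(), set())


def triage(lines):
    """Parse EVE lines and annotate each alert with direction and policy context."""
    results = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # skip flow/dns/http records
        flow_dir = direction(rec["src_ip"], rec["dest_ip"])
        dropped = policy_would_drop(flow_dir, rec["proto"], rec["dest_port"])
        results.append({
            "signature_id": rec["alert"]["signature_id"],
            "signature": rec["alert"]["signature"],
            "severity": rec["alert"]["severity"],
            "direction": flow_dir,
            "dropped_by_policy": dropped,
            # Inbound traffic the firewall drops anyway is tagged as noise so it
            # can be suppressed; everything else is left for a human to review.
            "disposition": "noise" if dropped else "review",
        })
    return results


def summarize(results) -> Counter:
    """Count dispositions so the ruleset's signal-to-noise ratio is visible."""
    return Counter(r["disposition"] for r in results)


if __name__ == "__main__":
    alerts = triage(SAMPLE_EVE_LINES)
    for r in alerts:
        print(f'{r["disposition"]:6} {r["direction"]:8} sid={r["signature_id"]} {r["signature"]}')
    print(dict(summarize(alerts)))
```

Run against a real eve.json (one line per record) the same loop works unchanged; the parts you would replace are the LAN prefix and the inbound policy, which should mirror the firewall’s actual port forwards.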

Zeek (Bro) is generally considered better than Suricata, in that it’s focussed on flagging anomalous traffic instead of depending on signatures, but turning that into a user-friendly solution also requires significant investment.

DNS Filtering: I’ve previously written about this. In short, they’ve delivered an extremely simplistic filtering solution that depends on redirecting DNS traffic to an undisclosed 3rd-party. The manner in which they’ve implemented filtering is unsuitable for a broad range of common DNS scenarios, and they’ve provided zero control beyond choosing from the 3rd-party’s three filtering options.

It’s not worth using. Use Pi-hole and / or OpenDNS at home. Subscribe to Cisco Umbrella for business filtering.

Network Scanners: The Endpoint Scanner is basically a point-in-time nmap. No history, no correlation with UniFi’s Client History data. The Internal Honeypot is also extremely simplistic — it seems to alert simply on connection attempts to particular ports.
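As an added example of what “history” and “correlation” would look like (my own illustration, not the Endpoint Scanner’s or Ubiquiti’s code), the block below diffs two constructed point-in-time scan snapshots (host → open TCP ports) against each other and against a constructed client inventory, so a newly opened port or a host nobody has recorded stands out instead of being lost in a fresh, context-free list.

```python
"""Keep history for point-in-time scans and diff them.

Added example, not the post's or Ubiquiti's code. The snapshots, the
inventory and the hostnames are all constructed. A scanner that only shows
"right now" cannot answer "what changed since last time?"; two snapshots and
a diff can.
"""
from dataclasses import dataclass, field

# Constructed snapshots: what a port scan of the LAN found at two points in time.
SCAN_MONDAY = {
    "192.168.1.10": {22, 80},
    "192.168.1.11": {443},
}
SCAN_TUESDAY = {
    "192.168.1.10": {22, 80, 3389},   # RDP appeared on a host that had none
    "192.168.1.12": {23},             # a host not seen on Monday, telnet open
}

# Constructed client inventory, the kind of data a controller already holds.
KNOWN_CLIENTS = {
    "192.168.1.10": "nas",
    "192.168.1.11": "printer",
}


@dataclass
class ScanDiff:
    new_hosts: set = field(default_factory=set)
    gone_hosts: set = field(default_factory=set)
    opened: set = field(default_factory=set)         # (host, port) newly open
    closed: set = field(default_factory=set)         # (host, port) no longer open
    unknown_hosts: set = field(default_factory=set)  # in scan, not in inventory


def diff_scans(old: dict, new: dict, inventory: dict) -> ScanDiff:
    """Compare two snapshots and flag hosts the inventory does not know about."""
    d = ScanDiff()
    d.new_hosts = set(new) - set(old)
    d.gone_hosts = set(old) - set(new)
    for host in set(old) & set(new):
        for port in new[host] - old[host]:
            d.opened.add((host, port))
        for port in old[host] - new[host]:
            d.closed.add((host, port))
    # Ports on brand-new hosts count as newly opened too.
    for host in d.new_hosts:
        for port in new[host]:
            d.opened.add((host, port))
    d.unknown_hosts = {h for h in new if h not in inventory}
    return d


def findings(d: ScanDiff, inventory: dict) -> list:
    """Render the diff as review items, naming known hosts by their inventory label."""
    def label(host: str) -> str:
        return f"{host} ({inventory.get(host, 'UNKNOWN')})"

    items = []
    for host, port in sorted(d.opened):
        items.append(f"newly open: {label(host)} tcp/{port}")
    for host, port in sorted(d.closed):
        items.append(f"closed: {label(host)} tcp/{port}")
    for host in sorted(d.gone_hosts):
        items.append(f"host gone: {label(host)}")
    for host in sorted(d.unknown_hosts):
        items.append(f"not in inventory: {host}")
    return items


if __name__ == "__main__":
    for item in findings(diff_scans(SCAN_MONDAY, SCAN_TUESDAY, KNOWN_CLIENTS), KNOWN_CLIENTS):
        print(item)
```

The snapshot format is deliberately the simplest thing an nmap run can be reduced to; persisting each run (a JSON file per day is enough) and diffing consecutive ones turns a point-in-time scanner into the change-tracking tool the post is asking for.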

GeoIP Filtering: Hey, it does exactly what’s expected! I wish it did more tho. In particular, I might like to drop traffic from some countries to particular ports (VPN-related) but not others (HTTP / HTTPS).

IP Reputation: Tor blocking and Restrict Access to Malicious IP Addresses do what they say, tho again, it’s unclear what the information source is and if 3rd-party disclosures are involved.

Missing Features: Competing Unified Threat Management solutions generally have features that Ubiquiti isn’t (yet) providing: A/V scanning, HTTP / HTTPS interception, email filtering, data loss (PII / PHI exfiltration) protection, integration with Network Access Protection / Network Access Control systems, and more.

At some level it’s great that Ubiquiti is making security tooling available to users with less technical expertise or budget. What’s not great is that those are the demographics who will read the marketing and believe they’re getting much more than is actually being provided.

2 thoughts on “I don’t love UniFi Threat Management and neither should you”

  1. I feel that this is a bit of a “glass half empty” look at the UDM. If you are a big business and expecting a product without yearly fees to do everything that a product with yearly fees will do, you will be disappointed. Here is an alternate look at the Unifi Dream Machine Pro from another perspective. Features without yearly costs that you can’t find on other firewalls readily available to the home and small business community. On the standard home and small business routers where you aren’t paying a yearly fee like Linksys, Netgear, Trendnet, etc., they either don’t have IDS, IPS, category filtering, etc. or on some of the higher end versions they have subscription fees. With the ISP provided firewalls, you usually get a complete “black box” where you check the “protect me” box and trust that it’s doing everything you need. Neither of these is an acceptable situation; the UDM Pro gives some basic protection out of the box that is “no additional charge” and can be customized with paid 3rd party products like Cleanbrowsing or Cloudflare. Is the basic set of functions perfect? No. Are they good? Yes. Don’t get me wrong, this is a good technical review comparing the UDM to features you will find in a firewall where you pay triple that in yearly fees. However, it’s not a balanced review of the product. Would I rather have a SonicWall TZ series firewall at home? Yes. Am I willing to pay $1,200+ a year for the Advanced support contract? No. I’ve only had my UDM Pro for about a week and really like it. Managing your Unifi equipment is a breeze, setting up VLANs is easy, setting up secure VLANs with limited access is easy, setting up guest networks is easy, enabling security features is a check-box, monitoring is easy, and the speed is as good or better than any other router I’ve seen in this price range (i.e. about $400). All of that said, this is probably not for your average consumer who happily goes through a Linksys setup wizard selecting all defaults as this device with all of its functionality is a bit more complicated than your average <$200 home router. For a budget conscious mid-range firewall, the UDM Pro is an excellent choice.

    • I feel that this is a bit of a “glass half empty” look at the UDM.

      Well, this wasn’t a look at the UDM. It was a look at what UniFi Threat Management offers and why I believe there’s no value to be found in using it. Actually, I think it’s straight-up harmful, as people will turn up all the knobs believing they’ve created “security” without understanding what they’re (not) getting. Network-based IDS/IPS, in particular, has become more useless by the day as the amount of unencrypted traffic it can inspect approaches zero.

      I’m still running UniFi in both my homes. I still don’t turn any of those features on. I use CloudFlare for my exposed services, fully appreciating that my free tier plan doesn’t provide much security in WAF terms, but I do use my limited number of free custom rules for GeoIP blocking and some other low-hanging fruit. I use Pi-hole and OpenDNS and our kids’ devices are additionally filtered by a Circle. I’m messing with SIEMs. I’m on the prowl for home-affordable endpoint protection solutions that aren’t junk — I used to pay for Sophos Home Premium but threw in the towel years ago because it was too resource heavy and I found too many instances of “Something isn’t working, no events are showing in the central management, but disabling Sophos solves the problem.”

      In the consumer router space, IDS/IPS was prevalent long before Ubiquiti started offering it. And it’s dumb for mostly the same reasons, however, they are generally using rulesets sourced from actual security vendors under commercial terms. Most can tick more network security boxes than UniFi. Netgear, I’ve noticed, includes endpoint protection software in their subscription suite — IDK if it’s any good, but it’s meaningful that a consumer-oriented product line has recognized that network-based security is no longer enough and stepped up to fill the gap.
