UniFi Disappointment Router?

The UniFi fanbois were aflutter when Ubiquiti released this video promoting an upcoming UniFi Dream Router:

It sounded like a substantial upgrade to the UniFi Dream Machine: WiFi 6, two ports of PoE, 128GB SSD, an SD slot for storage expansion, and the ability to run Protect and other Ubiquiti controllers that haven’t been available to UDM users due to the lack of storage.

Then it hit the Early Access store for $79. Huh?

Turns out it’s based on MediaTek’s MT7622 platform: two Cortex-A53 cores at 1.35 GHz versus the four Cortex-A57 cores at 1.7 GHz in the UDM. It’s not a Better UDM; it looks more like a move to bring the “UniFi Dream” vision to the entry-level consumer browsing the shelves at Best Buy.

At the software level, like the UDM Pro SE and UXG Pro that still remain trapped in Early Access, the UDR runs on Debian 9 and ditches the mutant Debian unifi-os container that the UDM and UDM Pro host under podman. Hopefully that brings a significant reduction in CPU utilization, because my own UDM Pro typically sits at 30-40% just running Talk and Network without IPS/IDS, and I’d expect that to translate to 75-100% on the UDR’s CPU.

Early reports are that the boot process takes upwards of four minutes, LAN-to-WAN routing maxes out around 800 Mb/s unidirectional, and enabling IPS/IDS drops that to around 500 Mb/s. I don’t think the routing performance is a significant concern for people who’d buy this product at $79 (or $159), but hopefully there’s more optimization to be had, because line-rate gigabit ought to be table stakes in 2021.

Where I do think Ubiquiti has missed the mark is on the storage and promoting the UDR as running the full suite of UniFi controllers.

SD cards have a well-deserved bad reputation for reliability. These days there are many cards rated for continuous usage in NVRs but the Average Joe is going to buy the cheapest card on the shelves and there’s the longstanding problem of avoiding counterfeit cards.
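One practical defence against a counterfeit card is to fill it and read it back, the way tools such as f3 or h2testw do. The script below is an added example (not from the original post): every block is filled with content derived from its own index, the file is fsynced, and then every block is compared against what should be there. A card that silently wraps or drops writes beyond its real capacity fails on the high-numbered blocks. The file path and sizes are the caller’s choice; nothing here is UniFi-specific.

```python
"""Capacity and write-integrity check for a removable card (the f3/h2testw idea).

Added example, not from the original post. It fills a file on the card with
blocks whose content is derived from the block index, syncs, then reads them
back. A counterfeit card that wraps or silently drops writes beyond its real
capacity fails verification on the high-numbered blocks.
"""
import hashlib
import os
from typing import List


def block_pattern(index: int, block_size: int) -> bytes:
    """Deterministic, incompressible content unique to block `index`."""
    return hashlib.shake_256(index.to_bytes(8, "big")).digest(block_size)


def write_pattern(path: str, total_bytes: int, block_size: int = 1 << 20) -> int:
    """Write pattern blocks to `path` until `total_bytes` is reached.

    Returns the number of blocks written. fsync pushes the data past the page
    cache so a card that drops writes cannot hide behind RAM.
    """
    blocks = total_bytes // block_size
    with open(path, "wb") as fh:
        for i in range(blocks):
            fh.write(block_pattern(i, block_size))
        fh.flush()
        os.fsync(fh.fileno())
    return blocks


def verify_pattern(path: str, blocks: int, block_size: int = 1 << 20) -> List[int]:
    """Return the indices of blocks whose content no longer matches the pattern."""
    bad = []
    with open(path, "rb") as fh:
        for i in range(blocks):
            if fh.read(block_size) != block_pattern(i, block_size):
                bad.append(i)
    return bad


if __name__ == "__main__":
    import sys
    # Usage (path and size are assumptions): python card_check.py /media/card/fill.bin 30000000000
    path, size = sys.argv[1], int(sys.argv[2])
    n = write_pattern(path, size)
    bad = verify_pattern(path, n)
    print(f"{n} blocks written, {len(bad)} bad; first bad blocks: {bad[:10]}")
```

Run it with a size close to the advertised capacity. Because the read-back can be satisfied from the page cache, either unmount and remount the card between the write and the verify or write more than the host has RAM; otherwise a card that never stored the data can still pass.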

They could have made the M.2 socket easily accessible for upgrades, though it’s understandable that they wouldn’t. For the target audience, external USB storage would be the best option and the MT7622 does provide a USB 3.0 host.

On the controller front, given the relatively low-performance CPU and 2GB RAM, promoting this device as running every UniFi controller just seems unwise. The Access and Connect markets shouldn’t be bothered by needing a $379 UDM Pro or $199 CloudKey Gen2 Plus, and while Talk on the UDR potentially has an interesting use case as a teleworker gateway, especially with the direction UID appears to be headed, at the moment Talk is a long way from being suitable for that purpose.


Longer-term, Ubiquiti needs to free these devices from the constraint of being locked to their on-board Network controller. The entry-level buyer whose needs eventually push them to a higher-level “UniFi Dream” router will be left with an attractive piece of e-waste because the onboard AP and switch can’t be adopted to their new UniFi Network controller.

I don’t love UniFi Threat Management and neither should you

When Ubiquiti put out the first Beta releases of IDS / IPS, I was surprised by the overall excitement of the enthusiast community. People were snatching up $2,000+ USG-XG-8s just to be able to use this feature without slowing down their WAN. Cheaper line-rate IDS / IPS has been a major force behind the UDM / UDM Pro hype train.

I am far less enthused, about IDS / IPS specifically and about UniFi Threat Management in general.

My core issue: It’s Free.

Free is not inherently bad. I use lots of things that are free. Ubiquiti is built on lots of things that are free — VyOS, Linux, OpenWRT, hostapd. But security is different. Security is a process, not a deliverable.

Look at how Ubiquiti is offering security. Did they produce an IDS / IPS product? No, it’s just Suricata. Are they employing an army of security professionals to discover new threats, analyze alerts from their customers, produce new signatures? No, they’re just passing along the free rulesets that any Suricata user has the ability to use. Is Ubiquiti adding any value to Suricata alerts, such as making them easier to interpret or correlate? Heck no.

There’s a saying that If you’re not the customer, you’re the product. Does that apply here? Also, no. Enabling UniFi’s IDS/IPS isn’t passing any value back to the Open Information Security Foundation, the Suricata project, or any of their sponsoring organizations.

My other issue: What Ubiquiti is providing isn’t particularly good.

IDS / IPS: Suricata is primarily signature based, like an antivirus program from 30 years ago… only worse. Most signatures are simplistic, prone to false positives, and the alerts they generate provide little context for deciding whether they warrant further investigation or can be ignored. I’m not positive about this, due to the minimal information provided, but I think many of the alerts I’ve received are for traffic that the firewall was going to drop anyway.

There are many things Ubiquiti could be doing to add value to Suricata alerts — pruning rulesets and providing more context would be a great start — but that would require substantial investment.
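The two points above (alerts with no context, and rulesets that need pruning) can be tackled outside the controller by reading Suricata’s eve.json log directly. The script below is an added example, not code from the original post, Ubiquiti or the Suricata project: it classifies each alert by whether the flow originated on the LAN, hit a service that is deliberately exposed on the WAN, or was unsolicited inbound traffic to a port the default-deny WAN rule drops anyway, and it counts which signatures only ever fire in that last bucket, which are the obvious candidates for a disable list. The LAN prefix, the exposed service and the eve.json records are constructed assumptions.

```python
"""Triage Suricata eve.json alerts against the firewall's inbound policy.

Added example, not from the original post, Ubiquiti or Suricata. The network
layout (LAN prefix, exposed services) and the sample records are assumptions
constructed for the demo; field names follow Suricata's eve format.
"""
import ipaddress
import json
from collections import Counter

# Assumed layout: one LAN prefix; the only service reachable from the WAN is
# a WireGuard listener on UDP/51820.
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]
EXPOSED_INBOUND = {("UDP", 51820)}

# Constructed sample eve.json lines (signature ids and names are made up).
SAMPLE_EVE = r"""
{"timestamp":"2021-11-01T10:00:01.000000+0000","event_type":"alert","src_ip":"198.51.100.7","src_port":54321,"dest_ip":"203.0.113.10","dest_port":23,"proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"signature":"DEMO SCAN Telnet probe","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2021-11-01T10:00:02.000000+0000","event_type":"alert","src_ip":"198.51.100.9","src_port":40000,"dest_ip":"203.0.113.10","dest_port":51820,"proto":"UDP","alert":{"action":"allowed","signature_id":9000002,"signature":"DEMO VPN handshake from unlisted peer","category":"Misc activity","severity":3}}
{"timestamp":"2021-11-01T10:00:03.000000+0000","event_type":"alert","src_ip":"192.168.1.50","src_port":51000,"dest_ip":"198.51.100.200","dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature_id":9000003,"signature":"DEMO TROJAN Known C2 TLS SNI","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2021-11-01T10:00:04.000000+0000","event_type":"flow","src_ip":"192.168.1.50","dest_ip":"192.168.1.1","proto":"UDP"}
{"timestamp":"2021-11-01T10:00:05.000000+0000","event_type":"alert","src_ip":"198.51.100.7","src_port":54322,"dest_ip":"203.0.113.10","dest_port":22,"proto":"TCP","alert":{"action":"blocked","signature_id":9000004,"signature":"DEMO SCAN SSH probe","category":"Attempted Information Leak","severity":2}}
""".strip()


def in_lan(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def triage(ev: dict) -> str:
    """Classify one alert by where the flow originated and what the firewall would do."""
    src_lan, dst_lan = in_lan(ev["src_ip"]), in_lan(ev["dest_ip"])
    if src_lan and dst_lan:
        return "lan-internal"
    if src_lan:
        # A LAN host initiated this; the firewall lets it out by default, so
        # this is the bucket worth reading first.
        return "outbound-from-lan"
    if (ev["proto"].upper(), ev.get("dest_port")) in EXPOSED_INBOUND:
        return "inbound-to-exposed-service"
    # Unsolicited inbound to a port nothing is exposed on: the WAN default-deny
    # rule drops it regardless of IDS, so the alert adds nothing actionable.
    return "inbound-default-deny"


def triage_eve(text: str):
    """Parse eve.json lines, keep alerts, return (rows, noisy_signature_counter)."""
    rows, noisy = [], Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        bucket = triage(ev)
        rows.append({
            "time": ev["timestamp"],
            "sid": ev["alert"]["signature_id"],
            "signature": ev["alert"]["signature"],
            "action": ev["alert"]["action"],
            "flow": f'{ev["src_ip"]}:{ev.get("src_port")} -> {ev["dest_ip"]}:{ev.get("dest_port")}/{ev["proto"]}',
            "triage": bucket,
        })
        if bucket == "inbound-default-deny":
            noisy[ev["alert"]["signature_id"]] += 1
    return rows, noisy


if __name__ == "__main__":
    rows, noisy = triage_eve(SAMPLE_EVE)
    for r in sorted(rows, key=lambda r: r["triage"]):
        print(f'{r["triage"]:<28} sid={r["sid"]} action={r["action"]:<8} {r["flow"]}  {r["signature"]}')
    print("disable candidates (only fire on traffic default-deny drops anyway):", noisy.most_common())
```

The signature ids that only ever land in the default-deny bucket can go straight into a suricata-update disable list; the outbound bucket is the one that deserves a human, because a signature firing on a connection a LAN host initiated is the closest thing Suricata offers to evidence of a compromised device.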

Zeek (formerly Bro) is generally considered the better foundation, in that it focuses on logging protocol activity and flagging anomalous behaviour instead of depending on signatures, but turning that into a user-friendly solution also requires significant investment.

DNS Filtering: I’ve previously written about this. In short, they’ve delivered an extremely simplistic filtering solution that depends on redirecting DNS traffic to an undisclosed 3rd-party. The manner in which they’ve implemented filtering is unsuitable for a broad range of common DNS scenarios, and they’ve provided zero control beyond choosing from the 3rd-party’s three filtering options.

It’s not worth using. Use PiHole and / or OpenDNS at home. Subscribe to Cisco Umbrella for business filtering.

Network Scanners: The Endpoint Scanner is basically a point-in-time nmap. No history, no correlation with UniFi’s Client History data. The Internal Honeypot is also extremely simplistic — it seems to alert simply on connection attempts to particular ports.
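The missing piece in a point-in-time scanner is the diff between runs. The script below is an added example (not from the original post or from UniFi): it parses nmap’s greppable output (`nmap -oG`) from two runs and reports hosts that appeared or vanished and ports that opened or closed in between, which is the minimum a scanner needs before “history” means anything. The two snapshots are constructed.

```python
"""Turn point-in-time nmap output into scan history by diffing two snapshots.

Added example, not from the original post or from UniFi. Input is nmap's
greppable format (nmap -oG); the two snapshots below are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

Ports = Set[Tuple[int, str]]

SCAN_DAY1 = (
    "# Nmap 7.92 scan initiated as: nmap -oG - 192.168.1.0/24\n"
    "Host: 192.168.1.1 (udm.lan)\tStatus: Up\n"
    "Host: 192.168.1.1 (udm.lan)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)\n"
    "Host: 192.168.1.10 (nas.lan)\tStatus: Up\n"
    "Host: 192.168.1.10 (nas.lan)\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)\n"
    "# Nmap done\n"
)

SCAN_DAY2 = (
    "# Nmap 7.92 scan initiated as: nmap -oG - 192.168.1.0/24\n"
    "Host: 192.168.1.1 (udm.lan)\tStatus: Up\n"
    "Host: 192.168.1.1 (udm.lan)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)\n"
    "Host: 192.168.1.10 (nas.lan)\tStatus: Up\n"
    "Host: 192.168.1.10 (nas.lan)\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///, 5900/open/tcp//vnc///\tIgnored State: closed (997)\n"
    "Host: 192.168.1.77 ()\tStatus: Up\n"
    "Host: 192.168.1.77 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (999)\n"
    "# Nmap done\n"
)

PORTS_RE = re.compile(r"Ports:\s*([^\t]*)")


def parse_grepable(text: str) -> Dict[str, Ports]:
    """Map each host that was up to its set of (port, proto) in state 'open'."""
    hosts: Dict[str, Ports] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        hosts.setdefault(ip, set())
        m = PORTS_RE.search(line)
        if not m:
            continue
        for entry in m.group(1).split(","):
            # greppable entry layout: port/state/proto/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open":
                hosts[ip].add((int(fields[0]), fields[2]))
    return hosts


def diff_scans(old: Dict[str, Ports], new: Dict[str, Ports]) -> dict:
    """Report host and open-port changes between two parsed snapshots."""
    report: dict = {
        "new_hosts": sorted(set(new) - set(old)),
        "gone_hosts": sorted(set(old) - set(new)),
        "opened": {},
        "closed": {},
    }
    for ip in set(old) & set(new):
        opened: List[Tuple[int, str]] = sorted(new[ip] - old[ip])
        closed: List[Tuple[int, str]] = sorted(old[ip] - new[ip])
        if opened:
            report["opened"][ip] = opened
        if closed:
            report["closed"][ip] = closed
    return report


if __name__ == "__main__":
    report = diff_scans(parse_grepable(SCAN_DAY1), parse_grepable(SCAN_DAY2))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Keeping one greppable file per run and diffing consecutive pairs gives you the history the Endpoint Scanner lacks; joining the host keys against the controller’s client list (by IP or DHCP lease) would supply the correlation it also lacks.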

GeoIP Filtering: Hey, it does exactly what’s expected! I wish it did more, though. In particular, I might like to drop traffic from some countries to particular ports (VPN-related) but not others (HTTP / HTTPS).
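A per-port GeoIP policy is easy to express once you have country-to-prefix data; the block below is an added example, not from the original post or from UniFi. It evaluates a first-match rule list (drop two countries on the VPN and SSH ports, leave HTTP/HTTPS open to everyone) and renders the same policy as an nftables fragment using one named set per country. The prefix table is a constructed stand-in for a real GeoIP database (documentation prefixes mapped to the user-assigned codes XA/XB/XC), and the rule list, table and set names are assumptions.

```python
"""Per-port GeoIP policy: drop selected countries on VPN/management ports only.

Added example, not from the original post or UniFi. GEOIP is a constructed
stand-in for a real GeoIP database; RULES and the nftables names are
assumptions.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

GEOIP: Dict[str, List[str]] = {
    "XA": ["198.51.100.0/24"],
    "XB": ["203.0.113.0/25", "203.0.113.128/25"],
    "XC": ["192.0.2.0/24"],
}

# First match wins; anything unmatched is accepted. HTTP/HTTPS have no rule,
# so they stay reachable from every country.
RULES = [
    {"countries": {"XA", "XB"}, "proto": "udp", "ports": {51820, 1194}, "action": "drop"},
    {"countries": {"XA", "XB"}, "proto": "tcp", "ports": {22}, "action": "drop"},
]

_NETS = [(ipaddress.ip_network(p), cc) for cc, prefixes in GEOIP.items() for p in prefixes]


def country_of(ip: str) -> Optional[str]:
    """Longest-prefix match of `ip` against the GeoIP table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, str]] = None
    for net, cc in _NETS:
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, cc)
    return best[1] if best else None


def decide(src_ip: str, proto: str, dport: int) -> Tuple[str, Optional[int]]:
    """Return (action, index of matching rule) for an inbound packet."""
    cc = country_of(src_ip)
    for i, rule in enumerate(RULES):
        if cc in rule["countries"] and proto.lower() == rule["proto"] and dport in rule["ports"]:
            return rule["action"], i
    return "accept", None


def render_nft(table: str = "geo", chain: str = "wan_in") -> str:
    """Emit an nftables fragment equivalent to RULES (one rule per country)."""
    out = [f"table inet {table} {{"]
    for cc, prefixes in GEOIP.items():
        out.append(f"    set geo_{cc} {{ type ipv4_addr; flags interval; "
                   f"elements = {{ {', '.join(prefixes)} }} }}")
    out.append(f"    chain {chain} {{")
    out.append("        type filter hook input priority 0; policy accept;")
    for rule in RULES:
        ports = ", ".join(str(p) for p in sorted(rule["ports"]))
        for cc in sorted(rule["countries"]):
            out.append(f"        ip saddr @geo_{cc} {rule['proto']} dport {{ {ports} }} {rule['action']}")
    out.append("    }")
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    for pkt in [("198.51.100.5", "udp", 51820), ("198.51.100.5", "tcp", 443), ("192.0.2.9", "udp", 51820)]:
        print(pkt, "->", decide(*pkt))
    print(render_nft())
```

The rendered chain hooks `input`, which covers listeners on the router itself (the VPN case above); services port-forwarded to LAN hosts need the same rules on a `forward` hook chain. Country sets should be refreshed from the GeoIP source on a schedule, since allocations move.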

IP Reputation: Tor blocking and Restrict Access to Malicious IP Addresses do what they say, though again it’s unclear what the information source is and whether 3rd-party disclosures are involved.

Missing Features: Competing Unified Threat Management solutions generally have features that Ubiquiti isn’t (yet) providing: A/V scanning, HTTP / HTTPS interception, email filtering, data loss (PII / PHI exfiltration) protection, integration with Network Access Protection / Network Access Control systems, and more.

At some level it’s great that Ubiquiti is making security tooling available to users with less technical expertise or budget. What’s not great is those are the demographics who will read the marketing and believe they’re getting much more than is actually being provided.