Highlighted
New Member
Posts: 8
Registered: ‎04-21-2018
Kudos: 2

Updated USG Hardware - ARM Based - Improved IDS Performance

[ Edited ]

We have all read the rumours of a new UniFi USG; potentially based on ARM similiar to the new hardware that has been deployed for the Edge line.

 

Could we please get a potential ETA? Even if its an estimate?

 

The UniFi architecture is really nice; especially for the price. However; the USG is capped at 100-120 Mbit/sec with IDS on, the USG4 is capped at 250-350 Mbit/sec, and the cost for the USG-XG-8 is prohibative.

 

The other big issue is that the MIPS processor in the USG and USG Pro are not recommended for security products due to stack attacks via ELF.

 

Ubiquity is allegedly working on a replacement for the USG, and we need to plan for that day; we need communication.

 

I love your equipment, and either need to wait, disable IDS, deploy a PFsense IDS now, or consider another vendor. None of these options are appealing.

 

Please give us something to work with Man Happy

 

And thanks for the great work you've been doing.

 

P.S.

 

Could we confirm if MIPS security is an issue on the USG? If not; it mitigates the need to replace the USG somewhat.

 

Linux MIPS - A soft target: past, present, and future

https://cyber-itl.org/assets/papers/2018/Linux_MIPS_missing_foundations.pdf

 

Covered here:

 

Most home routers lack simple Linux OS hardening security

https://nakedsecurity.sophos.com/2018/12/20/most-home-routers-lack-simple-linux-os-hardening-securit...

 

Hopefully Addressed in this UniFi Forum Post:

USG Debian version End-of-life and other Security issues

https://community.ubnt.com/t5/UniFi-Routing-Switching/USG-Debian-version-End-of-life-and-other-Secur...

 

Thanks!

 

Karl

SuperUser
Posts: 6,141
Registered: ‎08-26-2009
Kudos: 1859
Solutions: 60

Re: Updated USG Hardware - ARM Based - Improved IDS Performance

The exploit mitigations those guys are talking about lacking with MIPS aren't much better with any other embedded Linux. Nobody wants to slow down their already slow embedded processors. Now you have Spectre mitigations like retpoline for ARM, and on the cutting edge, ROP guard compiler options (mainly targeting x86 right now). The embedded world is just avoiding these features completely.

 

Anyways, your main issue of improving IDS performance in these products relies on more vendors. Cavium made the accelerator features for the Octeon which is the heart of the Unifi IDS, the EdgeMax IDS, and many other products, such as Juniper SRX. Cavium is moving towards ARM now with the ThunderX.

 

The IDS speed today has much to do with Cavium's hardware acceleration features, not the CPU power, and the same would be true for ARM based chips. What you really want is a new and improved chipset in the UBNT product, don't confuse the rest of these issues with it!

SuperUser
Posts: 14,507
Registered: ‎12-08-2008
Kudos: 11286
Solutions: 693
Contributions: 1

Re: Updated USG Hardware - ARM Based - Improved IDS Performance

Check out the Dream Machine in the EA store - sold out right now, but is being talked about in the Forum.   ARM based, and should do 700Mb with IDS...

Jim

" How can anyone trust Scientists? If new evidence comes along, they change their minds! " Politician's joke (sort of...)
"Humans are allergic to change..They love to say, ‘We’ve always done it this way.’ I try to fight that. "Admiral Grace Hopper, USN, Computer Scientist
"It's not Rocket Science! - Oh wait, Actually it is... "NASA bumper sticker
"Just because you can do something doesn't mean you should."my mantra in the Programming classes I used to teach once upon a time...