So let's talk real quick about firewalls. This question comes up a lot; people always ask me, "Is this firewall good? Is that firewall good?" The reality is they are all going to need patches. There's always going to be something they find that causes a problem, that causes you to be patched, so you have to make sure it's up to date. That's one of the first rules about any firewall you get. But you have the ones you can find at maybe a retail store, like the Netgears and Linksys, and then you have your more commercial ones like, let's say, Cisco, Juniper or Fortinet. And the question is a big, almost religious-style debate of who has the best firewall. I always kind of lean towards believing that open source firewalls make for better firewalls, because hiding things doesn't work, and that's one of the problems a lot of these companies have: they don't have a good grasp on code auditing. I would guess someone thought it was a good idea to hard-code a password, and that happens way more often than it should in 2017. We'll run down some of the issues here.

So here's the Netgear here: "Nasty unpatched vulnerability exposes Netgear routers to easy hacking." So there's a vulnerability for it, and it turns out it doesn't require any authentication, and people turn these into, of course, botnets. Which means, from the time the problem occurred, all these people that have these installed, and lots of small businesses, are very at risk for this. Their routers got turned into botnets because generally they have their friend install it; they're not managed, not managed by any type of security company, and they're not being audited to make sure that they have a firewall that is properly patched. Therefore they become part of the giant botnet, and lots of home users are vulnerable to this as well. Because these companies, I am not sure what they were thinking or not thinking. Security is hard. I'm not a security expert in terms of writing code, but some things seem obvious and some best practices should be followed.

And now, recently, we have Arris. This is September of 2017 and we just found out that Arris has been hard-coding some passwords in there. So apparently, with a lot of the Arris cable modems provided by lots of the cable providers, the default user "remotessh" and "5SaP9I26" was a valid username/password combination hard-coded into these, and hopefully they have a firmware update by now that gets these fixed, but they found three backdoors in these things. Any time these companies, any time someone stops and goes "let's hard-code a password into our device," you're asking for trouble. You're asking for a device that is, you know, security through obscurity: horrible idea. It's 2017. We've got to stop that practice. So I don't know what came through their heads about this, but here's the other side of it. Here's Fortinet, a definitely commercial one. You're not going to find this on a shelf at Best Buy. Fortinet makes a commercial firewall; that's a very popular one. It's a strong firewall, but they hard-coded a password as well. I do like the fact that it's a higher-entropy password, so it is a lot longer than your usual, at "FGTAbc11*xy+Qqz27". Okay, we got a better password, and the username is "Fortimanager_Access". But why is it hard-coded in there? This is just a horrible idea.

The good news is Fortinet, after it was disclosed to them, someone was able to get a patch out after it was properly disclosed, and apparently builds between 2012 and 2014 contained this. Now unfortunately there's probably some IT administrator that is overburdened with his office and has not updated his Fortinet from 2014, and this vulnerability still persists. Now hopefully they don't have SSH open to the public, but some of them do, because they say "I just want to be able to work on it from home." So you have a compounding problem of security: first Fortinet decided to put a backdoor in there for convenience, and then for convenience again you probably have some IT administrator going "I just want to work on it from home, I don't want to VPN in and then get into it." So a couple of lapses in security and we have a major problem. But they're not alone. Here's Juniper firewalls, and they found that they had a backdoor open since 2012, and you'll see this was published in 2015, so it's been a little while, but they released a series of patches as well. But back to why did they hard-code this. And this is what it comes down to with the firewalls: you really need good support, and then you need someone applying the patches that support puts out. These are things you can think about with security now. Firewalls aren't the only way security breaches happen; matter of fact, the majority of security breaches are not from the firewall but from the users clicking on something on the other side of the firewall. But it's still really important, because when a vulnerability is found, it is very quickly turned into an automated task that bots run around and install things with. So this has to come into your thought: if this attack occurs, it escalates very quickly, as it did here with the Netgear, and turns them into botnets that go around attacking more Netgears with these default usernames and passwords. This is one of the reasons I'm such an advocate for open source security. I do not believe in security through obscurity. I believe in best practice.

I'm partial to pfSense because I've used it a lot; we deployed a lot for clients. It works really well, but they're not the only open source company out there making good firewalls. I think more of these firewall companies should be open source, though, because having people look at your code, security practices such as hard-coding a password for convenience are not accepted in the open source world. Any major open source product, especially one like pfSense, has gone through code audits. They will not allow something like that. They just know it would be embarrassing to have a submission that goes "we're changing this, and we decided to hard-code a password to make life easier for you." That won't fly. I don't know why it flies in some of these other companies, or who thinks that's a good idea. But when you start developing things in a bubble, in your own bubble of thinking, "I'm just going to use a really complicated password, that way any time we have to do testing, you know, it's conveniently there"... yeah, that won't fly in the open source world. That's one of the reasons I'm such an advocate for open source firewalls, pfSense and many others. So I just want to share those thoughts on security.

The good news is most of these vulnerabilities, you know, have been mitigated, but stop and think, and stop and patch, if you're using one of these consumer firewalls especially, or if you're using the firewall provided by your cable provider. Yeah, what makes it even scarier with them is sometimes they apply their own updates and changes to the firewall. We ran into that with some of the little Comcast ones forcing the management port open on their firewalls. They don't do that now, but on some of the older models that was discovered; not a vulnerability, but it was an annoyance, because you can't pass PCI compliance with it forced open, and Comcast said it was for management purposes. But most of these firewalls, or firewall/modem combination kits that you get from places like your cable provider, can be put in bridge mode, which is what we do for our clients: bridge them over to a better firewall. So this is less of an issue when we're not relying on the hope that they update the firmware on their system if a vulnerability is found. The goal is to keep everyone protected, but you know my opinion, back to open source: that's kind of the way to go with this. But no matter which one you go with, please keep it patched, keep it updated and keep an eye on those updates. They are very important.

So that's my little morning thoughts on firewalls here as I'm running through and looking at, seeing these vulnerabilities in these Arris modems and deciding what needs to be done about them, you know, because we have a few clients with them. I just wanted to share my thoughts on firewalls in general and my constant dumbfoundedness every time I find out another hard-coded password was put in, because these companies apparently think that's a good idea. I mean, here in September 2017 we should not be hard-coding passwords, because someone will find them; the internet's big and leaks go fast. So if you like the content here, like and subscribe. Just wanted to share that with you guys, and, uh, thanks a lot.