Another confused product from UniFi. Is it targeting home users or businesses? It looks like businesses from their web page yet feels very much like a better fit for home.
It only runs UniFi Network, so you have to buy more things, that also run UniFi Network, to get into any of their other products like Protect.
I like their stuff but lately a lot of their stuff feels just confused to me, like they don't know what they want to be.
I bought into their unifi ecosystem years ago. Separate devices, prosumer pricing, features and quality, single pane of glass.
... And I haven't upgraded anything since. Their new products are totally undirected, they aren't making items that are obvious and needed. Their software is falling behind and they just don't care.
Case in point: the USG Pro 4 is years old but they haven't released an updated affordable just-the-border device. Their new stuff like the Dream Machine, and now this, just isn't the right thing to replace what was there before. The VPN on there doesn't work with recent Android or iPhone, and they just don't care.
Adding even the most basic firewall rules is hard. The single pane of glass got a major interface overhaul, and they added a huge amount of hard-to-turn-off phone-home crap at the same time. Enshittification reigns supreme.
And don't forget other runty hardware like the poe ceiling lights and doorbell.
The company just needs to buckle down, make good stuff, fire the product astronauts, fix obvious major problems before adding pointless new features.
... Suffice to say, my next hardware refresh almost certainly won't be from this company.
I don't disagree, but since buying the UDM-Pro years ago, I feel like the software has gotten great. And recently, they've baked in Wireguard replacing L2TP.
Personally, I'd like to see more prosumer devices that support 2.5GbE/10GbE.
People always raise WireGuard as the end-all of VPN and yet it's 2023 and there's virtually no way to deploy it in a business context.
Intune doesn't even list it as a supported VPN, and everything I see to deploy it suggests some kind of hack to bypass UAC for one specific app because the end-user software requires Admin permissions to start up and hook.
When we use L2TP with UDM Pro we get ~0.1Mbps across the wire from macOS and ~20Mbps across the wire with Windows, and yet the same VPN server running on a MikroTik will easily achieve ~300Mbps. L2TP is so easy to deploy... it's built into Windows and macOS. I wish they would just stop telling everyone to switch to WG and fix the performance issue that is clearly UniFi specific.
NB we are a business and our average spend for Unifi is $50K per year so we have a right to complain.
Isn't it normal that changing the destination of all of a system's network traffic would require admin permissions? Why does that make you think it's a hack?
It's completely reasonable that it requires admin permissions, but what I'm saying is that the other protocols (i.e. L2TP) that are built into macOS/Windows and mobile devices are integrated in such a way that they do not.
Most businesses never give their users admin permissions because it's a security can-of-worms, so for UniFi to push WireGuard for business doesn't make much sense. Happy for someone to point me at a turnkey WireGuard solution that just works with Intune.
> Intune doesn't even list it as a supported VPN, and everything I see to deploy it suggests some kind of hack to bypass UAC for one specific app because the end-user software requires Admin permissions to start up and hook.
L2TP performance issues aside, I don't see how it's UniFi's fault that Microsoft's ecosystem is poor. I don't have many positive things to say about Intune.
Barely can break 350Mbps with IDS and IPS enabled and starts getting buffer overload. I'm pretty sure MikroTik had a faster router a few years before the USG 4 hit the market for about the same price.
What UniFi sold people on was cloud-managed easy config and it just started working somewhat in the last version for me. Really feels like they need to triple down on the software front and beef up the midrange hardware.
I just looked the other day, as I'm getting symmetric 2Gb fiber in a few months, and UniFi has some wild high-end router but it seems like it needs more on the CPU and RAM front still, too. OPNsense here I come?
Without necessarily defending Ubiquiti's oftentimes-weird product lineup, IDS/IPS are basically useless, so there's not much point worrying about what they do to raw WAN speed.
I wouldn't say they went to shit, but their products moved away from what I wanted. I had an ER-X and APs and they worked well. I'd like an upgraded ER-X, but don't need a UDM. I ended up continuing to use my ER-X and use Eeros for the APs - got them super cheap on some Amazon deal.
Same here. I have an ER-X deployed to provide internet access to a bunch of servers. I don't need any cloud service and stuff, just a router with some firewall and NAT.
My next product will be something else, because all the new stuff doesn't buy into "KISS" anymore.
An updated ER-X with double the ports would be awesome. That's just not a market that ubnt seems to want to be in now. Cloud connected everything isn't something I want.
I just upgraded my networking and Wi-Fi and had the intention of going with UniFi equipment rather than the consumer-grade stuff. I was shocked to see that they don't have 2.5GbE or Wi-Fi 6E options for their equipment.
They do have 2.5GbE through the Dream Machine Special Edition; also, anything that is an SFP port you can put a 2.5 or 10Gbit Ethernet jack in if you need it. I get the general impression that they just want to go straight to 10Gbit and not do 2.5Gbit much.
But then you lose many of the benefits of a single pane of glass.
There's also the trust issue; the VPN problem has been known for years. If they won't maintain a key security component of their key security device, why would I trust them with anything?
They want to get income like a hardware store, but sell their product as if their value is software, which they then don't maintain because it's not selling their latest hardware.
If you want to deploy a typical small office traditionally you’d have wifi, switching, routing, firewall, vpn. Typically some of this would be integrated into a single box (routing and firewall for example), but you have a bunch of different specialist bits of equipment to manage and interoperate.
This is UniFi's version of "we provide a one-stop shop", with your entire network managed through a single pane of glass.
You're 10 years out of date. With certificate pinning, the dubious benefit of breaking SSL and introducing major-severity risk no longer works; far too many exceptions to manage.
That's... not an accurate description of how things work in the real world. There are large enterprises out there with NGFWs that aren't doing much TLS inspection.
Your average mom and pop business is more likely to have a wifi AP/router/NAT gateway combo from their ISP than something as feature rich as Unifi, let alone a real NGFW.
Every major company I've been at absolutely positively does NOT MitM their own traffic. They pay security people well enough to realize what a massive hole that creates in their security posture, and it makes the intercepting appliance a cesspit of regulatory toxic waste. PCI, MNPI, even HIPAA from employees visiting their health insurance site? Check, check, check! All on a silver platter for insiders and hackers.
I can tell you for a fact, having worked at them in a senior executive technical role with responsibility for security, that at least the top banks do not do this, and definitely not tech giants like Amazon. I am certain others do, but this doesn't make it a good idea. There are a lot of boneheaded things that networking hardware companies convince deep-pocketed customers to do that they shouldn't. Creating the ability to intercept traffic means none of your communications are secure within their TLS tunnels because there exists a well-known and discoverable single point of failure for literally all traffic in the network.
Finally, URL categorization isn't perfect, and you end up with a leaky solution that is again, as I said, a giant cesspit of regulatory toxic waste.
Several top banks ($20B+ revenue) I've contracted at internationally do MITM most of their TLS traffic to the internet, either via transparent gateway or HTTP proxy. As do top manufacturers, insurance companies, government agencies, etc. It is probably 60/40 MITM vs not in my experience. It's a pain.
We MITM traffic at places I've been at, including government/charities. If you truly have a 'NGFW' then you can easily configure it to not MITM traffic based on categories, like healthcare.
It's pretty easy when you have your own PKI infrastructure. Which is surprisingly manageable if you have decent people running active directory services. Which is usually the single source of truth for LDAP integrations with NGFW anyway.
You can do cool things like having corporate devices have their own machine certificates that enable an always on VPN to access central resources (updates, AD, etc.) and switch to a user profile certificate as soon as a user logs into the device to get VPN/firewall access to resources that user needs.
It solves the pre-pipping problem of sending out devices to remote workers without them having to login before hand to load their profile on the same network as AD. And it's secure.
The alternative is to go cloud and Intune everything and use Entra ID, etc., which seems more popular but you lose a lot of control in my opinion and have a massive attack surface because, unlike on-prem AD, the cloud is just some amorphous blob that you can't lock down using the usual things like firewalls.
I'd say, based on my experience, that if there's an 'average' big corp, they do targeted TLS proxy: on most or all of their inbound traffic to hosted services and limited category by category decryption outbound. Yes, they are absolutely concerned about legitimate regulatory and privacy concerns, but they are also concerned about data being exfiltrated, phishing attempts, identifying malicious payloads, etc.
Pretty sure that is not true; almost every major security vendor recommends deep packet inspection of unknown traffic (which requires decryption).
Most of the time there are whitelists that exempt huge amounts of known traffic to common SaaS services, and known company resources (like health insurance) traffic, but if it is not a known service then that traffic should absolutely be decrypted and inspected.
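The two positions above (bypass decryption for sensitive categories such as healthcare, but decrypt anything that is not a known service) both hinge on the gateway being able to name the destination before it decides whether to forge a certificate. For a transparent TLS gateway that information comes from the SNI in the ClientHello, which is still cleartext in TLS 1.2 and 1.3 unless ECH is in use. The following is an added example, not code from the thread or from any vendor's product: a stdlib-only Python parser that pulls the SNI out of a raw TLS record and applies a category policy in which unknown destinations default to decrypt. The category table, the `.example` hostnames and the `build_client_hello` helper used to construct sample input are all made up for the demonstration; a real gateway would consult a URL-categorization feed instead of a dict.

```python
import struct
from typing import Optional, Tuple

# Constructed category map (hypothetical). Real gateways use a vendor
# categorization feed; the point here is the decision logic, not the data.
CATEGORIES = {
    "myhealthplan.example": "healthcare",
    "bank.example": "finance",
    "sso.example": "corporate-allowlisted",
}
# Categories the policy refuses to intercept (regulatory / privacy bypass).
BYPASS_CATEGORIES = {"healthcare", "finance", "corporate-allowlisted"}


def build_client_hello(server_name: str, include_sni: bool = True) -> bytes:
    """Construct a minimal TLS ClientHello record carrying one SNI entry.
    Test-input helper only; random/cipher bytes are placeholders."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack(">H", len(name)) + name  # host_name type 0
    sni_ext = (struct.pack(">HH", 0, len(sni_entry) + 2)        # ext type 0 = SNI
               + struct.pack(">H", len(sni_entry)) + sni_entry)
    exts = sni_ext if include_sni else b""
    hello = (b"\x03\x03" + b"\x11" * 32 + b"\x00"               # version, random, empty session id
             + struct.pack(">H", 2) + b"\x13\x01"               # one cipher suite
             + b"\x01\x00"                                      # one compression method: null
             + struct.pack(">H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension, or None if absent.
    Raises ValueError on anything that is not a well-formed ClientHello."""
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack(">H", record[3:5])[0]
        body = record[5:5 + rec_len]
        if body[0] != 0x01:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) < hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                   # client_version + random
        pos += 1 + hello[pos]                          # session_id
        pos += 2 + struct.unpack(">H", hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hello[pos]                          # compression_methods
        if pos + 2 > len(hello):
            return None                                # no extensions block at all
        ext_len = struct.unpack(">H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_body_len = struct.unpack(">HH", hello[pos:pos + 4])
            pos += 4
            ext = hello[pos:pos + ext_body_len]
            pos += ext_body_len
            if ext_type != 0:
                continue
            list_len = struct.unpack(">H", ext[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = ext[p]
                name_len = struct.unpack(">H", ext[p + 1:p + 3])[0]
                p += 3
                name = ext[p:p + name_len]
                p += name_len
                if name_type == 0:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError("malformed ClientHello") from exc


def categorize(host: str) -> str:
    """Longest-suffix match so sub.domain inherits the parent's category."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        cat = CATEGORIES.get(".".join(labels[i:]))
        if cat:
            return cat
    return "unknown"


def decrypt_decision(record: bytes) -> Tuple[Optional[str], str, str]:
    """(sni, category, action): bypass for sensitive categories, decrypt otherwise.
    No SNI (or ECH) means the gateway cannot categorize, so it lands in 'unknown'."""
    host = extract_sni(record)
    if host is None:
        return (None, "unknown", "decrypt")
    cat = categorize(host)
    return (host, cat, "bypass" if cat in BYPASS_CATEGORIES else "decrypt")


if __name__ == "__main__":
    for h in ("portal.myhealthplan.example", "cdn.unknown-thing.example"):
        print(decrypt_decision(build_client_hello(h)))
```

The bypass list is deliberately a category set rather than a hostname list: the "leaky categorization" complaint earlier in the thread is exactly what happens when a health-insurance portal is served from a CDN hostname the feed has never classified, at which point the unknown-means-decrypt default pulls that session into the intercepting appliance.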