VPN flood attacks questions
The small office I work at currently has an EOL Sonicwall TZ300 and is looking to switch over to a Firewalla Gold Plus. One, for the lack of yearly fees behind a Sonicwall paywall, and two, for WireGuard VPN support for remote workers.
We have been having massive issues for the last few weeks with flood attacks driving up the memory usage of the Sonicwall, to the point that it will disconnect all SSL VPN IPsec logins (NetExtender client), and they generally cannot log back in until the firewall gets rebooted to clear the RAM leak. We believe this issue is related to this:
The Sonicwall forums are riddled with users with the same issue right now, regardless of Sonicwall model, in regards to SSL VPN connections dropping with the memory issue. In some cases Sonicwall has rolled out firmware hot fixes, and in some cases end users need to contact them and have a hot fix applied manually. Many of these users, us included, have devices that are EOL and no longer have any firmware updates to address this.
Even beyond this issue, ever since we have had the Sonicwall, the SSL VPN has always been somewhat flaky due to the older IPsec protocol requiring an active connection. This routinely gets dropped, causing remote users to have to log back in, sometimes unsuccessfully until they reboot. Our thought is to switch to the more modern WireGuard protocol, which doesn't require active connection management and sends the packets directly to the target IP.
We have an office of around 30 employees, and at any given time, up to 10-15 people are remoted in concurrently. Our questions are:
1. In the Ars Technica article listed above, many firewalls are listed as experiencing this problem, Sonicwall being one of them. Firewalla is not listed, but that doesn't mean it's not affected. Has this specific threat been addressed via a patch/block list (list available in the article above)? We would hate to switch over to this device and have issues similar to the ones we are having now with these flood attacks. Or is it a non-issue?
2. I've read that the Firewalla Gold allows up to 100 WireGuard connection profiles. We would never hit that number, but based on our current usage (up to 10-15 concurrent connections), are people having any issues with the Firewalla Gold Plus and WireGuard that should cause us to rethink purchasing?
Any other thoughts or comments are welcomed. Thanks for any feedback.
-
As far as I know, the attacks are very much towards SSL VPNs. The Firewalla VPN server is WireGuard or OpenVPN, and both of these are authenticated using certificates. Certificates are a lot safer than user/password. These protocols are also open-source.
The Firewalla Gold in beta mode can allow 100 WireGuard profiles, and production is 25. If you are heavy into remote work, the new Firewalla Gold Pro can encrypt at 2 gigabits via WireGuard.
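As an added illustration (not taken from any poster in this thread and not Firewalla's own documentation), here is a minimal WireGuard server and client configuration of the kind behind the "connection profiles" discussed above. WireGuard identifies each peer by a static Curve25519 public key listed in a [Peer] block (an optional PresharedKey adds a second, symmetric secret); there is no username/password exchange, and a handshake packet that does not validate against a listed peer key is dropped silently, so an exposed WireGuard port does not present a login surface the way an SSL VPN portal does. Every key, address, hostname and interface name below is a placeholder, and the per-peer AllowedIPs lines are what keep one remote worker from sourcing traffic as another.

```ini
# --- Server side (office gateway), constructed example file wg0.conf ---
# Keys are placeholders; generate real ones with:
#   wg genkey | tee server.key | wg pubkey > server.pub
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key-base64>

# One [Peer] block per remote worker. Only a handshake that authenticates
# against one of these public keys is answered; anything else is discarded.
[Peer]
# alice-laptop
PublicKey = <alice-public-key-base64>
# optional extra symmetric secret shared only between this pair
PresharedKey = <alice-server-psk-base64>
# the only tunnel source address accepted from this key
AllowedIPs = 10.8.0.2/32

[Peer]
# bob-laptop
PublicKey = <bob-public-key-base64>
PresharedKey = <bob-server-psk-base64>
AllowedIPs = 10.8.0.3/32

# --- Client side (alice-laptop), constructed example file wg0.conf ---
[Interface]
Address = 10.8.0.2/32
PrivateKey = <alice-private-key-base64>
# office resolver, placeholder
DNS = 10.0.0.53

[Peer]
PublicKey = <server-public-key-base64>
PresharedKey = <alice-server-psk-base64>
# placeholder hostname for the office WAN address
Endpoint = vpn.example.com:51820
# split tunnel: only the tunnel subnet and the office LAN go through the VPN
AllowedIPs = 10.8.0.0/24, 10.0.0.0/24
# keeps the NAT mapping alive; there is no session to "drop", a peer
# simply re-handshakes when it next has traffic
PersistentKeepalive = 25
```

A practical check when evaluating any WireGuard gateway, Firewalla included: `wg show` on the server lists each peer's public key, last handshake time and transfer counters, and a peer that never completes a handshake will show no "latest handshake" at all, which is what you expect from unauthenticated flood traffic against the listening port.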
-
Thanks for your response. I just saw the Gold Pro this morning; unfortunately it's not shipping for months, and we need a solution immediately. I looked at the comparison chart, and the Gold Plus can already do 500 Mbps via WireGuard, which is more bandwidth than we currently have anyway. Where we are located, there is only one local fiber ISP, and they charge ridiculous prices for business accounts for anything over 300 Mbps.
Is the production firmware limitation of 25 going to be raised to 100 at some point? Also, can you switch back and forth between production and beta without losing settings, or are you locked into one mode or another?
-
At the moment, the production limit is 25. This is based on 25 users each using roughly 20 megabits (encryption), which adds up to roughly 500 Mbit. I believe we can create more; the limit is there so people don't oversubscribe the VPN side and reduce CPU for the "security" part.
Yes, you can easily switch between beta and production.