Thursday, May 7, 2020

Holy Shitsco

*using a different account for this to limit possible blowback

I just had a truly bizarre experience with a network security vendor and need to brain dump a bit.

Like many, I have a home lab that I use to keep up with emerging technology. I like to refresh my lab every 5-7 years, and it just so happens that the Covid situation was a perfect time for a refresh.

Along those lines, I bought a brand-new shiny firewall (personal, not professional purchase). My intention was to use it as the default gateway for the lab and the DHCP server for all the network segments, and also to enable all the security filtering and app-level security stuff just to experience it and be able to speak intelligently about it.

So, the DHCP server on this thing is laughably limited. It doesn't allow reservations (what?!?!?) and doesn't allow setting any DHCP options for NTP, TFTP, route insertion, etc. I just can't believe a firewall from a tier 1 vendor is this brain-dead, so I start looking for answers and see that there is a full major-version firmware update available. So, I try to pull the firmware to see if it improves the DHCP services.

No dice: even with a valid, brand-new, registered firewall, the support site won't let me pull the firmware. I contact support and spend the rest of the day going back and forth. The answer I got from them completely blew my mind. The vendor will NOT provide firmware without a service contract, except in cases where a major security issue is discovered.

I've got a few problems with that, which I voiced:

- It creates an environment of diverse firmware levels across installs. While some may argue that this is a good thing, it is security through obscurity, which is pretty universally accepted as a flawed security strategy.

- It encourages administrators to "let it ride" on updates for their first line of defense. They aren't going to be constantly checking for updates if there is no expectation that updates will be available.

- Any product within 30 days of purchase should put its best foot forward by allowing the very latest and greatest version of that product to be used.

The vendor, as they tend to do, dismissed all of those concerns. Now, I try to be a straight shooter with my vendors. I wasn't trying to throw my weight around, and I intentionally left this part until the very end of the conversation with the vendor, because I need to experience how our vendors deal with our administrators without any special treatment. I happen to be the CTO for a very large state university in a very large state. I paraphrased all of the above back to the representative with the qualifier that "I need to understand this and be clear on it because it will impact my recommendations for technology platforms professionally." The vendor representative verified that all of the above was indeed the position of the vendor.

Realistically, the 1-year support license is about $100. It isn't a huge deal, but the posture of the vendor is important. A security vendor is intentionally taking a position that makes their customers less secure, at least in my opinion.

It just so happens that, as a CTO, I have been reviewing a $500k-ish conversion to this same vendor's server offering. My official position up until now was, "the product is slightly more expensive, but the technology stack is worth that expense." That position has changed to, "I think this vendor has lost their way on security, and I have serious concerns about moving forward with their products."

All I can say is, great example of penny ($100) wise and pound ($500,000) foolish. If you made it this far, thanks for listening and letting me vent.

TL;DR: the vendor doesn't want you on the latest firmware for a week-old security product unless you pay the support tax.
