Anyone know if BSD Networks' switches are any good?


zara654

New Member
May 15, 2021
Figured out I'm going with an OPNSense router. I'm mainly concerned about security, and the BSDs have some of the most secure networking stacks. They're almost paranoid about security. Just need to figure out the switch to pair with the router. Right now I'm trying to decide between Juniper and BSD Networks switches. Juniper is definitely well known, and they'll help me select their switch. I received a recommendation for BSD Networks. Think the guy might be an employee at BSD Networks. It's a rather small company. Can't find much on them. Does anyone have any experience with BSD Networks?
 

Nnyan

Active Member
Mar 5, 2012
Never heard of BSD networks myself and I've used Juniper on occasion. Just for my own curiosity can I ask how/why you narrowed it down to those two?
 

zara654

New Member
May 15, 2021
I definitely want a BSD based switch. The BSD kernel is way more secure than a Linux Kernel. Those developers are paranoid.

I bought a Cisco product, and found they collected a lot of customer information and have subpar security. Juniper is known for being BSD based, and has never had any documented backdoors built into their products as far as I'm aware. I basically asked on a tech support forum for switch recommendations, and Juniper was a common brand listed. I compared them to Cisco and it sounds like they have better performance and better security. Cisco just sounds like they're still around from getting tech people hired by corporations and the government.

I'm going with Juniper. I think the guy from BSD Networks was promoting his own company. I don't know if they're legitimate, and would have to have an audit just to confirm there's no malware.
 

klui

Well-Known Member
Feb 3, 2019
It's been a while but when I was following BSD, OpenBSD was considered the most secure OS in its default configuration out of the box. But not all BSDs are the same. I have not heard of BSD Networks but their current website's offerings don't appear to be enterprise focused. If you were to choose between the two, Juniper is probably the better choice. Be prepared to pay for it though. JunOS is based on FreeBSD, not OpenBSD, therefore the security you're attached to probably won't apply fully.

The one thing I don't like about JunOS is its multi partition file system brought over from FreeBSD. You're not supposed to power off the switch by pulling out the power. Instead, you need to properly shut down the system. If proper shutdown is not done, there may be an increased chance the file system will come up in an inconsistent state and you need to rely on the backup partition (slice). After booting from the backup slice (this is done automatically) you need to refresh the original slice with the current one otherwise if the backup goes bad you probably need to reinstall JunOS. Normally it's not a problem but if you're not home or you're managing remote sites and lose power, the potential for corruption will increase unless you have a good operational infrastructure.

Nowadays a switch's brand isn't as important as its features and cost. JunOS's commit model and syntax are elegant and powerful. It's a breath of fresh air compared to the Cisco model; but if you get almost anything else, you will be able to switch between all other vendors with relative ease.

At home I have an SRX firewall in production. I also have a handful of EX switches, but they are part of my lab and not deployed in production.
 

zara654

New Member
May 15, 2021
I need 24/7 uptime. I can probably get a cheap UPS that shuts everything down in case of the rare power outage once every five years. Should I get a second switch for keeping this up?

I'd go with a cheaper option. But, I've heard a lot of these companies don't stay up all that long. Last I heard JunOS was based on HardenedBSD. No idea if that's still the case. Any of the BSDs is still more secure than Linux. Linus Torvalds takes obscure security risks for performance reasons, while the BSDs typically close those holes.
 

BoredSysadmin

Not affiliated with Maxell
Mar 2, 2019
What makes you think that BSDNetwork switches are actually based on modern BSD kernel/os? From a quick glimpse of their website, the product range seems extremely outdated (a switch with 4x10gig uplinks is labeled as brand new)
The product datasheet and manual links aren't working.
In short, I'd stay far away from this specific vendor.
Besides, a switch is hardly a place you should be overly concerned about security, even a layer 3 switch.
 

zara654

New Member
May 15, 2021
Going with one of these for the router. Going with a Juniper for the actual switch, as I'd like to expand to 100 computers and need the network to be reliable and fast. Juniper supports python scripting, and seems to be a good choice as I'm coming from a programming background. I just don't know how fast of a switch I need to not create bottlenecks for intranetwork transfers. I'll be running a TrueNAS backup server with multiple machines writing to it per hour. They'll be staggered, but if I have 100 computers that's still going to be demanding. I just don't want to under spend, and end up having to replace a bunch of networking hardware.

Cisco just doesn't seem like a good idea from a security stand point, and I bought an old switch of theirs for about $250, which they still support for another two months, and their GUI doesn't even work in a browser that's ten years old. Cisco has also expressed willingness to work with the government on backdoors, and such while not being legally required to.
 

RTM

Well-Known Member
Jan 26, 2014
Let me be clear: I think you put too much focus on what the underlying OS is on the switch.
Vendors can absolutely make any reasonably secure OS into a mess security wise.

Juniper is absolutely a decent vendor, but honestly I would not consider them any different than Cisco, they operate in the same "tier" so to speak.
The caveat here being that Cisco has a SMB line of routers, switches and what not, that I consider of lesser quality.

A thing to keep in mind, is that with Juniper and non-SMB Cisco switches you will need a paid subscription to get access to firmware updates.
In many cases (if not all) they also make it difficult to use switches bought on eBay and the like, by preventing subscriptions for used hardware.

Oh and for what it is worth, there has been a backdoor in Juniper firewalls:

Unless you have already made the order for the switch you want, I suggest you detail what kind of network you want to build, what it will be used for and what your requirements are. I assume with the combined minds here, we can help you validate your network design.
Case in point, since you need to connect more than 100 computers, I assume you need more than one switch?
 

zara654

New Member
May 15, 2021
Yeah, I'm buying the Juniper from Juniper most likely. If they ever respond to my email to their sales department. This is a business expense. Any dime I give to them I can write off on my taxes. It sounds like with switches a lot of the manufacturers aren't very reliable. Also the Juniper backdoor is a defect in a number generator the NSA put in. That's different from Cisco literally working with the government to implement backdoors.

I'm making a cryptocurrency mining operation. Mining Monero, also trying to get accepted into the validator program for Polkadot, running a node in a decentralized search engine. I'll also have a backup server I don't want to bottleneck. I should probably go a bit overkill on the router and switch, but I'm not planning on reaching the level of having a warehouse of hardware with thousands of computers. (at least not with this network) I don't know all of the operational expenses up front as I'm following an agile methodology. I just know I need a solid base for expanding out. So I basically need the modern equivalent of the networking infrastructure Google had while they were starting out.

Eventually, I do need more switches. I think for now I can use regular unmanaged switches attached to the managed switch. I just need a switch for expanding the router out into multiple vlans at this point, and I'd like to future proof my network design for expansion.

As far as I know, there is not a decent open source switch out yet, which I would prefer. That's why I was considering BSD Networks, since I think I could just install a BSD distribution. But, that doesn't seem like a reliable company.
 

RTM

Well-Known Member
Jan 26, 2014
With regards to the backdoor and such, I am not so sure I see it the same way, for one it seems to me to be more a matter of deniability, as it is Juniper can deny having assisted NSA in implementing the backdoor.

With regards to Cisco, I have not heard that they are helping in implementing backdoors, do you have any sources on those claims?

In any case, since we are talking about a crypto mining operation, it is hardly a known target for US state actors.
Your threat model should probably focus more on North Korean state and crime threat actors.

In terms of your plan to continue using unmanaged switches, I would probably prefer replacing them so you can segment each node out on its own network segment. But that is of course up to you and the budget you have. If you want to mitigate the potential issue, that someone can jump from one mining node to another given the right vulnerability etc., you could implement some good host firewall rules on the mining nodes, so they are only allowed to connect to what they need and only accept connections from your management node.

In any case, since you are being security focused, I suggest you ensure that the management interfaces of your network components are segmented out so only the computer used for management can access them; you really don't want that exposed to your servers and such.
Of course you should also generally look into how to harden the switch (turn off services you do not need and so on).
 
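The host-firewall advice in the post above (each mining node only accepts connections from the management host and only connects out to what it needs), written out as an added example that is not from the thread or from any poster. It generates a default-deny nftables ruleset for one node; the management host 10.0.99.10, the resolver 10.0.1.1 and the pool ports 3333/443 are made-up placeholder values.

```shell
#!/bin/sh
# Added example, not from the thread: build a default-deny nftables ruleset
# for a single mining node. Inbound: only SSH from the management host.
# Outbound: only DNS to one resolver and TCP to the pool ports.
# All addresses and ports below are hypothetical placeholders.

# gen_ruleset MGMT_IP RESOLVER_IP POOL_PORTS
# Prints the ruleset to stdout. POOL_PORTS is a comma-separated list.
gen_ruleset() {
    mgmt="$1"; resolver="$2"; ports="$3"
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # only the management host may open sessions to the node
        ip saddr $mgmt tcp dport 22 accept
        # keep reachability checks working, rate limited
        icmp type echo-request limit rate 5/second accept
    }
    chain forward {
        # a mining node never routes for anyone else
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        # one resolver, and pool traffic only on the listed ports;
        # nothing else can reach out, so a compromised miner cannot
        # wander sideways to its neighbours
        ip daddr $resolver udp dport 53 accept
        tcp dport { $ports } accept
    }
}
EOF
}

# has_default_deny FILE
# Succeeds only if both the input and output chains drop by default;
# a quick guard against someone "temporarily" flipping a chain to accept.
has_default_deny() {
    grep -q 'hook input .*policy drop' "$1" &&
    grep -q 'hook output .*policy drop' "$1"
}

# Usage: write the ruleset to a file, then (as root) load it with: nft -f FILE
out="${TMPDIR:-/tmp}/mining-node.nft"
gen_ruleset 10.0.99.10 10.0.1.1 "3333, 443" > "$out"
has_default_deny "$out" && echo "ruleset written to $out"
```

The resulting file can be syntax-checked without loading it by running `nft -c -f mining-node.nft` as root; repeat per node with the same management address so that node-to-node traffic is dropped on both ends even while they still share an unmanaged switch.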

zara654

New Member
May 15, 2021
Yeah, that's what I'll be doing. Just using some unmanaged switches early on.

This is why I don't trust them, "The lawful intercept backdoor program." I'm less worried about governments, and more worried some hacker will find a way in through stuff like this. As far as I'm aware, Juniper is far less blatant.