Geekzone: technology news, blogs, forums
networkn
#3205803 12-Mar-2024 18:41

I mean the question is asked and answered. If the OP doesn't like the answer, that's really on them to decide their comfort level with risk. If your IT support, and that of many experienced IT Pros here, are saying you need to run a supported configuration, and you choose not to, then that's on you.

Not sure I would be happy to stand up in front of a customer whose data was compromised as a result of this and say you'd failed to take reasonable steps to protect their data.


jnimmo
#3205856 12-Mar-2024 21:48

Of course, a supported router is only as good as the associated patching schedule. For example, there are currently around 600 Fortinet devices in NZ (https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=30&source=http_vulnerable&tag=fortinet%2B&geo=NZ&group_by=geo&style=stacked) vulnerable to a 9.8 CVE which was published in early February. Ideally you want a product which will keep itself up to date with any security updates.

While it might not be high risk to run the EOL routers for a time with only IPSec exposed and locked down to the other peers, monitoring for any new vulnerabilities and applying manual mitigations (which might mean disabling certain ALGs etc.), EOL devices have a tendency to get forgotten about, so I certainly recommend a plan to replace them. There's a ton that can be done LAN side as well to harden devices on the network so that even if a router did get compromised, it's just not practical to move from there to the internal devices.

Having said that, do you even need site-to-site VPNs? Can you just provide branches with an internet connection and use Zero Trust network architectures to provide secure access to the resources users/devices are authorised to access from any untrusted network connection?
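The three checks jnimmo's post implies (is the firmware past end-of-life, is anything other than IPsec reachable from the WAN, and is IPsec pinned to the known peers rather than open to anyone) can be run over a device inventory. The script below is an added example written for this thread; it is not code from any poster or vendor. The inventory, device names, firmware labels, addresses (RFC 5737 documentation ranges) and dates are all constructed.

```python
"""Edge-router exposure audit (added example, constructed inventory).

Flags devices that are past end-of-life, expose non-IPsec services to the
WAN, or accept IPsec from sources that are not the configured peers.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional
import ipaddress

# Ports/protocols an IPsec-only edge device should expose to the WAN.
IPSEC_SERVICES = {"udp/500", "udp/4500", "esp"}

# Date the audit is run against (constructed).
AUDIT_DATE = date(2024, 3, 12)


@dataclass
class Exposure:
    service: str              # "udp/500", "tcp/443", "esp", ...
    allowed_from: List[str]   # source CIDRs the WAN policy permits


@dataclass
class Device:
    name: str
    firmware: str
    eol: Optional[date]       # vendor end-of-support date; None if still supported
    peers: List[str]          # public addresses of the IPsec peers
    wan_exposures: List[Exposure] = field(default_factory=list)


def audit(dev: Device, today: date) -> List[str]:
    """Return human-readable findings for one device (empty list if clean)."""
    findings: List[str] = []
    if dev.eol is not None and today >= dev.eol:
        findings.append(f"{dev.name}: firmware {dev.firmware} is past EOL "
                        f"({dev.eol.isoformat()}); plan replacement")
    peer_nets = [ipaddress.ip_network(p, strict=False) for p in dev.peers]
    for exp in dev.wan_exposures:
        if exp.service not in IPSEC_SERVICES:
            findings.append(f"{dev.name}: {exp.service} reachable from WAN; "
                            f"only IPsec should be exposed")
            continue
        for src in exp.allowed_from:
            net = ipaddress.ip_network(src, strict=False)
            if net.prefixlen == 0:
                findings.append(f"{dev.name}: {exp.service} accepts IPsec from "
                                f"anywhere; restrict to peer addresses")
            elif not any(net.version == p.version and net.subnet_of(p)
                         for p in peer_nets):
                findings.append(f"{dev.name}: {exp.service} allowed from {src}, "
                                f"which is not a known peer")
    return findings


def audit_inventory(inventory: List[Device], today: date) -> Dict[str, List[str]]:
    """Audit every device; only devices with findings appear in the result."""
    result: Dict[str, List[str]] = {}
    for dev in inventory:
        found = audit(dev, today)
        if found:
            result[dev.name] = found
    return result


# Constructed inventory: one forgotten EOL branch router with its admin UI
# open to the world, one supported firewall with IPsec too widely allowed,
# and one clean branch router.
INVENTORY = [
    Device("branch-a-rtr", "legacy-build", date(2023, 6, 30), ["203.0.113.10"],
           [Exposure("udp/500", ["203.0.113.10/32"]),
            Exposure("udp/4500", ["203.0.113.10/32"]),
            Exposure("esp", ["203.0.113.10/32"]),
            Exposure("tcp/443", ["0.0.0.0/0"])]),          # admin UI on the WAN
    Device("hq-fw", "7.2", None, ["198.51.100.20", "198.51.100.21"],
           [Exposure("udp/500", ["0.0.0.0/0"]),           # IPsec from anywhere
            Exposure("udp/4500", ["198.51.100.0/24"]),    # wider than the peers
            Exposure("esp", ["198.51.100.20/32", "198.51.100.21/32"])]),
    Device("branch-b-rtr", "7.2", None, ["203.0.113.10"],
           [Exposure("udp/500", ["203.0.113.10/32"]),
            Exposure("udp/4500", ["203.0.113.10/32"]),
            Exposure("esp", ["203.0.113.10/32"])]),
]

if __name__ == "__main__":
    for name, lines in audit_inventory(INVENTORY, AUDIT_DATE).items():
        for line in lines:
            print(line)
```

Running it against the constructed inventory reports the EOL firmware and the exposed admin UI on branch-a-rtr, and the two over-broad IPsec sources on hq-fw, while branch-b-rtr produces nothing. A /0 source is treated separately from a merely over-wide one because "from anywhere" is the case the thread is worried about; a peer list entry without a prefix is treated as a single host.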

michaelmurfy
#3205864 12-Mar-2024 22:05

jnimmo: For example, there's currently around 600 Fortinet devices in NZ vulnerable to a 9.8 CVE which was published in early February. Ideally you want a product which will keep itself up to date with any security updates.

And that's terrifying: https://www.cert.govt.nz/it-specialists/advisories/multiple-rce-vulnerabilities-affecting-fortios/

Fortinet are not doing themselves any favors by locking firmware behind a paywall, however. I'm also a Fortinet user myself (and patched), but I think it is irresponsible for any company to lock software updates for these sorts of products behind a support paywall, especially if they're directly internet facing.

I've seen my fair share of pwned routers, hence why I'm not one to leave a vulnerable router protecting you from the internet.





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.




networkn
#3205872 12-Mar-2024 22:54

michaelmurfy:

And that's terrifying: https://www.cert.govt.nz/it-specialists/advisories/multiple-rce-vulnerabilities-affecting-fortios/

Fortinet are not doing themselves any favors by locking firmware behind a paywall, however. I'm also a Fortinet user myself (and patched), but I think it is irresponsible for any company to lock software updates for these sorts of products behind a support paywall, especially if they're directly internet facing.

I've seen my fair share of pwned routers, hence why I'm not one to leave a vulnerable router protecting you from the internet.

We are a Fortinet house and it disgusts me that firmware for SECURITY is behind a paywall. Registration, sure, I understand that; it's reasonable to be able to email you and pester you to upgrade, but to prevent a router from being patched is unacceptable.

It's on my list of things to do to personally email the CEO and make this point. I know it's likely not going to change their mind, but I'll feel better about having my say.


michaelmurfy
#3205874 12-Mar-2024 23:06

networkn: It's on my list of things to do to personally email the CEO and make this point. I know it's likely not going to change their mind, but I'll feel better about having my say.

Please do that. I've also made my voice heard here too, but highly doubt it'll do anything considering they've added additional checks into 7.4.2 and onwards.







nztim
#3205881 12-Mar-2024 23:29

networkn: We are a Fortinet house and it disgusts me that firmware for SECURITY is behind a paywall. Registration, sure, I understand that; it's reasonable to be able to email you and pester you to upgrade, but to prevent a router from being patched is unacceptable.

SonicWALL will even allow an upgrade of firmware if it's a zero-day CVE on an expired firewall.





Any views expressed on these forums are my own and don't necessarily reflect those of my employer.
nztim
#3205882 12-Mar-2024 23:31

michaelmurfy: Fortinet are not doing themselves any favors by locking firmware behind a paywall, however. I'm also a Fortinet user myself (and patched), but I think it is irresponsible for any company to lock software updates for these sorts of products behind a support paywall, especially if they're directly internet facing.

7.2 is not paywalled :)







michaelmurfy
#3205883 12-Mar-2024 23:42

nztim: 7.2 is not paywalled :)

But 7.2 doesn't have the cool features that 7.4 has ;)







networkn
#3205887 13-Mar-2024 00:04

michaelmurfy:

nztim: 7.2 is not paywalled :)

But 7.2 doesn't have the cool features that 7.4 has ;)

Like what? 7.4 isn't mature, so we have dutifully ignored it.

michaelmurfy
#3205888 13-Mar-2024 00:08

networkn: Like what? 7.4 isn't mature, so we have dutifully ignored it.

It's pretty stable now. I've been using it for 6 months. Mainly just new dashboard widgets along with a better firewall policy layout and performance. To be honest I'm mostly being sarcastic and could easily go back to 7.2, as 7.4 is mostly WebUI improvements.







nztim
#3205914 13-Mar-2024 09:05

Question, I wonder if you could boot the FG into safe mode and deploy firmware without maintenance. 





michaelmurfy
#3205926 13-Mar-2024 09:44

nztim: Question, I wonder if you could boot the FG into safe mode and deploy firmware without maintenance.

Dumping the configuration to a flash drive, TFTP-flashing it to later firmware and reloading the configuration works, but you do need to reload the configuration.

We're quite off-topic now though :)






