[Discuss] iGuardian "enterprise-grade" home router

[tmetro+blu at gmail.com (Tom Metro)]

Richard Pieri wrote:
> Comparing his $150 box to a Juniper IPS that costs ten times as much (or
> more) is disingenuous.

I just want to clarify (for other BLU readers) that the "his" above
doesn't refer to Dan Geer. His interview and the iGuardian product are
unconnected, and only were mentioned in the same message due to being
covered in the same "This Week in Enterprise Tech" episode.

I agree that most comparisons between cheap gear and multi-thousand
dollar enterprise gear can be disingenuous. The cheap gear usually
offers some incomplete replication of the functionality of the
enterprise hardware. The relevant bit is whether it replicates the parts
you care about. There's always going to be some things the enterprise
gear does to justify its price, even if that's merely in the support
they offer.


> He lists frequent, easy updates as a feature yet it's an /embedded/
> system, an OpenWRT fork which, as we've recently discussed, isn't easily
> updated. I'd forgive a lot if his iGuardian were running a live OS the
> way that pfSense does but going embedded? That's a big strike against it.

You'll have to clarify what "embedded" means to you, and how that would
differ from pfSense running on appliance hardware.

The challenge in getting an embedded system to update are:

1. Having an organization to produce and QA (for the target appliance)
the updates in a timely fashion to maintain security. (Lacking in many,
if not most, open router firmware projects.)

2. Allowing the updates to be deployed to your hardware without first
performing your own QA.

If the company behind iGuardian hits upon a successful business model
and stays in business, then they should be able to make good on #1.
Though as Jim Gettys has explained in his talks, the financial
incentives usually aren't there to provide long term security updates
for low-cost routers. If I recall, iGuardian is claiming to be including
lifetime updates in that $150 price. That means after the initial batch
is sold, their revenue source could dry up, and that'll be the end of
the updates.

On #2, this is something most home owners would generally not be
concerned with, but the publicized situation where Cisco installed
updates automatically to home routers that altered its behavior in an
undesirable way might give them second thoughts.

The impression I get is that the majority of the updates they're going
to be supplying are new A/V rules for their deep packet inspection, not
actual code updates. If they're building on OpenWRT, then I wouldn't
expect the code updates to be any more frequent than what they upstream
project sees. The practical difference being they'll QA and package
those updates for automatic installation. I can see the appeal in that,
if you don't want to have to choose between running a stale router or
playing sys admin to keep it updated.

 -Tom

-- 
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/