Netgate SG-1000 microFirewall

Topic: Hardware best for post Meltdown


Offline FranciscoFranco

Hardware best for post Meltdown
« on: January 20, 2018, 10:04:42 pm »
I see two boxes that all of a sudden I am interested in.
SG1000
SG3100
These are both Arm, and it seems they have no Predictive Logic in the CPU, so they should be OK.
Is that a fair reading?

Looking at Intel's Micro Code Updates (MCU), they are not going back very far generationally, and much hardware is SOL. They released an MCU batch in November, so maybe there is going to be more coming. I doubt it. I see someone asking about MCU for the C2xxx series, and this is something I doubt will get updated.

Offline silentcreek

Re: Hardware best for post Meltdown
« Reply #1 on: January 23, 2018, 04:45:28 am »
If you are solely referring to Meltdown, then your reading is correct. But that would be shortsighted because there is also Spectre.

The SG1000 uses a Cortex-A8 SoC and the SG3100 is based on a Cortex-A9 SoC. Both are affected by the Spectre attack variants 1 and 2, according to ARM. They aren't vulnerable to Meltdown. But then again, there will be a fix for Meltdown coming to FreeBSD soon and pfSense will get updated when that's available (and tested), according to Netgate.

Nevertheless, on a router, I don't think you need to worry about Meltdown or Spectre. The attacks require malicious and specially crafted code to be executed. That is scary when you look at browsers, through which any website can execute JavaScript code on your computer (unless you block JavaScript), or a multi-user environment where you can't be certain that another user on the system isn't executing malicious code. But on a router you usually don't do that. Possible attack vectors are quite limited there: unless the web interface is prone to cross-site scripting attacks or you give SSH access to untrusted users, there should be no third-party code executed.

Offline FranciscoFranco

Re: Hardware best for post Meltdown
« Reply #2 on: January 24, 2018, 03:30:18 am »
Thanks for your input. What I worry about is that the POC was done with JavaScript, but that does not mean other vectors are not available.

I do get your point about executables not running on a firewall. Attack vectors are limited. Agreed.