We are looking at upgrading our network equipment from old HP switches and Aruba access points, we have a Fortinet firewall that we are happy with, so we’ll probably keep using them there, but for the rest we are looking for new stuff.

And we are looking closely at Ubiquiti for switches and APs, but two things have appeared on our radar.

Ubiquiti does have a cloud admin UI, this means that Ubiquiti needs to have access to our network controller to access this feature.

But what if we don’t use that, will Ubiquiti still be able to access the network controller?

I guess that what I am asking is how does the access control work?

Also, updates, I see that they seem to be very frequent and also see some scattered reports that they have required admins to reset their configs and loosing camera footage, can you set updates to be delayed for X days?

  • zorflieg@lemmy.world
    3·
    2 days ago

    Buy the 5yr warranty extension. Yes you can delay updates/make them manual. If I were you and weren’t ready to give up the fortinet I’d double NAT it for a while, I think you’ll find the benefit of using the complete ecosystem will convince you to give up the fortinet even if there are a few features that fortinet do better.

    You can buy a firewall model that has the required controller built in requiring cloud connection or 2nd to that I’d setup a VM using the http://glennr.nl/ scripts as the controller. The scripts are reliable and capable.

    I used to run 3rd party, like Sonicwall, firewalls with Unifi wifi for a few years but recent improvements to their approach has made me switch to the whole eco system now and I prefer it.

  • RelativeArea1@sh.itjust.worksEnglish
    6·
    2 days ago

    most of their stuff are local, unless you have activated remote access on your unifi controller which will require an online account on unifi (ui.com)

    i only have their aps and my unifi controller is hosted on a local machine, and so far i haven’t found any suspicious queries from them, i havent done any packet trace or port checks because they seem ok for me

    where the unifi controller hosted on a deb machine

    one of the ap

    as for access control, if your unifi controller is hosted on a local machine then it will just use specific ports that ubiquiti utilizes that im not familiar with (or too lazy to do a port scan). you may also host your controller online via hostifi or other providers or a diy cloud server (if you’re onto that)

    for updates, unifi controller will notify you if there are updates but its still up to the controller admin if they decided to do so.

    as for janked device configs, i mostly experienced it on controller version 6.x.x and 7.x.x but not on most recent one (9.x.x) and yes it requires a unifi controller admin acct, you may also do scheduled backups of your configs so you can revert back just in case. and if you have no choice then you could locate device > poke reset > re provision on controller.

    • stoy@lemmy.zipOP
      2·
      2 days ago

      Thank you very much for a very thorough run down of the system, we are based in the EU and are trying to make sure that we have as few mandatory ties to US manufacturers as possible while running a modern IT system.

      We have thought about MikroTik and Extreme but our CTO wants us to investigate Ubiquiti as it has a nice web UI for all devices on the network which would be a big advantage for our small network.

      I will push for a small POC network or demo so we can get a better understanding of it.

      • RelativeArea1@sh.itjust.worksEnglish
        3·
        1 day ago

        Thats understandable and fair, some US/publicly traded companies are kinda nutsy nowadays.

        At first I was also drawn with Mikrotik but setting them up is a bit…yea, I’m not thrashing them, it just made me realize “do i really want to spend a lot of time setting this up?”

        but don’t get me wrong, they’re amazing. I’ve seen my cousin doing his ISP business with 1000+ clients using their CCR line up and the cost to perf ratio is crazy.

        • stoy@lemmy.zipOP
          1·
          2 days ago

          Yeah, I have a small Milrotik home router that I opened once, checked out Winbox for 15 min, realized I was WAY out of my depth and got an Asus router instead, this was about 8 years ago though, so things may have changed.

          At this moment we are not really big enough to justify a dedicated network tech, which is why Ubiquiti have caught our eye.

  • 𝕸𝖔𝖘𝖘@infosec.pub
    4·
    2 days ago

    Personally, I like unifi. I haven’t noticed any strange traffic from the APs or the controller (local). One note, though: always go with backwards compatibility (for example, if some of your APs can handle wifi6, but even just one can’t, turn wifi6 off for all SSIDs that are on both models).

  • redlemace@lemmy.world
    8·
    2 days ago

    I am using their WiFi at home. The AP’ have no internet access an I am self hosting the controller which also has no internet access. You can download the controller as a deb package on your PC transfer to the server and install or upgrade. I’m shutting the controller when I briefly open the FW for upgrading Debian. Don’t think they have info or control over my network

  • LifeCoffeeGaming@lemmy.world
    4·
    2 days ago

    Just a note we use Ubiquiti at our office with an on prem network controller so none of the devices talk to the cloud. However some of the nice to have features on the controller require a unifi gateway (router) to use, such as some of the web filtering. Double check which features require what before you commit.

    Honestly tho they’re such a step up from most enterprise bullshit I can’t complain.

  • Link@rentadrunk.org
    4·
    2 days ago

    I’m using Ubiquiti at home (a switch and an access point) and self host the controller too.

    You can disable automatic updates in the controller and then upgrade the firmware when you please.

    Regarding if Ubiquiti have access to our hardware a cloud account is optional so you can just use a local login to your controller instead.

  • bacon_pdp@lemmy.world
    24·
    2 days ago

    If you don’t flash custom firmware images on them that you built yourself from source code; then you have a massive backdoor that you can’t turn off. (Same goes for all other networking vendors, especially Cisco)

    • ramble81@lemmy.zip
      8·
      2 days ago

      Just note, this is the extreme interpretation of software in general (“if you don’t compile the compiler by hand it could insert a back door!”)

      For the purpose of your question, as others have stated you can run things isolated on your network with local accounts and not use their remote services (incidentally that’s how I run it)

      • bacon_pdp@lemmy.world
        04·
        2 days ago

        No, proprietary software by default is malware. Either currently active malware or will likely to turn into malware whenever they get the urge to increase their stock price by bricking your shit, extracting data from you or any other thing that they might choose to do to bump those numbers up.

        • stoy@lemmy.zipOP
          3·
          2 days ago

          That is a very idealistic way of looking at the issue, and I am very impressed if you have the skill and time to maintain your computer systems completely free from proprietary software.

          However, we do neither have the skill not the resources to follow that path, so while I agree with you on principle, reality does make those principles impossible for us to work under.

          • bacon_pdp@lemmy.world
            02·
            1 day ago

            My husband buys hardware which has excellent Linux support and by investing in quality products, he maintains a source code only home environment that I quite enjoy.

            • stoy@lemmy.zipOP
              1·
              19 hours ago

              I am sorry but this is an argument on par with a 5 year old saying “my dad can beat up your dad!”

              I am glad that you have an environment that works for you, but unless you yourself maintain it to the standard you set earlier, I find it difficult to take you seriously.

              • bacon_pdp@lemmy.world
                01·
                18 hours ago

                More like, I don’t discount the contributions of others who helped me. Having to expect everyone to be everything and do everything is such macho bullshit. When everyone works together and puts in the little help that they can, things you consider hard/impossible can be achieved in a rather short time frame.

                • stoy@lemmy.zipOP
                  1·
                  15 hours ago

                  Having to expect everyone to be everything and do everything is such macho bullshit.

                  Didn’t you say that everyone should only run software that they have access to the source?

                  This is litterarly what you sat on your high horse and yelled out that people should do, yet you decide that you don’t.

                  Not really consistent.

        • ramble81@lemmy.zip
          1·
          2 days ago

          I am curious how far you take that. Do you compile your own compiler? Do you have an open BIOS that you can truly audit. Do you know about every piece of firmware on your system and have you been able to audit that code too? Hell, let’s take it to its logical conclusion, how do you know nothing is actually embedded in the silicon? All of that could be malware and do every single thing you mentioned. At some point you either have to trust something (but who do you trust) or build it all yourself from scratch.

          • bacon_pdp@lemmy.world
            0·
            1 day ago

            Well my husband bought me a T500 which has libreboot installed along with Debian. He deals with that sort of stuff