
I’m confused about ubiquiti



14 hours ago, Adsibob said:

I thought about this momentarily, but quickly concluded I didn’t understand what the fuss was about. If somebody is invited into my home, why wouldn’t I trust them with my password.

 

It's not just about trusting the person, also trusting the device. If they bring a device that - unknown to them - has malware, having that on a separate network gives you a lot more protection.

 

Although of course it falls apart a little if you need to give them access to smart home stuff that's on the main network as although that can be solved the easiest and therefore most likely thing is you just give them the main network password.


5 hours ago, andyscotland said:

 

It's not just about trusting the person, also trusting the device. If they bring a device that - unknown to them - has malware, having that on a separate network gives you a lot more protection.

 

Although of course it falls apart a little if you need to give them access to smart home stuff that's on the main network as although that can be solved the easiest and therefore most likely thing is you just give them the main network password.

Do your concerns about malware apply to the Apple family of devices? I find that they are pretty immune to these kinds of threats, although I might be blissfully ignorant of the truth.


On 13/02/2022 at 12:36, PeterW said:

I don’t buy the ubiquiti hype and went TP-Link and their OC200 Omada hardware controller. I know I can play around with the settings etc - it’s all via the app - but being able to mix and match the APs and add them using a 3D bar code is neat. They also have full mesh roaming and you can also create stuff such as guest WiFi on the fly. 

Can you limit access to local, do you have to have the cloud connected to operate it all? I am trying to ensure we don't have any, always on - always listening - always logging, external connectivity except through our bespoke pathway. (I appreciate that those that follow might want to use the proprietary stuff but while I am here I want none of it.)


4 hours ago, Adsibob said:

Do your concerns about malware apply to the Apple family of devices?

I have no concerns as I use the cheaper, and more easily fixed Linux and MS OS's.

 

I think the reason that Crapples seem less affected by malware and viruses is that the operators don't fiddle as they generally have no understanding of IT.  They like the very basic features on offer, and don't have the imagination to use any other applications.

 

List of Mac viruses, malware and security flaws

Wondering how many viruses exist for the Mac? Here is a list of recent Mac malware attacks, viruses for Apple computers, and security threats that Mac users have suffered.

Karen Haslam
Editor, Macworld JUL 22, 2021 6:32 AM PDT
 
 

Despite Apple’s best efforts, Mac malware does exist; we describe some cases below. However, before you panic, Mac malware and viruses are very rarely found “in the wild”.

From time to time you will hear of high-profile trojans, malware, and ransomware targeting the Windows world; very rarely is this a threat to Macs. For example, the WannaCry/WannaCrypt ransomware that brought the NHS to its knees in May 2017 was only targeting Windows machines and was therefore no threat to Macs.

 

Luckily Apple has various measures in place to guard against such threats. For example, macOS shouldn’t allow the installation of third-party software unless it’s from the App Store or identified developers, as per the Security & Privacy settings, that you can access in System Preferences > Security & Privacy > General. If you were to install something from an unknown developer Apple would warn you to check its authenticity.

In addition Apple has its own built-in anti-malware tool. Apple has all the malware definitions in its XProtect file which sits on your Mac, and every time you download a new application it checks that none of those definitions are present. This is part of Apple’s Gatekeeper software that blocks apps created by malware developers and verifies that apps haven’t been tampered with. For more information read: how Apple protects you from malware

 

In 2020 malware on the Mac actually decreased, however, as you will see if you read on, Macs are not completely safe from attacks. To stay safe, we recommend you read our best Mac security tips and our round up of the best Mac antivirus apps, in which we highlight Intego as our top pick.

Another thing to note is that the M1 Chip that Apple started using in Macs in November 2020 is considered more secure than Intel processors. However, malware has already been found on the M1 Mac, dubbed Silver Sparrow; we have more information below.

But if you are simply curious to know what Mac viruses are out there, or have been seen “in the wild”, in this article we will endeavour to give you a complete list.

We’ll start off with a list of what Malwarebytes says were the top Mac malware threats in 2020. Apparently these accounted for 99% of Mac malware detections.

  • OSX.Generic.Suspicious 80.65%
  • OSX.FakeFileOpener 13.19%
  • OSX.ThiefQuest 1.96%
  • OSX.BirdMiner 1.37%
  • OSX.SearchAwesome 1.05%
  • OSX.FakeAV 0.74%
  • OSX.Honkbox 0.22%
  • OSX.Dummy 0.15%
  • OSX.Adwind 0.1%
  • OSX.KeRanger 0.1%

We’ll run through the above detections in the article below, but we’ll start off with the most recent Mac Malware.

XLoader

As we explain in Notorious XLoader malware now affects Macs – one of the most prevalent pieces of Windows malware has been confirmed to run on macOS.

 

Check Point security researchers claimed in July 2021 that a Mac version of the XLoader malware had been around for some time.

XLoader is a relatively new variant of the infamous Formbook, a program used to steal login credentials, record keystrokes, and download and execute files.

XcodeSpy

A Trojan hidden in Xcode projects in GitHub had the potential to spread among the Macs of iOS developers.

Once installed a malicious script runs that installs an “EggShell backdoor”. Once opened, the Mac’s microphone, camera and keyboard can be hijacked and files can be sent to the attacker.

The malware has been found in a ripped version of TabBarInteraction.

Read more here: New Mac malware targets iOS developers

Silver Sparrow

Security firm Red Canary discovered malware targeting Macs equipped with the M1 processor. The malware is dubbed Silver Sparrow, and uses the macOS Installer JavaScript API to execute commands.

At the time of writing it’s unknown to what extent Silver Sparrow poses a threat. But worryingly, according to Malwarebytes, Silver Sparrow has already infected 29,139 macOS systems in 153 countries; most of the infected Macs are in the US, UK, Canada, France and Germany. It is unclear how many of these are M1 Macs. More details here: What you need to know about Silver Sparrow Mac malware.

Pirri/GoSearch22 

There is already adware targeting the M1 Mac. Based on Pirri and known as GoSearch22 it has been specially compiled for Apple’s ARM platform. Infected Macs will see unwanted adverts. More information here: M1 Macs face first recorded malware.

Generic.Suspicious

These accounted for more than 80% of cases, but rather than being one rampant case of malware, this is Malwarebytes’ name for any detection that was deemed to be suspicious behaviour. This could be an attempt to run concealed Python or shell code, for example.

FakeFileOpener

Malwarebytes uses the name FakeFileOpener to describe apps that advertise PUPs (Potentially Unwanted Programs). These tend to be system optimizers. You might see a pop up suggesting that you don’t have software to open an app, for example, offering to help you locate such an app on the web. Or you might see a warning that you have been infected with a number of viruses inviting you to use an app such as Advanced Mac Cleaner, Mac Adware Remover or Mac Space Reviver.

ThiefQuest (aka EvilQuest)

ThiefQuest, which we discuss here: Mac ransomware ThiefQuest / EvilQuest could encrypt your Mac (Updated), was ransomware spreading on the Mac via pirated software found on a Russian torrent forum. It started appearing in June 2020. It was initially thought to be Mac ransomware, the first such case since 2017, except that it didn’t act like ransomware: it encrypted files, but there was no way to prove you had paid a ransom and no way to subsequently decrypt the files. It turned out that rather than the purpose of ThiefQuest being to extort a ransom, it was actually trying to obtain the data. Known as ‘wiper’ malware, this was the first of its kind on the Mac.

LoudMiner (aka Bird Miner)

This was a cryptocurrency miner that was distributed via a cracked installer for Ableton Live. The cryptocurrency mining software would attempt to use your Mac’s processing power to make money. It started to appear in 2019.

SearchAwesome

OSX.SearchAwesome is a kind of adware that targets macOS systems. This malware was detected in 2018 and can intercept encrypted web traffic to inject ads.

FakeAV

This is a generic name for any type of malicious software that pretends to offer antivirus for macOS.

GravityRAT

GravityRAT is an infamous Trojan on Windows, which, among other things, has been used in attacks on the military.

The GravityRAT Trojan can upload Office files, take automatic screenshots and record keyboard logs.

GravityRAT uses stolen developer certificates to bypass Gatekeeper and trick users into installing legitimate software. The Trojan is hidden in copies of various legitimate programs developed with .net, Python and Electron. We have more information about GravityRAT on the Mac here.

XCSSET malware

As of August 2020 this Mac malware is spread through Xcode projects posted on GitHub. The malware – a family of worms known as XCSSET – exploits vulnerabilities in WebKit and Data Vault.

They seek to access information via the Safari browser, including login details for Apple, Google, Paypal and Yandex services.

Other types of information collected include notes and messages sent via Skype, Telegram, QQ and WeChat. More information here.

OSX/Shlayer 

In February 2018 Mac users were being warned of a variant of adware that is infecting Macs via a fake Adobe Flash Player installer. Intego identified it as a new variant of the OSX/Shlayer malware, while it may also be referred to as Crossrider.

In the course of installation, a fake Flash Player installer dumps a copy of Advanced Mac Cleaner which tells you in Siri’s voice that it has found problems with your system.

Even after removing Advanced Mac Cleaner and removing the various components of Crossrider, Safari’s homepage setting is still locked to a Crossrider-related domain, and cannot be changed.

Malwarebytes warns: “If you see a message in your web browser telling you that Adobe Flash Player needs to be updated, it’s almost certainly a scam.” If you do need to install or update Flash visit Adobe’s website. Since 31 December 2020 Flash Player has been discontinued by Adobe and it is no longer supported, so you can be sure that if you see anything telling you to install Flash Player you should ignore it! You don’t need it because nobody is using Flash anymore.

It’s likely that you will come across the fake installer on BitTorrent sites, notes Intego.

Intego VirusBarrier detects the various apps that would be installed by the fake Flash installer. These include a Chumsearch Safari Extension, Advanced Mac Cleaner, MyShopCoupon+, mediaDownloader, and MyMacUpdater.

Unfortunately Shlayer does seem to keep re-emerging. The most recent emergence was a little worrying as it was appearing in Google search results.

Intego discovered this new Trojan had been specifically designed to circumvent macOS Catalina’s security measures because it launches an installation guide that guides the user through the steps necessary to install it.

Intego reckons that one in ten Mac computers is infected with the so-called Shlayer virus!

You can read more about this incident here.

OSX/CrescentCore

This Mac malware was found on several websites, including a comic-book-download site, in June 2019. It even showed up in Google search results. CrescentCore was disguised as a DMG file of the Adobe Flash Player installer. Before running it would check to see if it was inside a virtual machine and would look for antivirus tools. If the machine was unprotected it would install either a file called LaunchAgent, an app called Advanced Mac Cleaner, or a Safari extension.

CrescentCore was able to bypass Apple’s Gatekeeper because it had a signed developer certificate assigned by Apple. That signature was eventually revoked by Apple. But it shows that although Gatekeeper should stop malware getting through, it can be done.

Again, we note that Adobe ended support for Adobe Flash on 31 December 2020, so this should mean fewer cases of malware being disguised as the Flash Player.

OSX/Linker

OSX/Linker came to light in May 2019. It exploited a zero-day vulnerability in Gatekeeper to install malware. The “MacOS X GateKeeper Bypass” vulnerability had been reported to Apple back in February, and was disclosed by the person who discovered it on 24 May 2019 because Apple had failed to fix the vulnerability within 90 days.

OSX/Linker tried to exploit this vulnerability, but it was never really “in the wild”.

OSX/NewTab

This malware attempted to add tabs to Safari. It was also digitally signed with a registered Apple Developer ID.

NetWire and Mokes

These were described by Intego as “backdoor malware” with capabilities such as keystroke logging and screenshot taking. They were a pair of Firefox zero-days that targeted those using cryptocurrencies. They also bypassed Gatekeeper.

CookieMiner

The CookieMiner malware that could steal cybercurrency was discovered at the end of January 2019. It was able to steal a user’s password and login information for their cyberwallets from Chrome, obtain browser authentication cookies associated with cryptocurrency exchanges, and even access iTunes backups containing text messages in order to piece together the information required to bypass two-factor authentication and gain access to the victim’s cryptocurrency wallet and steal their cryptocurrency.

Unit 42, the security researchers who identified it, suggest that Mac users should clear their browser caches after logging in to financial accounts. Since it’s connected to Chrome we also recommend that Mac users choose a different browser.

Find out more about CookieMiner Mac malware here.

Mac Auto Fixer

Back in August 2018 Mac Auto Fixer caused some concern among Mac users as it started popping up on Macs. It isn’t exactly malware, rather it’s what we call a Potentially Unwanted Program, which piggybacks on to your system via bundles of other software.

Find out more about it, and how to get rid of it, in What is Mac Auto Fixer?

Mshelper

In May 2018 cryptominer app mshelper was targeting macOS. Infected users noticed their fans spinning particularly fast and their Macs running hotter than usual, an indication that a background process was hogging resources. You can expect such cryptocurrency miners to become more and more prevalent.

MaMi

In January 2018, the OSX/MaMi malware was first noticed by a Malwarebytes forum user and reported by Hacker News.

In this case the malware routes all the traffic through malicious servers (those addresses), and that’s when it can intercept sensitive information.

The program installs a new root certificate to intercept encrypted communications, according to Former NSA hacker Patrick Wardle. Wardle says: “Attackers can perform a variety of nefarious actions such as man-in-the-middleing traffic.”

It can also take screenshots, generate mouse events, execute commands, and download and upload files, according to BGR.

Dok

Security analysis firm CheckPoint Software Technologies spotted a new OS X malware at the end of April 2017. Apple rushed to block it.  

The macOS Trojan horse appeared to be able to bypass Apple’s protections and could hijack all traffic entering and leaving a Mac without a user’s knowledge – even traffic on SSL-TLS encrypted connections.

OSX/Dok was even signed with a valid developer certificate (authenticated by Apple) according to CheckPoint’s blog post. It is likely that the hackers accessed a legitimate developer’s account and used that certificate. Because the malware had a certificate, macOS’s Gatekeeper would have recognized the app as legitimate, and therefore not prevented its execution. Apple has since revoked that developer certificate and updated XProtect, its malware signature system.

The attacker could gain access to all victim communication by redirecting traffic through a malicious proxy server; there’s more information about how the attack worked here.

OSX/Dok was targeting OS X users via an email phishing campaign. The best way to avoid falling foul to such an attempt in the future is not to respond to emails that require you to enter a password or install anything.

X-agent

Back in February 2017 X-agent malware was discovered that was capable of stealing passwords, taking screenshots and grabbing iPhone backups stored on your Mac.

The malware apparently targeted members of the Ukrainian military and was thought to be the work of the APT28 cybercrime group, according to Bitdefender.

MacDownloader

In February 2017 researchers found the MacDownloader software lurking in a fake update to Adobe Flash (which as we said above has now been discontinued). When the installer is run you’ll get an alert claiming that there is adware on your Mac.

You’ll be asked to click to “remove” the adware, and when you enter your password on your Mac the MacDownloader malware will attempt to transmit data including your Keychain (so that’s your usernames, passwords, PINs, credit card numbers) to a remote server.

Luckily the threat seems to be contained for now: the remote server that the malware tries to connect to is now offline.

The best way to avoid such attacks is to always check on Adobe’s site to see if there is an update to Flash you should be installing.

The MacDownloader malware is thought to have been created by Iranian hackers and was specifically targeted at the US defence industry. It was located on a fake site designed to target the US defence industry (so likely not yourself). In this case the phishing attempt would have been activated via a Flash file, and since Apple has stopped Flash opening by default, again this is unlikely to have affected you.

Fruitfly

According to a report in January 2017, Fruitfly malware had been conducting surveillance on targeted networks for possibly two years.

The malware captures screenshots and webcam images, as well as looking for information about the devices connected to the same network – and then connects to them.

Malwarebytes claims the malware could have been circulating since OS X Yosemite was released in 2014.

Pirrit

Back in April 2016 OSX/Pirrit was apparently hidden in cracked versions of Microsoft Office or Adobe Photoshop found online. It would gain root privileges and create a new account in order to install more software, according to Cybereason researcher Amit Serper in this report.

KeRanger

KeRanger is still appearing on Macs despite the fact that it is extinct – Malwarebytes notes that the malware is no longer capable of encrypting files. Malwarebytes theorises that the only reason it’s still popping up is that a handful of people are testing to see if it is still detected.

KeRanger is ransomware. Ransomware is, in general, a sub-category of malware that involves dodgy software sneaking itself on to your computer and then encrypting files against your wishes. You’ll then be left with two apparent options: never be able to access those files again, or pay the ‘ransom’ to decrypt them. (We discuss how to remove Ransomware here.)

For a long time ransomware was a problem that Mac owners didn’t have to worry about, but March 2016 saw the appearance of the first ever piece of Mac ransomware – KeRanger – distributed along with a version of a piece of legitimate software: the Transmission torrent client.

Transmission has since updated to remove this malware, and Apple revoked the GateKeeper signature and updated its XProtect system, but not before a number of unlucky users got stung.

Palo Alto Network’s Claud Xiao and Jin Chen explain how KeRanger works: “The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple’s Gatekeeper protection. If a user installs the infected apps, an embedded executable file is run on the system. KeRanger then waits for three days before connecting with command and control (C2) servers over the Tor anonymizer network. The malware then begins encrypting certain types of document and data files on the system. After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files. Additionally, KeRanger appears to be still under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their backup data.

“Palo Alto Networks reported the ransomware issue to the Transmission Project and to Apple on March 4. Apple has since revoked the abused certificate and updated XProtect antivirus signature, and Transmission Project has removed the malicious installers from its website. Palo Alto Networks has also updated URL filtering and Threat Prevention to stop KeRanger from impacting systems.”

How to remove or avoid Mac malware: Update Transmission to avoid KeRanger ransomware on OS X

Safari-get

In November 2016 security company Malwarebytes started documenting Mac-targeted denial-of-service attacks originating from a fake tech support website.

Like many Mac-targeted attacks, it depends on ‘social engineering’ or user error: you click a link in an email, and the malware is smuggled on to your Mac. This then triggers the attack.

There are two versions of the attack; the one you get depends on your version of macOS. Either Mail is hijacked and forced to create vast numbers of draft emails, or iTunes is forced to open multiple times. Either way, the end goal is to overload system memory and force a shutdown or system freeze.


(In fact, the real end goal is to get you to call a bogus Apple support number, whereupon you will presumably get charged to hear a fake solution by the people who caused the problem in the first place.)

You can avoid this issue, fortunately, by updating macOS: Malwarebytes suspects that Sierra 10.12.2 includes a patch for this, since up-to-date machines were not affected by the problem in testing.

SSL , Gotofail error

This caused issues for Mac users back in 2014. The problem was with Apple’s implementation of a basic encryption feature that shields data from snooping. Most websites handling sensitive personal data use SSL (Secure Sockets Layer) or TLS (Transport Layer Security), which establishes an encrypted connection between a server and a person’s computer so that snoopers cannot read the traffic and extract information like credit card numbers or log-in credentials. If an attacker intercepts the data, it is unreadable.

However, Apple’s validation of SSL encryption had a coding error that bypassed a key validation step in the web protocol for secure communications. There was an extra Goto command that hadn’t been closed properly in the code that validated SSL certificates, and as a result, communications sent over unsecured Wi-Fi hotspots could be intercepted and read while unencrypted. This could potentially expose user password, bank data, and other sensitive data to hackers via man-in-the-middle attacks. Criminals could also supply fake data that makes it appear an authentic web service has been cryptographically verified.

These kinds of attacks are known as man-in-the-middle attacks: a form of eavesdropping in which a hacker makes an independent connection between a client and its destination server. The hacker is then able to relay messages between them, making the client and server believe they are talking to each other over a private connection.

In order for this type of attack to be possible, the attacker would have to be on the same public network.

Apple quickly issued an update to iOS 7 and iOS 6, but took longer to issue an update for Mac OS X, despite Apple confirming that the same SSL/TLS security flaw was also present in OS X. Read more about the iPad and iPhone security flaw here.

Apple said it had a fix ready for OS X and would release it “very soon”. The fix came late the following night.

Mac Vulnerabilities

Not every Mac vulnerability is exposed, but it is these vulnerabilities that criminals use to hack Macs. Here we’ll run through some particularly concerning cases:

Meltdown & Spectre

In January 2018 Apple confirmed that Macs, iPhones and iPads were affected by flaws in Intel chips.

Apple was one of a number of tech companies affected. The company highlighted that: “These issues apply to all modern processors and affect nearly all computing devices and operating systems.”

The Meltdown and Spectre bugs could allow hackers to steal data. Meltdown would involve a “rogue data cache load” and can enable a user process to read kernel memory, according to Apple’s brief on the subject.

Spectre could be either a “bounds check bypass,” or “branch target injection” according to Apple. It could potentially make items in kernel memory available to user processes. They can be potentially exploited in JavaScript running in a web browser, according to Apple.

Apple issued patches to mitigate the Meltdown flaw, despite saying that there is no evidence that either vulnerability had been exploited.

Apple advises that the best way to protect yourself from these vulnerabilities is to only download and install apps from trusted sources. The company states: “Exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store.”

Zoom vulnerability

Zoom is a video conferencing app and in June it was revealed that it was possible for users to be added to video calls without permission and the Mac webcam activated.

This was also a “zero-day” threat, where the vulnerability had been discovered in advance, and the developer who made the software notified, but after failing to act within the allotted 90 days, the vulnerability was publicised.

According to Zoom the vulnerability was theoretical. However, it could have led to those people who used the Zoom platform for video conferencing (which includes a fair few companies as you’ll see from the post below) having their webcam accessed.

Following the public disclosure of the vulnerability both Zoom and Apple addressed the vulnerability. Read about How to stop people from accessing your MacBook webcam here.

Word macro viruses

PC users have had to contend with macro viruses for a long time. Applications such as Microsoft Word, Excel, and PowerPoint allow macro programs to be embedded in documents. When these documents are opened the macros are run automatically, which can cause problems.

Mac versions of these programs haven’t had an issue with malware concealed in macros because when Apple released Office for Mac 2008 it removed macro support. However, the 2011 version of Office reintroduced macros, and in February 2017 there was malware discovered in a Word macro within a Word doc about Trump.

If the file is opened with macros enabled (which doesn’t happen by default), it will attempt to run Python code that could theoretically perform functions such as keylogging and taking screenshots. It could even access a webcam. The chance of you being infected in this way is very small, unless you have received and opened the file referred to (which would surprise us), but the point is that Mac users have been targeted in this way.

Mac users should still be fairly safe from macros thanks to a warning that appears on the screen should a user attempt to open a document containing macros.

For more information about how Apple protects your Mac from security vulnerabilities and malware read: Do Macs need antivirus software.

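The Gotofail section of the pasted article describes the bug only in prose. The C program below is an added illustration, not code from the article and not Apple's Secure Transport source: it keeps the control-flow shape of the real bug (a duplicated unconditional `goto fail;` that turns the signature check into dead code) but the hash and signature steps are replaced by flag-driven stand-ins, and the function and error names are hypothetical.

```c
#include <stdio.h>

/* Model of the 2014 "goto fail" bug in Apple's SSL certificate validation.
 * Added illustration; not Apple's code. The real routine chained several
 * hash-update calls before a signature check; here each step is a stand-in
 * driven by a flag so the control flow can be exercised offline.
 * Return codes are hypothetical, not Secure Transport's real OSStatus values. */
enum { VERIFY_OK = 0, ERR_HASH = -1, ERR_BAD_SIGNATURE = -2 };

/* Stand-in for a hash update step: fails when asked to. */
static int update_hash(int fail)
{
    return fail ? ERR_HASH : VERIFY_OK;
}

/* Stand-in for the final signature verification over the hashed data. */
static int verify_signature(int signature_is_valid)
{
    return signature_is_valid ? VERIFY_OK : ERR_BAD_SIGNATURE;
}

/* Buggy shape. The second "goto fail;" has no "if" guarding it, so it runs
 * unconditionally: the signature check below it is dead code, and err still
 * holds VERIFY_OK from the last successful hash update, so a forged
 * signature is reported as valid. */
int verify_server_key_exchange_buggy(int hash_fails, int signature_is_valid)
{
    int err;

    if ((err = update_hash(0)) != VERIFY_OK)
        goto fail;
    if ((err = update_hash(hash_fails)) != VERIFY_OK)
        goto fail;
        goto fail;   /* duplicated line; the indentation hides that it is unconditional */
    if ((err = verify_signature(signature_is_valid)) != VERIFY_OK)
        goto fail;

fail:
    return err;
}

/* Fixed shape: one goto per check, braces make the flow explicit, and the
 * signature check is always reached when hashing succeeded. */
int verify_server_key_exchange_fixed(int hash_fails, int signature_is_valid)
{
    int err;

    if ((err = update_hash(0)) != VERIFY_OK) {
        goto fail;
    }
    if ((err = update_hash(hash_fails)) != VERIFY_OK) {
        goto fail;
    }
    if ((err = verify_signature(signature_is_valid)) != VERIFY_OK) {
        goto fail;
    }

fail:
    return err;
}

int main(void)
{
    /* Healthy hashing, bad signature: the buggy version still returns VERIFY_OK. */
    printf("buggy, bad signature:  %d\n", verify_server_key_exchange_buggy(0, 0));
    printf("fixed, bad signature:  %d\n", verify_server_key_exchange_fixed(0, 0));
    printf("fixed, good signature: %d\n", verify_server_key_exchange_fixed(0, 1));
    return 0;
}
```

The defensive lesson is in the second function: brace every `if` body, and build with GCC's `-Wmisleading-indentation` (part of `-Wall` since GCC 6), which flags exactly this pattern of a statement indented as though it were guarded by the preceding `if`.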

I have similar requirements to @Adsibob and will likely follow @JonJump advice and fit an unmanaged switch in front of my router with 2 decent ceiling mounted wireless access points.

 

Currently looking at switch options and it seems that most 19" rack mounted POE options are all managed. Is that the case?

I'm looking for 24 port total but only really need a handful POE.

 

Currently have all 16x cat6 terminated and patched ready for the next step..

 

 



I really need to just get on and buy this. Anybody recommend any good websites that have a good idiot proof guide to the ubiquiti kit? Still struggling to find the right switch. 


The confusion prevails. Was about to purchase two ubiquiti in wall APs, as recommended by @Nickfromwales , and a switch and on the ubiquiti website I come across the below  infographic which suggests I also need a “Unifi OS Console”. Do I and if so what the hell is it and why are the others on here managing without one?

 



8 hours ago, Adsibob said:

Do your concerns about malware apply to the Apple family of devices? I find that they are pretty immune to these kinds of threats, although I might be blissfully ignorant of the truth.

 

Yes, broadly, although it is probably less prevalent than on Android etc due to the Apple app store review process. However it's not infallible.

 

Third-party apps is one major route of compromise but another big one is older devices that have not been patched with more recent security updates. Apple's very hard cutoff for supported device/software versions can be an issue there as there will be people (e.g. older relatives) with old devices that appear to be working fine, say "this is up to date" when you check for updates, but in fact have not been patched for years. It's quite common that exploits rely on vulnerabilities that have been widely deployed but only semi-recently discovered.

 

To be honest though in a normal home network I would probably worry more about security of "internet of things" devices (some of which are woefully bad out of the box) more than a visitor's phone of any brand.

 

Edited by andyscotland

On 25/06/2022 at 16:59, Thorfun said:

@Adsibob. have you thought about guests? the managed switches give you the ability to configure a guest wifi VLAN so that when people come to visit you don't have to give your private network wifi password and give them a guest password that you can then easily limit bandwidth for and it also keeps them separate from your private network for security.

 

it's little things like that that are often overlooked when going for the cheaper/simpler options.

 

Really? My 10yr old  cheapo pos netgear wifi router  had very reasonable support for a guest SSID with isolated networks.

Google/Nest Wifi certainly does support this; I struggle to imagine any contemporary mesh wouldn't support this??

 

https://kb.netgear.com/31579/How-do-I-set-up-a-guest-network-on-my-Orbi-WiFi-System

https://www.tp-link.com/us/support/faq/1460/

 

The benefit of doing this in a managed switch is you can have guest VLANs even on the wired network, and then use 802.1X authentication on trusted devices, and any rogue unauthenticated device that is plugged into an RJ45 gets dumped onto an isolated guest VLAN. But honestly life is too short to be messing about with machine certificates on a home network; anyone that is doing this, more power to you.

Edited by joth
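One way to implement what the post above describes on a managed switch. This is a constructed Cisco IOS configuration added here as an illustration; it is not from the thread or from any vendor's documentation, and it assumes a RADIUS server at 192.0.2.10 with a placeholder shared secret, VLAN 10 as the trusted VLAN, VLAN 20 as the isolated guest VLAN, and port GigabitEthernet1/0/5 as the wall socket.

```text
! Constructed example (not from the thread): 802.1X with guest-VLAN fallback
! on a Cisco IOS access switch. Assumptions: RADIUS at 192.0.2.10 with a
! placeholder secret, VLAN 10 = trusted, VLAN 20 = isolated guest, port Gi1/0/5.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
radius server HOME-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <REPLACE-WITH-SHARED-SECRET>
!
vlan 10
 name TRUSTED
vlan 20
 name GUEST
!
! VLAN 20 must have no route to VLAN 10: keep it in its own firewall zone
! on the router with Internet-only access, as you would a guest SSID.
!
interface GigabitEthernet1/0/5
 description wall port - 802.1X with guest fallback
 switchport mode access
 switchport access vlan 10
 ! Require every connected device to attempt 802.1X
 authentication port-control auto
 dot1x pae authenticator
 ! No supplicant answers (IoT hub, visitor's laptop): park it on the guest VLAN
 authentication event no-response action authorize vlan 20
 ! Supplicant present but certificate/credentials rejected: guest VLAN as well
 authentication event fail action authorize vlan 20
 ! Give up on EAP quickly so non-802.1X devices get a DHCP lease without a long wait
 dot1x timeout tx-period 5
 dot1x max-reauth-req 2
 spanning-tree portfast
```

The RADIUS side (EAP-TLS machine certificates or user credentials for the trusted devices) is the part the post calls "messing about with machine certificates"; without it, every port simply lands on VLAN 20, which is still a safe default.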

14 hours ago, Adsibob said:

The confusion prevails. Was about to purchase two Ubiquiti in-wall APs, as recommended by @Nickfromwales, and a switch, and on the Ubiquiti website I come across the below infographic which suggests I also need a “UniFi OS Console”. Do I, and if so what the hell is it and why are the others on here managing without one?

 


 

Why do you need an expensive Ubiquiti switch? I would've thought a cheaper unmanaged alternative would suffice and then add the Ubiquiti WAPs.


52 minutes ago, willbish said:

 

Why do you need an expensive Ubiquiti switch? I would've thought a cheaper unmanaged alternative would suffice and then add the Ubiquiti WAPs.

I thought that if I'm forking out £350 for two market-leading APs it makes sense to get a decent switch from the same manufacturer. Won't that assist with managing it all from the Ubiquiti app, or is that not required for compatibility with the app?

I have no real idea about any of this. Way over my head.


3 minutes ago, Adsibob said:

I thought that if I'm forking out £350 for two market-leading APs it makes sense to get a decent switch from the same manufacturer. Won't that assist with managing it all from the Ubiquiti app, or is that not required for compatibility with the app?

I have no real idea about any of this. Way over my head.

 

in for a penny, in for a pound 🙂

I do understand your logic. I know some people like to use the UniFi Wifi APs without buying into any more of their kit, but it is an ecosystem, so if you're happy to use some of it I agree that for me it makes things cleaner and easier to use all their gear for all of it. You get some small benefits like seeing power usage and being able to force reboot (PoE power-cycle) the APs all from within the same management UI (plus easily mapping SSIDs to VLANs, if you get into that).

 

You can install and run the UniFi OS management console on a laptop (see "UniFi Network Application" on https://www.ui.com/download-software/), but it's best if you run it on an "always on" machine of some sort, a server or such like.

 

What firewall/router are you planning on using? Would you like that integrated into the UniFi management console too?

If so, look at the Dream Machine:

https://eu.store.ui.com/products/unifi-dream-machine

https://eu.store.ui.com/products/udm-pro

 

Unfortunately they don't have a PoE switch built in, so you'd still need to add that, and of course the wifi APs.

 


9 minutes ago, joth said:

So there you go.

 

Buy:

1x UDM-SE-EU

2x U6-Lite (or other AP of your choice)

 

 

Job done.

 

"in for a penny, in for a few hundred pounds"

That is a very expensive setup and not one I can afford unfortunately, particularly when an unmanaged solution would probably solve all my problems much, much more cheaply, e.g.: https://www.broadbandbuyer.com/products/41041-tp-link-tl-sf1009p/

 

I say probably because I haven't really given much thought to the PoE budget yet.

 

At present, I plan on using PoE to power the following:

 

  1. Tado hub (using this Active PoE Splitter I mentioned previously: https://amzn.eu/d/hpNsulI)
  2. Philips Hue hub (not sure if they do or will do a PoE version, but if not I will use a splitter)
  3. Ring PoE camera
  4. Velux Netatmo hub (not sure if they do or will do a PoE version, but if not I will use a splitter)
  5. First AP
  6. Second AP
  7. Third AP (if necessary - I'm hoping two will suffice, but who knows until it's actually installed)
  8. Connection to a further switch for non-PoE devices

So 8 PoE sockets should suffice but there is little room for future proofing if I think of something else. Having said that, I'm not planning on laying any more cable so there isn't much more I could install without making the house really ugly with trunking.

 

How did you choose the number of PoE ports? Is it possible to add additional ports by adding switches later down the line (as I'm provisioning with item 8 on my list above)? This would be for everything that needs ethernet but no power, so two PCs, two TVs and a printer.

 


45 minutes ago, Adsibob said:

That is a very expensive setup and not one I can afford unfortunately, particularly when an unmanaged solution would probably solve all my problems much, much more cheaply, e.g.: https://www.broadbandbuyer.com/products/41041-tp-link-tl-sf1009p/

 

I say probably because I haven't really given much thought to the PoE budget yet.

 

At present, I plan on using PoE to power the following:

 

  1. Tado hub (using this Active PoE Splitter I mentioned previously: https://amzn.eu/d/hpNsulI)
  2. Philips Hue hub (not sure if they do or will do a PoE version, but if not I will use a splitter)
  3. Ring PoE camera
  4. Velux Netatmo hub (not sure if they do or will do a PoE version, but if not I will use a splitter)
  5. First AP
  6. Second AP
  7. Third AP (if necessary - I'm hoping two will suffice, but who knows until it's actually installed)
  8. Connection to a further switch for non-PoE devices

So 8 PoE sockets should suffice but there is little room for future proofing if I think of something else. Having said that, I'm not planning on laying any more cable so there isn't much more I could install without making the house really ugly with trunking.

 

How did you choose the number of PoE ports? Is it possible to add additional ports by adding switches later down the line (as I'm provisioning with item 8 on my list above)? This would be for everything that needs ethernet but no power, so two PCs, two TVs and a printer.

 

Just buy a PoE switch, then chain them together if you need more.

 

 


1 hour ago, Adsibob said:

That is a very expensive setup and not one I can afford unfortunately, particularly when an unmanaged solution would probably solve all my problems much, much more cheaply, e.g.: https://www.broadbandbuyer.com/products/41041-tp-link-tl-sf1009p/

 

I say probably because I haven't really given much thought to the PoE budget yet.

 

At present, I plan on using PoE to power the following:

 

  1. Tado hub (using this Active PoE Splitter I mentioned previously: https://amzn.eu/d/hpNsulI)
  2. Philips Hue hub (not sure if they do or will do a PoE version, but if not I will use a splitter)
  3. Ring PoE camera
  4. Velux Netatmo hub (not sure if they do or will do a PoE version, but if not I will use a splitter)
  5. First AP
  6. Second AP
  7. Third AP (if necessary - I'm hoping two will suffice, but who knows until it's actually installed)
  8. Connection to a further switch for non-PoE devices

So 8 PoE sockets should suffice but there is little room for future proofing if I think of something else. Having said that, I'm not planning on laying any more cable so there isn't much more I could install without making the house really ugly with trunking.

 

How did you choose the number of PoE ports? Is it possible to add additional ports by adding switches later down the line (as I'm provisioning with item 8 on my list above)? This would be for everything that needs ethernet but no power, so two PCs, two TVs and a printer.

 

If you really want cheap, buy an old Cisco PoE switch off eBay (I have one lying around). Works fine, but even after changing the 7 fans it is too noisy. Those Netgear ones are fanless 🙄. You can have my PoE switches if you want (you can pay postage); think I’ve got 2. So they are big and a bit noisy.


1 hour ago, Adsibob said:

That is a very expensive setup and not one I can afford unfortunately, particularly when an unmanaged solution would probably solve all my problems much, much more cheaply, e.g.: https://www.broadbandbuyer.com/products/41041-tp-link-tl-sf1009p/

That doesn't solve all your needs, as you still need a way to run the UniFi OS Console, and (presumably?) you still need a router/firewall/gateway of some sort?

 

Yes, you can add more PoE ports at a later date by adding another switch.

 

I don't know that I'd bother getting a managed UniFi switch unless going all in with their ecosystem (so router gateway and OS console).

 

 


3 hours ago, joth said:

That doesn't solve all your needs, as you still need a way to run the UniFi OS Console, and (presumably?) you still need a router/firewall/gateway of some sort?

 

...

 

I don't know that I'd bother getting a managed UniFi switch unless going all in with their ecosystem (so router gateway and OS console).

 

 

Really grateful for everyone's continued help with this, though I'm still confused and I'm not sure if that's because of earlier contradictory responses from others or just my general cluelessness.

 

On 14/02/2022 at 22:47, Nickfromwales said:
On 14/02/2022 at 20:17, Dreadnaught said:

No you don't actually need a cloud key. You can set up the APs using a laptop, or even a smart phone and the app, and then leave them alone to do their thing. A Cloud Key is useful for remote monitoring of network performance, but who does that remotely in a domestic situation (only for professionals handling multiple sites and complicated setups, etc).

Agreed, sorry. The cloud key is for access by 3rd party and my IT guy did indeed set everything up on his laptop. 

 

So are you @joth saying something different to what @Nickfromwales and @Dreadnaught were saying? After seeing the cost of the Dream Machine, I figured I would set my Virgin "Superhub" router to have no wifi at all and just act as a wired router, and then link that to a switch and then link those switches to the APs and everything else.

 

I haven't bought the Ring PoE camera yet, but have already bought into their doorbell and so thought it made sense to get their camera instead of a Hikvision one, for example, as that way the Ring cameras (the doorbell one and the PoE one) would be on the same software. I knew that meant paying Ring a hefty sub each year, but I figured that would be cheaper and more future proof than going down the NVR route. With no requirement for an NVR the Dream Machine becomes really an unnecessary luxury. But maybe I'm missing something here.

 

Edited by Adsibob

Don't want to add to your angst, but depending on how many ports you need it looks like you might be able to get a single box to do all the switching / managing etc. I think TP-LINK have the OMADA SDN built into their larger switches. E.g. this one @ £205+VAT, although I may have read that wrong! Seems like a sensible integration anyway.

 

https://www.broadbandbuyer.com/products/40617-tp-link-tl-sg2428p/specifications/#content

 


1 hour ago, MikeSharp01 said:

Don't want to add to your angst, but depending on how many ports you need it looks like you might be able to get a single box to do all the switching / managing etc. I think TP-LINK have the OMADA SDN built into their larger switches. E.g. this one @ £205+VAT, although I may have read that wrong! Seems like a sensible integration anyway.

 

https://www.broadbandbuyer.com/products/40617-tp-link-tl-sg2428p/specifications/#content

 

Thanks @MikeSharp01. Unfortunately, despite being quite geeky some 26 years ago, I'm about 25 years out of date on this stuff and it is all rather beyond me. This does sound like it could solve some problems I didn't know I had until I read people's responses to my various posts on this thread, but it also sounds like it could create some other problems: e.g. if it has two fans and the ability to produce up to 1052.94 BTU/h in heat, I'm guessing it's a little noisy! As this will be sited in a cabinet in the corner of our playroom-by-day-tv-room-by-night I don't want something too noisy. @pocster's fan-less setup sounds much more appealing. I think I need to decide to what extent I want/need all the security features and customisations available with a managed switch before taking my research any further forward. I do need to decide in the next two weeks though, as Prime day is just around the corner and I'm hoping some of this stuff will go on sale.


On 13/02/2022 at 17:21, Nickfromwales said:

@Adsibob

If you want simple and robust, and you don’t want to sacrifice any of the installed CAT6 points, the plug n play Ubiquiti wall-mounted APs will create local WAP connectivity AND provide you with a LAN connection with data throughput in one device.
Some have one port, others are mini routers (juiced up by you installing a PoE injector upstream), so mega flexible in one small wall-mounted device which gets its power remotely.
 

 



 

 

This looks too good to be true. Does it spread the wifi magic in all directions (including behind the wall you install it in) or will it only travel away from the wall?
