Hello,
I’ve been excited to get the Bitdefender BOX to do more on the home network, but I feel I have to shoot myself in the foot and strip down all network settings to even try to incorporate the BOX.
The BOX is a product with a lot of potential, but the over-simplified interface/options have stripped out too many of the network configuration, logging and filtering functions that are needed.
Here are a few issues, scenarios and fixes:
(Please note, I've had to split this into separate posts since there is a character limit per post)
1> Bitdefender BOX in-line scanning:
Issue: There needs to be the ability to configure the BOX to be an in-line appliance that can sit between an existing firewall and the rest of the network (EX: internet <—> (modem) <—> firewall <—> BOX <—> network <—> devices). This needs to be done without forcing DHCP changes or disabling any functionality by placing devices into bridged mode. As part of this issue, it must be able to support 802.1Q and 802.1ad to scan any/all packets, tagged or not. It should also scan through GRE and L2TP. It should NOT limit scanning to any IP range. Right now, it seems we’re forced to use the one /24 range the BOX’s DHCP delivers. The short version of everything I’m saying here is that the BOX should be able to scan ALL packets passing through it no matter what protocols, subnets, etc. are being used on the network.
Scenario: Any person who has invested in a network that has more functionality/capability than that which the BOX offers should not be required to hinder or completely dismantle their network in an effort to ‘protect it better’. The BOX is EXTREMELY limited in its networking functionality and the horsepower of its hardware (the price point would otherwise suffer). Although it is a great product for those with little-to-no networking knowledge who want an all-in-one simplified solution, there are a large number of people out there who have enough know-how to leverage their networking equipment beyond just the basics. There are others who have, or are themselves, the family IT guru who sets up/configures their network to be more secure and robust. The BOX should be something that leverages the power of Bitdefender’s security with parental control functions, but that can be a silent partner on an existing network.

As part of this scenario, let’s consider a networking setup that has ( internet <—> (modem) <—> firewall <—> switch <—> APs ). This network has existing SSIDs already configured on a couple of meshed APs for better home coverage. There is also an SSID with an existing Guest network. The Guest network is isolated and VLANed or tunnelled back to the firewall so there is no cross-device communication. Beyond that, on the switch there is a home security/surveillance VLAN that isolates cameras to the NVR. Of course, both VLANs have unique subnets. Another item on the network is a SIP/VoIP connection. Configurations with L2 QoS/CoS and L3 QoS (*cough*) are in place with proper port-forwarding (please keep in mind, these settings are available in many consumer-grade devices such as the Netgear Nighthawk).

Now, if someone were looking at purchasing a BOX, the majority of this setup becomes NULL when trying to implement it into the home network. A network teardown is needed and/or some serious re-jigging; nothing will be the same. It will also be restricted and limited to the BOX hardware and config abilities.
Fix: To overcome its initial limitation, there is a need to augment the BOX’s abilities to scan packets without IP, protocol or other restrictions. Then, there should be a way to configure the BOX to be an in-line device that is not disruptive to the existing network setup in any way other than protecting the traffic that flows through it.
Now, there would need to be an option to enable this and to potentially save BOX resources.
First, give the ability to switch the BOX itself to bridge mode. This would leave the BOX able to focus on protection (AV, packet inspection, IDS/IPS, etc.), parental control and nothing else. For novice users, hide this in an advanced tab and give a clear warning of what the implications are.
When in bridged mode, resources would be saved by disabling all functions in the BOX that the primary firewall would already be doing (NAT, routing, firewall, DHCP, VLAN tagging, etc.). It would allow those resources to focus solely on protection (AV, packet inspection, IDS/IPS, etc.) and parental control.
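As an added example that is not part of this post or of Bitdefender's BOX firmware: the in-line scanning point above (VLAN-tagged and QinQ frames and tunnelled traffic must be decoded, and scanning must not be limited to one /24) can be shown with a small Python decoder. It peels 802.1Q and 802.1ad tags and GRE headers to reach the inner IPv4 header, then compares how many of a set of constructed sample frames (an untagged LAN client, a guest VLAN, a QinQ camera VLAN, CoS-5 tagged VoIP, and a GRE tunnel) a tag-blind inspector bound to 192.168.1.0/24 would see against a tag-aware one. The frame builders, MAC and IP addresses and VLAN IDs are all constructed for the example; L2TP is not decoded here, and the decoder stops at the IPv4 header rather than inspecting payloads.

```python
"""Added example: decode Ethernet -> 802.1ad/802.1Q tags -> IPv4 -> GRE -> IPv4 so an
in-line inspector sees every packet, then compare with a tag-blind, single-/24 inspector.
Standard library only; every frame below is constructed test data, not captured traffic."""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100  # 802.1Q C-tag
ETHERTYPE_QINQ = 0x88A8  # 802.1ad S-tag (QinQ outer tag)
IPPROTO_GRE = 47


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    vlans: List[int] = field(default_factory=list)  # VLAN IDs, outer to inner
    encap: List[str] = field(default_factory=list)  # tunnel layers peeled, e.g. ["gre"]


def _parse_ipv4(buf: bytes, off: int) -> Optional[Tuple[int, int, str, str]]:
    """Return (header_len, proto, src, dst) for the IPv4 header at buf[off:], or None."""
    if len(buf) < off + 20:
        return None
    vihl, _, _, _, _, _, proto, _ = struct.unpack_from("!BBHHHBBH", buf, off)
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(buf) < off + ihl:
        return None
    src = str(ipaddress.IPv4Address(buf[off + 12:off + 16]))
    dst = str(ipaddress.IPv4Address(buf[off + 16:off + 20]))
    return ihl, proto, src, dst


def decode_frame(frame: bytes, max_gre_depth: int = 2) -> Optional[Flow]:
    """Tag-aware decode: strip any number of VLAN tags, then up to max_gre_depth GRE layers."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    off, vlans = 14, []
    while ethertype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):  # QinQ: S-tag, then C-tag
        if len(frame) < off + 4:
            return None
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID (PCP is bits 13-15)
        off += 4
    if ethertype != ETHERTYPE_IPV4:
        return None  # ARP, IPv6 etc. are outside this example
    encap: List[str] = []
    while True:
        hdr = _parse_ipv4(frame, off)
        if hdr is None:
            return None
        ihl, proto, src, dst = hdr
        if proto != IPPROTO_GRE or len(encap) >= max_gre_depth:
            return Flow(src, dst, proto, vlans, encap)
        goff = off + ihl
        if len(frame) < goff + 4:
            return None
        flags, ptype = struct.unpack_from("!HH", frame, goff)
        # RFC 2784/2890 GRE: 4-byte base header plus optional checksum, key and sequence words
        glen = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
        if ptype != ETHERTYPE_IPV4:
            return Flow(src, dst, proto, vlans, encap + ["gre"])  # report the tunnel endpoints
        encap.append("gre")
        off = goff + glen


def naive_sees(frame: bytes, scope: ipaddress.IPv4Network) -> bool:
    """Tag-blind inspector limited to untagged frames touching one DHCP /24 (the complaint above)."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return False
    hdr = _parse_ipv4(frame, 14)
    return hdr is not None and any(ipaddress.IPv4Address(a) in scope for a in hdr[2:])


def coverage(frames, scope_cidr: str = "192.168.1.0/24") -> dict:
    frames, scope = list(frames), ipaddress.IPv4Network(scope_cidr)
    return {"naive": sum(naive_sees(f, scope) for f in frames),
            "tag_aware": sum(decode_frame(f) is not None for f in frames)}


# --- constructed sample frames (hypothetical addresses and VLAN IDs) ----------------------
def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload


def build_frame(ip_packet: bytes, vlans: Tuple[int, ...] = (), pcp: int = 0) -> bytes:
    """Ethernet header plus optional tags; with two tags the outer one is an 802.1ad S-tag."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")  # locally administered MACs
    tags = b"".join(struct.pack("!HH", ETHERTYPE_QINQ if (len(vlans) > 1 and i == 0) else ETHERTYPE_VLAN,
                                (pcp << 13) | vid) for i, vid in enumerate(vlans))
    return eth + tags + struct.pack("!H", ETHERTYPE_IPV4) + ip_packet


PAD = b"\x00" * 8
SAMPLE_FRAMES = [
    build_frame(build_ipv4("192.168.1.10", "93.184.216.34", 6, PAD)),                     # untagged LAN client
    build_frame(build_ipv4("10.0.20.5", "10.0.20.1", 17, PAD), vlans=(20,)),              # guest SSID VLAN
    build_frame(build_ipv4("10.0.30.7", "10.0.30.2", 6, PAD), vlans=(100, 30)),           # QinQ camera VLAN
    build_frame(build_ipv4("192.168.1.20", "203.0.113.9", 17, PAD), vlans=(40,), pcp=5),  # VoIP, CoS 5
    build_frame(build_ipv4("198.51.100.1", "198.51.100.2", IPPROTO_GRE,                   # GRE tunnel
                           struct.pack("!HH", 0, ETHERTYPE_IPV4) + build_ipv4("172.16.0.5", "172.16.0.9", 6, PAD))),
]

if __name__ == "__main__":
    print(coverage(SAMPLE_FRAMES))  # {'naive': 1, 'tag_aware': 5}
    for f in SAMPLE_FRAMES:
        print(decode_frame(f))
```

The tag-blind inspector sees only the one untagged frame in its /24; the tag-aware decode reaches all five, including the host pair inside the GRE tunnel. Bridging a real appliance would still need the same treatment for L2TP and for IPv6, which this example leaves out.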