I’ve been excited to get the Bitdefender BOX to do more on the home network, but I feel I have to shoot myself in the foot and strip down all network settings to even try to incorporate the BOX.

The BOX is a product with a lot of potential, but the over-simplified interface/options has stripped out too many network configurations, logging and filtering functions that are needed.

Here are a few issues, scenarios and fixes:

1> Bitdefender BOX in-line scanning:

Issue: There needs to be the ability to configure the BOX to be an in-line appliance that can sit between an existing firewall and the rest of the network (EX: internet <—> (modem) <—> firewall <—> BOX <—> network <—> devices). This needs to be done without forcing DHCP changes or disabling any functionality by placing devices into bridged mode. As part of this issue, it must be able to support 802.1q and 802.1ad to scan any/all packets, tagged or not. It should also scan through GRE and L2TP. It should NOT limit scanning to any IP range. Right now, it seems we’re forced to use the one /24 range the BOX’s DHCP delivers. The short version of everything I’m saying here is that the BOX should be able to scan ALL packets passing through it no matter what protocols, subnets, etc. are being used on the network.

Scenario: Any person who has invested in a network that has more functionality/capability than that which the BOX offers should not be required to hinder or completely dismantle their network in an effort to ‘protect it better’. The BOX is EXTREMELY limited in its networking functionality and the horsepower of its hardware (the price point would otherwise suffer). Although it is a great product for those with little-to-no networking knowledge who want an all-in-one simplified solution, there are a large number of people out there who have enough know-how to leverage their networking equipment beyond just the basics. There are others who have, or are themselves, the family IT guru who sets up/configures their network to be more secure and robust. The BOX should be something that leverages the power of Bitdefender’s security with parental control functions, but that can be a silent partner on an existing network. As part of this scenario, let’s consider a networking setup that has ( internet <—> (modem) <—> firewall <—> switch <—> APs ). This network has existing SSIDs already configured on a couple of meshed APs for better home coverage. There is also an SSID with an existing Guest network. The Guest network is isolated and VLANed or tunnelled back to the firewall so there is no cross-device communication. Beyond that, on the switch there is a home security/surveillance VLAN that isolates cameras to the NVR. Of course, both VLANs have unique subnets. Another item on the network is a SIP/VoIP connection. Configurations with L2 QoS/CoS and L3 QoS (*cough*) are in place with proper port-forwarding (please keep in mind, these settings are available in many consumer-grade devices such as the Netgear Nighthawk). Now, if someone was looking at purchasing a BOX, the majority of this setup becomes NULL when trying to implement it into the home network. A network teardown is needed and/or some serious re-jigging; nothing will be the same. It will also be restricted and limited to the BOX hardware and config abilities.

Fix: To overcome its initial limitation, there is a need to augment the BOX’s abilities to scan packets without IP, protocol or other restrictions. Then, there should be a way to configure the BOX to be an in-line device that is not disruptive to the existing network setup in any way other than protecting the traffic that flows through it.

Now, there would need to be an option to enable this and to potentially save BOX resources.

First, give the ability to switch the BOX itself to bridge mode. This would leave the BOX able to focus on protection (AV, packet inspection, IDS/IPS, etc.), parental control and nothing else. For novice users, hide this in an advanced tab and give a clear warning of what the implications are.

When in bridged mode, resources would be saved by disabling all functions in the BOX that the primary firewall would already be doing (NAT, routing, firewall, DHCP, VLAN tagging, etc.). It would allow those resources to focus solely on protection (AV, packet inspection, IDS/IPS, etc.) and parental control.
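The “scan every packet, tagged or not, through GRE as well” requirement above, as an added example that is not Bitdefender code and not part of the original post: a small Python parser that walks an Ethernet frame through a stack of 802.1ad/802.1Q tags, into IPv4 and, when the IPv4 payload is GRE, past the GRE header to the encapsulated packet. This is the minimum an in-line scanner has to do before it can inspect the real payload on a VLANed or tunnelled network. The sample frame is constructed inline (QinQ S-tag 100 around C-tag 20, carrying IPv4 10.0.0.1 to 10.0.0.2 with a keyed GRE tunnel); all addresses, VLAN IDs and the GRE key are made up. L2TP is not handled here.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# EtherTypes / IP protocol numbers (IEEE and IANA assignments)
ETH_P_8021Q = 0x8100   # 802.1Q customer VLAN tag (C-tag)
ETH_P_8021AD = 0x88A8  # 802.1ad service VLAN tag (S-tag, the outer "QinQ" tag)
ETH_P_IPV4 = 0x0800
IPPROTO_GRE = 47


@dataclass
class Frame:
    dst: str
    src: str
    vlan_tags: List[int] = field(default_factory=list)  # VLAN IDs, outer to inner
    ethertype: int = 0                                   # EtherType after all tags
    ip_src: Optional[str] = None
    ip_dst: Optional[str] = None
    ip_proto: Optional[int] = None
    gre_inner_ethertype: Optional[int] = None            # set when the IPv4 payload is GRE
    payload: bytes = b""                                 # what the scanner should look at


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_frame(raw: bytes) -> Frame:
    """Walk Ethernet -> VLAN tag stack -> IPv4 -> GRE and report what was found."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    frame = Frame(dst=_mac(raw[0:6]), src=_mac(raw[6:12]))
    ethertype = struct.unpack("!H", raw[12:14])[0]
    off = 14
    # Peel every 802.1ad/802.1Q tag; each is 4 bytes: TCI, then the next EtherType.
    # A scanner that only checks the first EtherType would skip all tagged traffic.
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        if len(raw) < off + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", raw[off:off + 4])
        frame.vlan_tags.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        off += 4
    frame.ethertype = ethertype
    if ethertype == ETH_P_IPV4:
        off = _parse_ipv4(raw, off, frame)
    frame.payload = raw[off:]
    return frame


def _parse_ipv4(raw: bytes, off: int, frame: Frame) -> int:
    if len(raw) < off + 20 or raw[off] >> 4 != 4:
        raise ValueError("truncated or non-IPv4 header")
    ihl = (raw[off] & 0x0F) * 4  # header length in bytes (options included)
    frame.ip_proto = raw[off + 9]
    frame.ip_src = _ipv4(raw[off + 12:off + 16])
    frame.ip_dst = _ipv4(raw[off + 16:off + 20])
    off += ihl
    if frame.ip_proto == IPPROTO_GRE:
        off = _parse_gre(raw, off, frame)
    return off


def _parse_gre(raw: bytes, off: int, frame: Frame) -> int:
    """RFC 2784/2890 GRE: flags/version, inner protocol type, then optional fields."""
    if len(raw) < off + 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", raw[off:off + 4])
    off += 4
    if flags & 0x8000:  # C bit: checksum + reserved1
        off += 4
    if flags & 0x2000:  # K bit: key
        off += 4
    if flags & 0x1000:  # S bit: sequence number
        off += 4
    frame.gre_inner_ethertype = proto
    return off


def build_sample() -> bytes:
    """Constructed frame: QinQ (S-tag 100, C-tag 20) -> IPv4 -> GRE(key) -> IPv4/ICMP."""
    inner_ip = (bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, 1, 0, 0])
                + bytes([192, 168, 1, 10]) + bytes([192, 168, 1, 20])
                + b"\x08\x00\x00\x00\x00\x00\x00\x00")          # ICMP echo, no checksum
    gre = struct.pack("!HH", 0x2000, ETH_P_IPV4) + struct.pack("!I", 42) + inner_ip
    ip = (bytes([0x45, 0]) + struct.pack("!H", 20 + len(gre))
          + bytes([0, 0, 0, 0, 64, IPPROTO_GRE, 0, 0])
          + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2]) + gre)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    tags = struct.pack("!HHHHH", ETH_P_8021AD, 100, ETH_P_8021Q, 20, ETH_P_IPV4)
    return eth + tags + ip


if __name__ == "__main__":
    print(parse_frame(build_sample()))
```

The loop over tags is the point: 802.1ad stacks an S-tag in front of the C-tag, so a single “is this 0x8100?” check sees 0x88A8, gives up, and the whole service-tagged VLAN goes unscanned. The same applies one layer down: with GRE the scanner must strip the GRE header (and its optional checksum/key/sequence fields) before the inner packet can be inspected, otherwise anything tunnelled back to the firewall is invisible to it.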

2> More informative logs/reports and whitelist/blacklist functions (focusing on Parental Control):

Issue: The logs that are provided are sometimes too minimalistic. Then, to take action on those reported incidents, the whitelisting/blacklisting options are also inadequate or non-existent. The logs need to be more detailed as to what sites are being visited, what URLs are offenders, where bandwidth is being consumed and what actions can be taken to open or restrict as needed. To take this a step further, there is no way to manually identify and categorize URLs that are ‘unknown’ to the BOX’s built-in category list for parental controls.

Scenario: There are times where a child has a device that has been assigned to them with parental controls. If there is a violation, the logs only tell you what category has been violated, not the URL. Bitdefender support will tell you to check the URL they’re visiting on the device, but this isn’t always possible. If the child has a mobile device and is using an app that requires an internet connection, they may be blocked from areas the app needs to function properly, or vice-versa, the application could be connecting to a URL you would like to restrict. A real scenario involved a child that has a reading application the school board issued for online books. The application was being partially blocked from the internet because it was violating a rule. Since several rules were violated around the same general timeframe, there was no way to figure out which one it was in the log. Through trial-and-error, the category “Entertainment” was found to be blocking the reading app. However, since the logs don’t show a URL, there was no way to whitelist the connected domain for that application to work. Instead, the entire category of “Entertainment” had to be unrestricted. This takes away from the BOX being effective when protecting the child using parental controls. Looking at things the other way, there are no logs to see what domains have been visited throughout the day or a report of bandwidth usage to identify who or what is slowing down your internet. Example; if older children have not been violating any parental restrictions put in place, but you can’t figure out who or what is causing a bog in the internet connection, you currently have no way to see what’s going on. You may be unaware that they’ve set up an FTP server, P2P box, Plex or maybe just have a resource-heavy game or application.

Solution: For the first issue, where parental control logs only show the violated category and not the URL, that should be an easy fix. When there is a violation, include the URL in the log. Then the parent can take the appropriate action. For the second issue, where there are no logs on bandwidth usage, a list of accessed URLs or a way to blacklist any of them, this needs more report logging and parsing as well as a new blacklist feature. There should be a way to see what device is using bandwidth, what URLs it’s accessing with the category it’s listed as, and what time(s) of day the usage peaks. If this is something the parent chooses to block, there needs to be a blacklist to add the offending URL to. If it’s something the parent feels should already be filtered, as it could be a child visiting a new/unlisted porn site that Bitdefender has yet to see or categorize, the parent should be able to see that it isn’t categorized and should submit a suggested category to Bitdefender for review while then being prompted to blacklist it locally until Bitdefender reviews the submission. In both the blacklist and whitelist scenarios, there should be no limitations on what is added to the list. Example; you should be able to submit wildcard subdomains (*.domain.tld) as well as any path beyond the domain itself (*.domain.tld/site/stuff/etc). For a user-friendly approach, Bitdefender BOX should prompt the user to optionally remove anything else in the URL that may be superfluous (queries, parameters, fragments, etc.).
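How the whitelist/blacklist and logging described above could behave, as an added example that is not Bitdefender code and not from the original post: a Python decision function that normalizes a URL (host lower-cased, scheme/port/query/fragment dropped, which is also the form that gets logged), matches it against `*.domain.tld` and `domain.tld/site/stuff`-style rules, falls back to a category lookup that walks parent domains, and marks anything with no category as “uncategorized” so the parent can see it and submit it. The category table, the rule lists and the device names are constructed for the example; the precedence (blacklist over whitelist over category) is my choice, not a documented BOX behaviour.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Rule:
    host: str          # "domain.tld" (exact) or "*.domain.tld" (apex and every subdomain)
    path_prefix: str   # "/" matches everything under the host

    def matches(self, host: str, path: str) -> bool:
        if self.host.startswith("*."):
            base = self.host[2:]
            host_ok = host == base or host.endswith("." + base)
        else:
            host_ok = host == self.host
        if not host_ok:
            return False
        p = self.path_prefix
        # "/site/stuff" matches "/site/stuff" and "/site/stuff/x", not "/site/stuffy"
        return p == "/" or path == p or path.startswith(p + "/")


def normalize(url: str) -> Tuple[str, str]:
    """Lower-case host, drop scheme/port/query/fragment; this is what gets logged."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    path = parts.path or "/"
    return host, path


def parse_rule(pattern: str) -> Rule:
    """Accept '*.domain.tld', 'domain.tld/site/stuff' or a full URL; strip query/fragment."""
    pattern = pattern.strip()
    if "://" in pattern:
        pattern = pattern.split("://", 1)[1]
    host, sep, rest = pattern.partition("/")
    path = ("/" + rest) if sep else "/"
    path = path.split("?", 1)[0].split("#", 1)[0].rstrip("/") or "/"
    return Rule(host=host.lower(), path_prefix=path)


def lookup_category(host: str, categories: Dict[str, str]) -> Optional[str]:
    """Walk from the full host to its parents: a.b.example -> b.example -> example."""
    labels = host.split(".")
    for i in range(len(labels)):
        cat = categories.get(".".join(labels[i:]))
        if cat:
            return cat
    return None


def decide(url: str, device: str, allow: List[Rule], deny: List[Rule],
           categories: Dict[str, str], blocked: Set[str]) -> Dict[str, str]:
    """Return the log entry for one request: device, normalized URL, category, action, reason."""
    host, path = normalize(url)
    cat = lookup_category(host, categories)
    entry = {"device": device, "url": host + path,
             "category": cat or "uncategorized", "action": "allow", "reason": ""}
    for r in deny:                       # explicit blacklist wins over everything
        if r.matches(host, path):
            entry.update(action="block", reason=f"blacklist {r.host}{r.path_prefix}")
            return entry
    for r in allow:                      # explicit whitelist overrides the category block
        if r.matches(host, path):
            entry.update(reason=f"whitelist {r.host}{r.path_prefix}")
            return entry
    if cat in blocked:
        entry.update(action="block", reason=f"category {cat}")
    elif cat is None:
        entry["reason"] = "uncategorized: review and submit a category"
    return entry


# Constructed sample data for the example (not a real category feed).
CATEGORIES = {"readingapp.example": "Entertainment", "fun.example": "Entertainment",
              "news.example": "News"}
BLOCKED = {"Entertainment", "Adult"}
ALLOW = [parse_rule("*.readingapp.example")]                         # the school reading app
DENY = [parse_rule("https://news.example/forums/?sort=new")]        # one path on an allowed site

if __name__ == "__main__":
    for u in ("https://api.readingapp.example/v1/books?id=3#top",
              "https://video.fun.example/watch?v=1",
              "http://news.example/forums/thread/12",
              "http://newsite.example/"):
        print(decide(u, "kid-tablet", ALLOW, DENY, CATEGORIES, BLOCKED))
```

Two details matter for the scenario in the post. The log entry always carries the normalized URL, so a blocked “Entertainment” hit shows `api.readingapp.example/v1/books` instead of only the category, and the whitelist entry can then be `*.readingapp.example` rather than lifting the whole category. Query strings and fragments are stripped before matching and before logging, which is the “remove anything superfluous” prompt done automatically; note that this also means a rule cannot key on a parameter value, which is usually the right trade-off for a parental filter.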

3> Pause/delay internet/network access to new devices on the network.

Issue: When any device is added to the network, it is immediately granted normal access. However, you may not always want this. There is no way to pause/delay internet/network access until the device is known and/or reviewed.

Scenario: There are many scenarios that could creep up where this function would help. I’ll share a handful of experienced situations. One situation could involve a child trying to bypass the parental control feature with a new device. They could join the device to the network and, if the parent isn’t paying attention or misses the one notification of a new device, it can go on being unrestricted and unnoticed. This can sometimes occur unintentionally with some Apple devices that like to change their MAC addresses. Another scenario could be if a user shared the home password instead of the guest password with a friendly neighbour (or acquaintance). Then the password was shared with others in the same neighbouring household (separate house, but within WiFi range). There is no feature to put a pause on this and explicitly ask for individual permission/access for each device joining the network. That scenario can be mirrored if you talk about an individual who may be weak with their WiFi password. A final scenario would be a household that is sublet between owner and renter. The owner of the house may offer their internet connection as an option with a type of honour system. Obviously, there is risk associated with this, but it’s a real-life situation. There is no way to pause/delay new devices until there has been approval.

Solution: Offer an optional function users can enable, AFTER the initial setup, that can pause/delay internet/network access to any new device found until it has been reviewed and approved as a known/accepted device.
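What the “hold new devices until approved” switch amounts to, as an added example that is not Bitdefender code and not from the original post: a small Python gate fed by DHCP lease (or ARP) events. While initial setup is in progress every device is admitted, exactly as today; once the gate is armed, a MAC that is not on the approved list is held and a notification is queued until someone approves or denies it. It also flags MACs with the locally-administered bit set, which is how randomized (“private”) Wi-Fi addresses are formed, so the parent knows the “new device” may be a known phone re-joining with a fresh address. Device names and addresses are made up.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set => locally administered address. Randomized
    Wi-Fi MACs are formed this way, so such an address is not a stable identity."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


@dataclass
class Device:
    mac: str
    ip: str
    hostname: str
    first_seen: int
    state: str               # "approved" | "pending"
    randomized_mac: bool = False


@dataclass
class DeviceGate:
    """Holds unknown devices at the DHCP/ARP boundary until a person approves them."""
    approved: Dict[str, Device] = field(default_factory=dict)
    pending: Dict[str, Device] = field(default_factory=dict)
    setup_complete: bool = False          # gate is armed only after initial setup
    events: List[str] = field(default_factory=list)   # notifications for the app

    def on_lease(self, mac: str, ip: str, hostname: str, now: int) -> str:
        """Return "allow" or "hold" for a device that just obtained a lease."""
        mac = mac.lower()
        if mac in self.approved:
            self.approved[mac].ip = ip
            return "allow"
        if not self.setup_complete:
            # During setup behave like the BOX does today: admit everything.
            self.approved[mac] = Device(mac, ip, hostname, now, "approved",
                                        is_locally_administered(mac))
            return "allow"
        dev = self.pending.setdefault(
            mac, Device(mac, ip, hostname, now, "pending", is_locally_administered(mac)))
        note = " (randomized MAC: may be a known device re-joining)" if dev.randomized_mac else ""
        self.events.append(f"{now} new device {hostname or '?'} {mac} {ip} held pending approval{note}")
        return "hold"

    def approve(self, mac: str) -> Optional[Device]:
        dev = self.pending.pop(mac.lower(), None)
        if dev:
            dev.state = "approved"
            self.approved[dev.mac] = dev
        return dev

    def deny(self, mac: str) -> Optional[Device]:
        return self.pending.pop(mac.lower(), None)

    def review_list(self) -> List[Device]:
        return sorted(self.pending.values(), key=lambda d: d.first_seen)


if __name__ == "__main__":
    gate = DeviceGate()
    gate.on_lease("aa:bb:cc:11:22:33", "192.168.1.10", "dad-laptop", 1)
    gate.setup_complete = True
    print(gate.on_lease("02:12:34:56:78:9a", "192.168.1.50", "iPhone", 2))
    print(gate.events)
```

The enforcement itself (no forwarding for a held MAC, or parking it on a quarantine VLAN) belongs in the firewall/switch and is outside this snippet. Keying on the MAC is what a consumer product can realistically do, but it is only as strong as the MAC: a determined user can clone an approved address, so the hold is a speed bump against accidental or casual joins rather than a security boundary.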

4> Configuration backups and restoration.

Issue: If the Bitdefender BOX has been corrupted in any way, there is no way to back up a config and restore from one.

Scenario: A Bitdefender BOX can fail and need to be sent for RMA replacement. The new BOX will need to be set up from scratch again. Another issue I’ve seen, the Bitdefender BOX has been “lost” from the Bitdefender portal (this is a known issue with Bitdefender). The solution: factory reset and start again - all settings lost. A less likely scenario, but still a reality, the BOX can be corrupted via a bug, a bad firmware update, poor/conflicting configuration change, etc.

Solution: Offer users the ability to back up and restore BOX configurations. They should have the choice to back up locally (saved file) or, for consumer convenience, OPTIONALLY back up to the cloud with multiple backup instances (last-known working file date). Then, when going through the setup option, include a ‘restore from backup’ that could pull from either the Bitdefender cloud portal or a local file. Also include a function to restore from backup even if the BOX is already configured and operational. This can be helpful when undoing changes that didn’t work when tinkering.

5> Networking configuration - beyond the basics

Issue: The Bitdefender BOX has no real networking options.

Scenario: There is no specific scenario. Just, the BOX has removed almost all useful configuration settings in place of an over-simplified UI. It’s missing all the options that one would expect with ANY consumer-grade router. Even the basic modem/router provided by a residential ISP has more network configuration options. The BOX should easily match what is already out there, supersede it, then ADD the additional benefits of Bitdefender’s security and parental controls. It’s been requested in several areas in the Bitdefender forums, and each time the Bitdefender team is asking “why do you want that function?”. These additional options are something that users expect to have. They shouldn’t need to beg and justify why these basic options are being requested. It’s something available with every other router on the market.

Solution: Understanding that this is meant to be deployed with ease, keep the basic setup options as they are. However, add ADVANCED tabs in the different setting regions to give users options to configure anything they’d typically want/need as with any other consumer networking device. This includes setting the device into bridged mode as described in the first point on this list. Refer to any advanced home router for a full list of configurable options that users expect (ASUS, Netgear, Linksys, TP-Link, etc.).

