Difference between revisions of "FAQ"

From securityrouter.org, an OpenBSD-based firewall
(DDoS)
(DDoS)
Line 27: Line 27:
 
=== DDoS ===
 
=== DDoS ===
  
Protecting a network from a "real", large scale DDoS (distributed denial-of-service) attack is impossible on premise, even though some may claim it is. It's simply a matter of link/bandwidth saturation (sometimes both inbound and/or outbound). For smaller (DDoS/DoS) attacks, we feature some known-to-work mitigation techniques such as SYN proxies and TCP normalization, connection-limits and traffic shaping.
+
Protecting a network from a "real", large scale DDoS (distributed denial-of-service) attack is impossible on premise[[http://en.wikipedia.org/wiki/DDoS]], even though some may claim it is. It's simply a matter of link/bandwidth saturation (sometimes both inbound and/or outbound). For smaller (DDoS/DoS) attacks, we feature some known-to-work mitigation techniques such as SYN proxies and TCP normalization, connection-limits and traffic shaping.
  
 
To protect a network/service from a DDoS attack, one should:
 
To protect a network/service from a DDoS attack, one should:
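Review bot: the reference added on the `+` line is written as `[[http://en.wikipedia.org/wiki/DDoS]]`, and double square brackets are MediaWiki's internal-link syntax, so an external URL placed inside them renders with stray brackets around the footnote number. Use single brackets, optionally with a label, for example `[http://en.wikipedia.org/wiki/DDoS DDoS]`. The link also sits directly after "impossible on premise", where it reads as a source for that claim; if it is only meant to define the term, move it next to "DDoS (distributed denial-of-service)".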

Revision as of 12:07, 22 May 2013

Answers to frequently asked questions about our SR (security router) product.

License

You say the product is free, why does it have a serial number?

It doesn't need a serial number. You can use it for free, without a serial number, by simply pressing the Free button on the System > License page. If you don't have access to the web interface, you can run

[email protected]> license -a FREE-FREE-FREE

from the command line. If the system has already downloaded a serial number, you may delete it by removing the file /cfg/serial using root access.

The system requests a serial number from our server link.halon.se using a simple, unencrypted HTTP query, so that we can identify users who have purchased software updates or support.

Why does the demo shut down every 4 hours?

Unlike other products that need to be "connected" to the vendor (such as our spam prevention software), it would be awkward if firewall/router software that has no reason to "call home" did so. For that reason, and for the sake of integrity, the security router software never connects to us (except for downloading software updates, using simple, unencrypted HTTP queries). Consequently, we have no way of controlling the software once it has been downloaded, which makes, for example, a 30-day trial license unsuitable. Shutting down every 4 hours seems to us like a good compromise. It's of course possible to restart it once shut down, as many times as you like.

If you would like to verify the stability of the software for longer than 4 hours, we hope that you can do so using the Free mode (slightly limited in terms of features). Otherwise, simply e-mail your serial number to us and ask for a "subscription" license. Then enable license subscriptions on the System > License page.

What's included in the licenses?

The software has four license types:

  • Demo is unlimited, but halts every 4 hours
  • Free costs nothing and is quite limited; software updates cost $19 each and support costs $199/hour
  • Lite costs $99 and is not as limited; software updates are free and support costs $199/hour
  • Paid models such as Basic and Unlimited cost between $499 and $3999 and are less limited; software updates are free, and support is free

In the list above, the word "free" means "complimentary for the duration of 1 year after purchasing". Following that, it continues to be free if you renew your license annually. The renewal costs 25% of the original price (for example $124 for basic).

Technologies

DDoS

Protecting a network from a "real", large-scale DDoS (distributed denial-of-service) attack is impossible on premises [1], even though some may claim it is. It's simply a matter of link/bandwidth saturation (inbound, outbound, or both). For smaller (DDoS/DoS) attacks, we feature some known-to-work mitigation techniques such as SYN proxies, TCP normalization, connection limits and traffic shaping.
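As an added illustration (not taken from this FAQ or from the product's own configuration), the four techniques named above can be expressed in plain OpenBSD pf.conf syntax as follows. The interface name, server address, bandwidths and limits are constructed values, the queue statements assume the OpenBSD 5.5 or later queueing syntax, and the SR product's own configuration interface may look different.

```pf
# Added example, plain OpenBSD pf.conf (queue syntax of OpenBSD 5.5 or later).
# All names and numbers below are constructed for illustration.
ext_if  = "em0"          # assumed external interface
web_srv = "192.0.2.10"   # assumed published web server (documentation address)

# Sources that exceed the connection limits below are collected here.
table <abusers> persist

# TCP normalization: reassemble fragments, clear DF, randomize IP IDs
# and normalize TCP options on everything arriving from outside.
set reassemble yes
match in on $ext_if all scrub (no-df random-id reassemble tcp)

# Traffic shaping: queues act on packets leaving $ext_if, so the web
# service's replies are guaranteed a share of the uplink.
queue rootq on $ext_if bandwidth 100M
queue web  parent rootq bandwidth 60M
queue bulk parent rootq bandwidth 40M default

# Default inbound policy, then drop known abusers before any other work.
block in on $ext_if all
block in quick on $ext_if from <abusers>

# SYN proxy: pf completes the three-way handshake itself and only then
# opens a connection to the server, so spoofed SYNs never reach it.
# Connection limits: at most 100 concurrent connections per source and
# 15 new connections per 5 seconds; offenders go into <abusers> and
# their existing states are flushed.
pass in on $ext_if proto tcp to $web_srv port { 80 443 } \
    synproxy state (max-src-conn 100, max-src-conn-rate 15/5, \
    overload <abusers> flush global) \
    set queue web
```

The per-source limits only count connections that completed the handshake, which is why they pair well with the SYN proxy; none of this helps once the uplink itself is saturated, as the paragraph above points out.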

To protect a network/service from a DDoS attack, one should:

  • Ask the ISP to prevent the traffic from travelling downstream to the premises. A DDoS attack needs to be mitigated as close as possible to the source.
  • Ask the ISP to apply anycast techniques to distribute the affected service across different network and geographical locations. This usually improves performance and may confine a non-global DDoS to the geographical region closest to the attackers. This is very common for DNS and CDN services.