
Regarding tp link SMB or semi managed switches

Discussion in 'Switches, NICs and cabling' started by System Error Message, Nov 17, 2019.

  1. System Error Message (Part of the Furniture; joined Oct 14, 2014; 4,212 messages)
    I have a few questions for those who currently use or have used TP-Link semi-managed or business switches.

    How reliable are they (in the timespan of a year, have you had to reboot them because of a hang)?
    How featureful are they, and how well do these features work (older Netgear ProSafe switches that used the store-and-forward method would do poorly when you enabled jumbo frames, for example)?

    I'm asking because I'm trying to list decent low-cost switches that don't need to be as featureful as MikroTik/Ubiquiti, yet are cheap and fulfill small business requirements. Netgear and Cisco, I found, for years had hardcoded backdoors in their switches and routers, but you can't install OpenWrt on a ProSafe.

    Zyxel is good but very pricey.
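The reliability question above ("have you had to reboot them because of a hang in a year?") is one you can answer with data rather than anecdote. The following is an added example, not code from the thread or from any vendor: it assumes you poll the switch's SNMP `sysUpTime.0` on a fixed interval with whatever poller you already run and feed the recorded `(wall_time, ticks)` pairs to it. It separates a genuine reboot or watchdog reset (uptime drops and does not match the wall clock) from the 32-bit counter wrap that happens after roughly 497 days, and it also flags polls that went missing, which is how a hang the switch recovers from on its own usually shows up. The sample data is constructed.

```python
# Added example (not from the thread): detect switch reboots or hangs from
# periodic SNMP sysUpTime.0 samples. Assumes you poll the switch on a fixed
# interval with any SNMP tool and record (wall_time, sysUpTime ticks) pairs.
from dataclasses import dataclass
from typing import List

TICKS_PER_SECOND = 100   # TimeTicks are hundredths of a second
UPTIME_WRAP = 2 ** 32    # sysUpTime is a 32-bit counter: wraps after ~497 days
HOUR = 3600


@dataclass(frozen=True)
class Sample:
    wall_time: int     # poll time, seconds since the epoch (poller's clock)
    uptime_ticks: int  # sysUpTime.0 as returned by the device


def detect_reboots(samples: List[Sample], slack_seconds: int = 60) -> List[int]:
    """Return the wall_time of every poll at which sysUpTime went backwards
    for a reason other than the 32-bit wrap.

    A reboot (or a watchdog reset after a hang) makes sysUpTime drop. A genuine
    wrap also drops, but then the ticks advanced modulo 2^32 still match the
    wall-clock interval between the two polls; after a reboot they do not.
    """
    events = []
    for prev, cur in zip(samples, samples[1:]):
        if cur.uptime_ticks >= prev.uptime_ticks:
            continue
        elapsed = cur.wall_time - prev.wall_time
        wrapped = (cur.uptime_ticks + UPTIME_WRAP - prev.uptime_ticks) / TICKS_PER_SECOND
        if abs(wrapped - elapsed) <= slack_seconds:
            continue  # counter wrap: the device kept running
        events.append(cur.wall_time)
    return events


def missed_polls(samples: List[Sample], interval: int, slack_seconds: int = 60) -> List[int]:
    """Return the wall_time of every poll after which the next one came late.

    Only successful polls are recorded, so a switch that stopped answering
    SNMP for a while (a hang it recovered from) shows up as a gap here even
    though sysUpTime never reset.
    """
    gaps = []
    for prev, cur in zip(samples, samples[1:]):
        if cur.wall_time - prev.wall_time > interval + slack_seconds:
            gaps.append(prev.wall_time)
    return gaps


# Constructed sample data: hourly polls of one switch over seven hours.
SAMPLES = [
    Sample(0 * HOUR, 10 * 24 * HOUR * TICKS_PER_SECOND),                  # up 10 days
    Sample(1 * HOUR, (10 * 24 * HOUR + HOUR) * TICKS_PER_SECOND),
    Sample(2 * HOUR, 5 * 60 * TICKS_PER_SECOND),                           # uptime 5 min: it rebooted
    Sample(3 * HOUR, 65 * 60 * TICKS_PER_SECOND),
    Sample(5 * HOUR, 185 * 60 * TICKS_PER_SECOND),                         # the 4h poll timed out
    Sample(6 * HOUR, UPTIME_WRAP - 30 * TICKS_PER_SECOND),                 # 30 s short of wrapping
    Sample(7 * HOUR, (UPTIME_WRAP - 30 * TICKS_PER_SECOND
                      + HOUR * TICKS_PER_SECOND) % UPTIME_WRAP),           # wrapped, not rebooted
]

if __name__ == "__main__":
    print("reboots at:", detect_reboots(SAMPLES))       # [7200]
    print("gaps after:", missed_polls(SAMPLES, HOUR))   # [10800]
```

Run it against a year of hourly samples and the two lists give you exactly what the post asks for: how many times the switch reset, and how many times it stopped answering without resetting. The `slack_seconds` tolerance covers poller jitter; keep it well below your poll interval or a reboot that happens right after a wrap could hide behind it.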
     
  2. coxhaus (Part of the Furniture; joined Oct 7, 2010; 3,841 messages; location: Texas)
    I kind of doubt there are any back doors in the Cisco switches. Could you be more specific about which model switch and what the back door is?
     
  3. System Error Message (Part of the Furniture; joined Oct 14, 2014; 4,212 messages)
    https://www.tomshardware.com/news/cisco-backdoor-hardcoded-accounts-software,37480.html
    Anything that runs Cisco IOS; that would include their SMB line too, as I remember you mentioning that they do run Cisco IOS.

    The problem isn't isolated to just Cisco; even Netgear's ProSafe line isn't safe either, as government-mandated backdoors find their way in. Which reminds me that if you aren't from a country that has an intelligence cooperation with the US, by procedure or law, if the country is keeping up, it would be illegal to use such devices.

    I have spent a lot of time in cybersecurity the past few months, so I picked up a lot of the boring black-and-white policy.
     
  4. coxhaus (Part of the Furniture; joined Oct 7, 2010; 3,841 messages; location: Texas)
    I have never said the Cisco small business line of routers, switches and wireless APs runs IOS. They run on Linux; if they ran IOS we could not afford them.

    That is an old article, and I would guess most of that stuff has been fixed. Here is a later reference to a recently discovered hack that was fixed, which is much newer than that article. https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20191016-sbss-xss.html

    I would say a lot of this stuff is never discovered in consumer gear because it does not have good enough support from the companies. The hacks just exist for the taking but are not documented. They are just selling products, not software.

    If you are in cybersecurity, then it seems to me you would want to run hardware that has security support.
     
    Last edited: Nov 20, 2019
  5. MichaelCG (Very Senior Member; joined Jan 4, 2017; 713 messages; location: Central US)
    His point about the other devices is that they may be able to run one of the open source packages. The "general" perk of open source is that anyone can look at the code for back doors. However... it really is a matter of how many eyes have actually looked at the code.

    Dealing with cybersecurity is always a challenge. There is no single right way to do things. Everything brings risk..... everything. It is a matter of finding the balance between compliance, risk, cost, and convenience. There are perks to using the hardware/software from the big boys.... but there are drawbacks as well. Open source software is awesome in many ways, but quite often poses more compliance and operational challenges. There are some compliance requirements out there that mandate current vendor support.

    Compliance does not always equal Secure.
    Secure does not always equal Compliant.
    A system can be extremely secure, but completely non-compliant.
    A system can be 100% compliant, but be an absolute hot mess for security.
     
  6. coxhaus (Part of the Furniture; joined Oct 7, 2010; 3,841 messages; location: Texas)
    Cisco small business line is based on Linux. Linux is open source and a lot of times when there is a Linux hack it shows up in the Cisco small business line of equipment. But Cisco issues free firmware fixes for hacks.

    Cisco IOS is a different story as it is a proprietary operating system. There are still hacks discovered but Cisco fixes them.

    And yes maybe more people are working on hacking Cisco than smaller companies. But a lot of those smaller companies don't have the resources to maintain and fix their software. They just want to sell you another piece of hardware. So you pick and choose what is best for you by what you buy.
     
  7. System Error Message (Part of the Furniture; joined Oct 14, 2014; 4,212 messages)
    Recently it was found that despite Cisco managing to get all the compliance, there were major flaws with their security. However, the backdoors are mandatory, so if you are in a country under Five Eyes you can use Cisco/Netgear, but not if you are outside. These backdoors have been mandatory for many, many years, and to counter variations in hardware, ISPs are required to log you; heck, even VPSes in datacenters aren't safe from this either, but that's because it's the law in these countries, and you have to deal with these backdoors as access to sensitive data in these countries because it is a requirement.

    I'm not saying that Cisco hardware is bad; it is pretty decent and I've recommended these Cisco switches myself, but my case is that I am in a country outside of the Five Eyes zone, and being in cybersecurity recently there are plenty of things to look at, and despite the law not yet arriving here, a proper law or audit would disallow use of hardware or software with government-mandated backdoors. Some TPMs included too, which is why OEM brands that companies love to buy from should literally be illegal outside the Five Eyes or the Russia/China/NK bloc. There's a reason why Russia ditched Windows and Intel and went with ARM. My point is that I'm not saying that the Cisco and Netgear switches you guys recommend are bad; I'm saying that they are good but can only be used in the Five Eyes zone, due to the fact that if any country does its compliance and audit properly, they would fail. I don't wait for a country to update its laws and procedures; for instance, despite not being required, I already am learning how to write cookie and privacy policies to comply globally, despite there not being any need to, because some day it's going to be required, whether a visitor/customer comes from the US/EU or simply the country updates its laws in the future.

    So I'm asking about TP-Link switches in terms of their reliability for 24/7 small business use, to recommend. In the past TP-Link indeed did have a backdoor during its early days in its routers (which is why, long ago, installing OpenWrt disabled the WAN port), but this has since changed. I've heard of some TP-Link switches requiring a reboot every 3 months or less, and that's not good enough, as I would expect at least a year's uptime before it hangs. Netgear also has the same problem in that their quality has dropped as well, but I last used the Netgear modem while I was in the UK, and it would annoyingly require a reboot every 3 months and did not stand up to the reliability of ISP-provided hardware; but over here most ISP-provided routers are crap even for wifi and exposed thousands of homes here to Shodan a few years back. Some regions here do get decent TP-Link routers that work well for just wifi and switching.

    Except for the Cisco RV; I still consider that heavily outdated, as Ubiquiti runs the same hardware but offers far, far better in hardware and software.
     
    Last edited: Dec 19, 2019
  8. coxhaus (Part of the Furniture; joined Oct 7, 2010; 3,841 messages; location: Texas)
    My experience with TP-Link routers is they are junk because their code is very weak. I bought 1 and ran it for a year. I would never buy another TP-Link anything.
     
  9. System Error Message (Part of the Furniture; joined Oct 14, 2014; 4,212 messages)
    Thanks, yes, I've been reading user experiences about TP-Link switches; the problem is most of them relate to their entry-level line. Have you tried their business line?

    For other devices they do better. Their wireless NIC does far better than D-Link's and works decently.
     
  10. coxhaus (Part of the Furniture; joined Oct 7, 2010; 3,841 messages; location: Texas)
    Location:
    texas
    I ran the business line router TP-Link offered. It was a rack mount unit that looked like a Cisco 2503.
     
  11. System Error Message (Part of the Furniture; joined Oct 14, 2014; 4,212 messages)
    That makes it bad if that line is unreliable. Looks like I'll have to find an alternative, or perhaps stick with MikroTik on a budget.
     
  12. Trip (Very Senior Member; joined Aug 12, 2014; 1,533 messages)
    As with everything, this depends on the use case.

    For SOHO? I'm sure TP-Link works well enough. For micro to small businesses, I think there are better options for equivalent or not that much more spend. Zyxel, for one, isn't that much more costly, but has a much more mature product platform and better warranty and replacement: lifetime, NBD. Netgear is OK. I only buy it when in a pinch and I have to get something locally that day. I know you personally can't stand D-Link, but I've seen their switching improve to roughly Netgear level. Then you go to the two gold standards in the space: HPE OfficeConnect (i.e. 19__ and below) and Cisco SG. Both are typically 2x to 5x the cost of TP-Link, but their code bases and hardware have a much more solid reputation. SG especially is a classic example of "If it ain't broke...".

    Then you have your faux-enterprise MikroTik CRS/CSS and Ubiquiti EdgeSwitch stuff. I might buy CRS for production, but CSS/EdgeSwitch only for a lab, as neither is fully baked enough yet, IMHO.

    Depending on how critical the need is, I think refurb or working-pull HPE ProCurve/ArubaOS gear is just about the best deal going. The platform has now had decades of development on it, and you can practically toss the hardware into a vat of molten lava and it will keep running. Short of Arista, Catalyst or Allied Telesis, it's the most robust stuff I know of. You can get plenty of HPE Renew 2530/2930F for almost as cheap as Cisco SG these days, and even more ridiculously cheap from places like NetworkTigers and similar. $212 for a 2530-48G?!?! Sold.
     
  13. System Error Message (Part of the Furniture; joined Oct 14, 2014; 4,212 messages)
    The problem here is the lack of talent. Plugging in my USB-C device brought down the network, which consisted of dumb switches and a prosumer D-Link router, but at home I use MikroTik and it's totally fine; but when I suggest MikroTik the local admin was like nope, because he couldn't figure out how to configure it for his game server. Part of the MikroTik community gives bad advice, like to use port forwarding for a virtual server on MikroTik when there already is a solution for a one-to-many NAT relationship in MikroTik, since a huge part of the MikroTik community is the third world, who do not do things properly.

    However, I'm trying to design their network so that they have control over it, because they have no idea how vulnerable they are. They still haven't moved forward with the Nextcloud I installed for them with AV and added ransomware safeguards, as they got hit before I came. Not that I can't recover a PC from ransomware, but for the sake of time, a backup that is protected is faster.

    Netgear and Cisco can't be used outside the Five Eyes alliance. With Huawei it's similar, as it's not confirmed yet that they do not have a backdoor, but Netgear and Cisco are confirmed to have government-mandated backdoors, so they cannot be used outside the Five Eyes alliance that consists of the US, UK, Canada (probably) and a few EU countries. Intelligence alliances can be gathered from websites that tell you about public VPNs.

    So that leaves Zyxel on the easy-to-use scale. I would suggest MikroTik all around, but where I work they do not have the skill, and while I do, I'm buried under programming tasks I do not want to do.