Vektor Security/Privacy device thoughts?

[speedingcheetah]

Looking for thoughts/opinions etc on this device that was recently recommended to me:
Vektor: Secure WiFi Network & Connected Devices
https://www.indiegogo.com/projects/vektor-secure-wifi-network-connected-devices/x/3536506#/

Developed by the Former Head of Facebook’s Security Tools team.
Look quite promising, but, since it has only one eht port, and all network traffic is routed in and out of this device, it will probably cause a bottleneck for those of us that have 1gig WAN connection and maybe also transfer lots of files to and from wired devices, I would think.

It also appears to be CPU based for its tasks, no hardware offloading for routing/switching, I believe.
It has a beefy CPU though, AllWinner H5 (ARM Coretex-A53) 4 core 1.8ghz. with 2 GB ram.

I have to wonder how this device, yes it is geared towards simple home users, plug and play, compares to the big name devices, like Sonicwall etc or things like the Ubuiqiti Security Gateway type setup. But it is most certainly better than the Asus AI Protection features.

 

[AntonK]

Looking for thoughts/opinions etc on this device that was recently recommended to me:
Vektor: Secure WiFi Network & Connected Devices
https://www.indiegogo.com/projects/vektor-secure-wifi-network-connected-devices/x/3536506#/

Developed by the Head of Facebook’s Security Tools team.
Look quite promising, but, since it has only one eht port, and all network traffic is routed in and out of this device, it will cause a bottleneck for those of us that have 1gig WAN connection and maybe also transfer lots of files to and from wired devices.
It also appears to be CPU based for its tasks, no hardware offloading for routing/switching.
It has a beefy CPU though, AllWinner H5 (ARM Coretex-A53) 4 core 1.8ghz. with 2 GB ram.

I have to wonder how this device, yes it is geared towards simple home users, plug and play, compares to the big name devices, like Sonicwall etc or things like the Ubuiqiti Security Gateway type setup.

"Head of Facebook’s Security Tools team." Facebook and privacy, not exactly a comforting thought...

 

[L&LD]

https://www.snbforums.com/threads/ac86u-vs-edgerouter-12-performance.55615/page-3#post-472953

 

[speedingcheetah]

And when I say Vecktor communicates well to questions over FB Messenger (or the Indegogo campaign page), they sure do.
Below is more insight into this product, direct copy and paste responces from Vektor:

About how their Vulnerability scanner and such works:

We apply AI to our firewall bits and not the vulnerability scanner. The scanner (two of them actually) are checking systems on your network to see if they show indicators of compromise or respond with patterns that indicate that the software behind the responding network port has a known vulnerability; we are using a add-on to nmap and nessus variant for the vulnerability scanning. We are also running an intrusion detection system (suricata) that uses a database of rules and attack signatures to notice an incoming attack and trigger an alert. At the moment this is detection and not prevention, but a later update will switch this over to protection mode.

The AI-driven firewall (and yes, I hate the 'AI' term as much as anyone these days) uses several different methods to determine what 'normal' network traffic looks like for devices and then will alert or block traffic that deviates from these patterns. Specifically, we are using K-means and a variant of random forests called an isolation forest as the unsupervised machine learning systems on the device -- this is basically just anomaly detection using input signals like packet timings and sizes, source location (both geographic as well as ASN source for the connection), and other features of a packet connection to decide if something is normal or not.

One of the main drivers for our selection of machine-learning algorithms was to keep the packet data on the Vektor and not push it out to the cloud to perform analysis. We are also exploring differential privacy techniques for cloud analysis, but so far the 'easy' methods available are not much more than gradient descent systems that either require too much supervision in their classification techniques or have a low signal for the sort of data we would be feeding them, so we have not spent much time working on this option in recent months.


About their "subscription" :

The subscription covers software, threat intel, and vpn data updates and is transferable, the subscription is actually tied to the device and not a specific user.


Routing/bottleneck with 1gig WAN and other performance concerns:

you are correct that someone with a huge upstream pipe like you do is going to see throughput capping if you route everything through the Vektor. You could go via the Vektor's wifi to maintain 1G throughput but this is probably not going to be optimal for you. The Vektor lets you add and remove devices from protection (and therefore from routing through the Vektor) via the app, so for people in your situation I would recommend that low-bandwidth IoT devices and devices that do not need maximum bandwidth be protected by the Vektor and that you use the Vektor as a DNS server and as a VPN router for other devices to maximize utility. In the latter two roles it will provide malware/phishing/ad blocking and privacy protection. You might also consider the Vektor for routing devices that are doing gaming or other situations where you need to optimize latency over raw throughput as we include bufferbloat prevention for connections routing through the Vektor.

About making a AIO "normal" router (with switch ports etc):

That would be ideal, but unfortunately the price/performance options at the moment make this difficult. You can use a board that is built around shifting packets as a router, but these lack CPU power for a lot of the security tasks and are also limited in the available RAM that let's you do useful work. To combine a decent board backplane with a few chips to offload network tasks from the CPU but still have a CPU that can perform security tasks would basically push the manufacturing cost for the board up around $150-175 and you still need to wrap it in a case and deal with packaging/shipping/etc. You would end up with something that would probably retail for around $300 I would guess (unless you could move very large volumes like what Ubiquiti and others can aim for.) When presented with the available tradeoffs we opted for a bit more CPU power while still having at least real 1G on the board, but to add a second network interface that could also move at 1G would have required a significant number of additional chips. In the end we had to decide what market segment we were aiming for and fighting Ubiquiti for the people who really knew networking at could built/maintain a semi-pro network seemed like a losing battle...

About CPU used in device:

I didn't realize we did not put the clock speed into our info but the Vektor CPU is running at 1.8GHz. The CPU we use is an AllWinner H5 (ARM Coretex-A53). You are correct that it is possible to create something that fits this need for a good high-speed router that has a software suite of the same level as what the Vektor is offering, but I am not sure there would be much space in the market for it. If you look at the available offerings you see low-end crap that is everywhere, mid-range routers that tend to have decent hardware networking but not great software, pro-sumer stuff like good ASUS or Ubiquiti gear, and then there is a jump to enterprise gear designed for branch offices. To be honest I think the Vektor fits in as being something to be added to a network using low-end or mid-range gear to provide services those systems lack. At the high end you bump up against enterprise purchasing I think; ASUS or Ubiquiti could create a really good router that checks all of your boxes but I am not sure there is enough of an addressable market for them to reach with such a device before the people who are really interested in that level of network control start looking at the enterprise gear. It would be interesting to try, but the market sizing and having a plan to reach those potential customers are where I think you might see problems that prevent something like this existing in the market.

 

[speedingcheetah]

"Head of Facebook’s Security Tools team." Facebook and privacy, not exactly a comforting thought...

https://www.snbforums.com/threads/ac86u-vs-edgerouter-12-performance.55615/page-3#post-472953

Why?
"former head of security for Facebook" does NOT mean "the guy responsible for every aspect of end user privacy within the app". Rather, he was likely in charge of security tools to secure the corporate networks from actual hacking attempts, not so much the app code itself.

I am not the kind of person to believe, without any proof, that all IT security staff at a company that's had its fair share of security problems are worthless pieces of crap. I know enough to know there's a lot of people who try their best to do their jobs, and end up taking the fall that's really no fault of their own when somebody else in the company screws up.

I would actually say that the very fact that this guy left Facebook to start up this company suggests that he was fed up with Facebook's security problems and wanted to do something else where he could feel like he was actually making a positive difference in people's network security.

To say that anything related to network security that a former Facebook employee touches is inherently suspicious is bordering on conspiracy theory.

(Text is from a contact of mine, but I mirror his statements)

 

[L&LD]

Why?
"former head of security for Facebook" does NOT mean "the guy responsible for every aspect of end user privacy within the app". Rather, he was likely in charge of security tools to secure the corporate networks from actual hacking attempts, not so much the app code itself.

I am not the kind of person to believe, without any proof, that all IT security staff at a company that's had its fair share of security problems are worthless pieces of crap. I know enough to know there's a lot of people who try their best to do their jobs, and end up taking the fall that's really no fault of their own when somebody else in the company screws up.

I would actually say that the very fact that this guy left Facebook to start up this company suggests that he was fed up with Facebook's security problems and wanted to do something else where he could feel like he was actually making a positive difference in people's network security.

To say that anything related to network security that a former Facebook employee touches is inherently suspicious is bordering on conspiracy theory.

(Text is from a contact of mine, but I mirror his statements)

You really like to jump to conclusions. Nobody even hinted at anything of the sort that you describe above. Doesn't matter if he was the sole creator of the problems FB has faced or he was just a cog in the wheel of the machine, the fact that issues rose up while he was there is the 'problem' of accepting his previous post as a sign of advantage for the product he's currently peddling now.

And the jumps you're making about this person is also questionable too. Unless you know him personally, your post just sounds like you're desperately trying to convince yourself of what you already seem to believe.

 

[speedingcheetah]

Nobody even hinted at anything of the sort that you describe above

Sure did.

"Head of Facebook’s Security Tools team." Facebook and privacy, not exactly a comforting thought...

Commutative via FB? Scary (to me). A former head of security for FB? Even scarier. To me, this is a flag, not an endorsement.

What I (or U) think about the person who is developing the product, is irrelevant to the product itself.
You 2 users are the ones that immediately, upon seeing the words FaceBook...nee jerk reaction was to ignore everything else about the product, and comment only on the fact that an ex-FaceBook employee is behind it and that "scares you" or is a "fag". And hence, why i responded in kind.

I am wanting feedback and thoughts from users of such security/firewall/privacy appliances in comparisons to this one. There are many well known and used similar products out there.

 

[RMerlin]

I'm not a fan of hardware that's tied to a subscription, and comes from a small unknown startup. If the company disappears, your expensive hardware becomes a paperweight. I consider $390 to be an expensive investment.

 

[L&LD]

Whatever anyone thinks of a person who is developing a product is irrelevant to the product itself.

Their track record, on the other hand, isn't.

 

[speedingcheetah]

I consider $390 to be an expensive investment.

It's $149 for 1x device and a LIFETIME subscription.

When they cross out the $390...that is a marketing thing...it wont cost that much after the Crowd fund stage is over, more around $199, if it even goes up.

It they charged $390 for it, + a monthly sub, that is WAY beyond the cost their target market and user. After all, read their comments, they wanted to make a affordable device, not a AIO powerful Router device etc, then they would have to charge around $400 for it.

 

[RMerlin]

When they cross out the $390...that is a marketing thing...

We'll only know for sure once it gets out of its early adopter period.

 

[AndreiV]

facebook , privacy, security ...... oxymoron

Now tell me you would trust anything spawned by them or ex staff :

https://www.bbc.co.uk/news/technology-47653656

https://www.cbronline.com/news/facebook-passwords-exposed

 

[RMerlin]

Now tell me you would trust anything spawned by them or ex staff :

What if they are EX-staff because they disagreed with their policy?

i.e. you cannot judge someone based on his former employer...

 

[L&LD]

facebook , privacy, security ...... oxymoron

Now tell me you would trust anything spawned by them or ex staff :

https://www.bbc.co.uk/news/technology-47653656

https://www.cbronline.com/news/facebook-passwords-exposed

Commenting on Mr Krebs's story Facebook engineer, Scott Renfro said an internal investigation started after Facebook had uncovered the logs had not revealed any "signs of misuse".

But it added it would enforce a password re-set only if its taskforce looking into the issue uncovered abuse of the login credentials.

This is how flawed their thinking is; after they had 'proof' no misuse had taken place, they started the investigation.

And they won't enforce password resets unless past abuse was uncovered. What about future abuse?

I really don't understand how anyone uses these 'services', I really don't.

 

[L&LD]

What if they are EX-staff because they disagreed with their policy?

i.e. you cannot judge someone based on his former employer...

I can agree with being cautious about judging too quickly.

In this case though, this was the Head of Security at FB. In essence, he was the one that was ultimately responsible and even created the (security) course that others had to follow.

I can't seem to get any 'bio' or name on him? If he was there for a month and quit, RMerlin may be right. I would give him the benefit of the doubt.

If he was there much longer, his chances of being above reproach are slim to none.

 

[speedingcheetah]

Screen cap from the Indiegogo comments page:

 

[speedingcheetah]

Some further details on encrypted/tunneled traffic.

 

[speedingcheetah]

Some further details on encrypted/tunneled traffic.

\They mention not using DPI...some thing that CPU and RAM intensive is it not?
Ubiquiti uses DPI. So I have to wonder if Vektor's method, is more efficient and just as good, or better.

 

[AndreiV]

\They mention not using DPI...some thing that CPU and RAM intensive is it not?
Ubiquiti uses DPI. So I have to wonder if Vektor's method, is more efficient and just as good, or better.

Which all comes back to trust and privacy.

They are using their system to see the sending and receiving servers , domains/certificates , so is that privacy?

 

[speedingcheetah]

their system

So is any router or security device, like Ubquiti DPI, or Fing Network tools app, hell, the basic wifi scan abilities of a smart phone has a system that can "scan" and discover things about your network.

The big thing to this particular device that is unlike most the rest out there, is that data this device comes up with stays local on the device. No data is being sent to some server somewhere. That is indeed privacy. There is no "phone home" or third party data collection, no centralized server.

At least, that is what they (the makers of the device) says, but of course one can be skeptical and test that for themselves with wireshark once they have the device in hand. But how many folks have actually really throughly tested other security devices to see how "Private" they really are?

Or is the fact that any sort of device that is connected to and scanning your network, collecting data, is what you would consider "not private"....well, here is some news for you, all the devices you already have most likely are already doing that, the question then becomes, to what extent and to whom are they sending their data. Are there any security vulnerabilities that are being actively exploited? (smart home devices like Alexa, or cams especially) This device is supposed to detect these things, show what is happening on your network visually and in a easy to understand way and give your control over your devices and how they communicate to the outside world. Also, detect when something abnormal is happening or if new devices try to connect. Seems that a pretty good idea for "privacy" to me.