Slyguy

Hi everyone,

As one of the guys behind the SafeThings product, I was extremely pleased to run into this thread.

I’d love to learn more about your thoughts around our product:
- what would motivate you to buy such a product?
- what is it missing in the product that would turn it into a must-have?

Thanks everyone,
Andrei
Hello Sir,

I have not had the pleasure of trying one personally. Also it is not currently available in the USA so I can't get my hands on one for testing. A few quick questions, and some suggestions based exclusively on what I can find on the website:

1) Does this act as a DHCP server as a primary on the network?
2) Can DNS be switched to an INTERNAL DNS server? (it bugs me that Gryphon cannot, I want my Pi-Hole online)
3) Does it send logs, if so, how verbose?
4) Does it send TLD and SNI information on visited websites or is everything local on device?
5) Can telemetry be adjusted/eliminated/reduced? Is the telemetry encrypted?
6) Is there custom blacklisting/whitelisting of sites/domains?
7) Parental controls by age group? Homework time? How deep are the parental controls?
8) Website states it detects incoming traffic to IoT devices and stops them. How does it determine if the remote IP is a qualified source or not?
9) What level of filtration is there for malware? Is it simply malware domains?
10) Does it have RRP that can be disabled? (Manual channel selection)
11) Is low power mode and scheduled WiFi on/off available or coming?
12) Is the device hardened? SSH closed up? Etc?

Another feature, lobbied by ME for Gryphon was inclusion of ad-blocking within the firewall itself. This is an absolutely phenomenal feature. It's aggressive, and it should be, but you can whitelist. This allows me to not feel the forced need to use my Pi-Hole because quite frankly, Gryphon blocks enough ads to where you don't need a browser or DNS adblocker. Any chance Avira will take an aggressive stance against ads and trackers like this? Malvertising is real.

I'd be very curious to try it when it is available and would surely do so!
 

AndreiP

From Avira
Developer
1) Yes
2) Yes
3) It sends aggregated stats from netflow, in order to construct and benchmark behaviour models in the cloud (here we do ML-based anomaly detection)
4) & 5) Yes, as a natural consequence of 3
6) Yes
7) Admin can create roles (users) and attach devices to them. Then rules (content based, time based) can be applied either on roles or per-devices.
8) Our most powerful engine to detect such dodgy connections is the ML anomaly detection (we also employ crowdsourcing looking at the same device behaviour in multiple deployments), but we do employ as well whitelisting and blacklisting (Avira URL Cloud)
9) We analyze behaviour (netflow), and don't do MitM. This is why SafeThings is a fit solution for IoT devices; for files security on traditional devices we include Avira Prime.
10) Will have to check with the tech team and come back to you.
11) Yes, it's on the backlog with a good priority attached to it.
12) Yes, we spent a good amount of time to do proper security and hardening. SSH is locked down.

Thanks a lot for the time and feedback. Great pack. And yes, ads is something we're fighting against, as well as PUA (potentially unwanted apps). This device is a good addition to our portfolio in that war.

Thanks,
Andrei
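
The flow-based approach described in the answers above (behaviour from netflow summaries, no MitM), shown as an added example; this is not Avira's code or model. It uses a plain per-device statistical baseline in place of ML, and the device names, addresses and thresholds are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries: (device, dst_ip, dst_port, bytes_out) per interval.
BASELINE = [
    ("camera", "203.0.113.10", 443, 52_000),
    ("camera", "203.0.113.10", 443, 48_500),
    ("camera", "203.0.113.10", 443, 50_200),
    ("camera", "203.0.113.10", 443, 51_300),
    ("thermostat", "198.51.100.7", 8883, 1_200),
    ("thermostat", "198.51.100.7", 8883, 1_150),
    ("thermostat", "198.51.100.7", 8883, 1_300),
]

def build_profiles(flows):
    """Learn, per device, the peers it talks to and its usual outbound volume."""
    peers, volumes = defaultdict(set), defaultdict(list)
    for dev, ip, port, nbytes in flows:
        peers[dev].add((ip, port))
        volumes[dev].append(nbytes)
    return {
        dev: {"peers": peers[dev],
              "mean": mean(volumes[dev]),
              "std": pstdev(volumes[dev])}
        for dev in peers
    }

def score_flow(profiles, flow, z_limit=4.0):
    """Return the reasons a flow deviates from its device profile ([] = normal)."""
    dev, ip, port, nbytes = flow
    prof = profiles.get(dev)
    if prof is None:
        return ["unknown-device"]      # no baseline yet: treat as its own signal
    reasons = []
    if (ip, port) not in prof["peers"]:
        reasons.append("new-peer")     # destination never seen for this device
    # Floor the spread at 5% of the mean so a very steady device
    # does not alert on ordinary jitter (and never divide by zero).
    std = max(prof["std"], 0.05 * prof["mean"], 1.0)
    if abs(nbytes - prof["mean"]) / std > z_limit:
        reasons.append("volume")       # outbound bytes far outside the usual range
    return reasons

PROFILES = build_profiles(BASELINE)
```

Only metadata (who talked to whom, on which port, how much) is inspected, which is why this style of detection works on encrypted IoT traffic and also why the flow summaries themselves are privacy-relevant telemetry.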
 

AndreiP

From Avira
Developer
It's good to be able to talk to product folks directly and a great move you did to ask users !

my list ( may provide more points over the coming days )

1) privacy, I want the filter lists to be downloaded locally and applied locally by the UTM, no sending of domain names or their hashes to an Avira endpoint. This will be good for you as well, data fines in the EU are becoming a real thing.

2) if you do provide a web management dashboard, which would be nice, make sure it's the UTM that does the connect(...) call and your backend that does the listen(...), I don't want any open ports that are internet facing ( so your backend will be doing pushes ). Do not have any ports open to the internet, preferably no ports open at all and admin is done either via web dashboard and bluetooth only.

2.5) If you do that, do the authentication & certificate work right and ofc only allow strong ciphers in your TLS, a man in the middle attack compromising a UTM would be nothing short of a disaster.

3) email alerts ( for suspicious "dial-outs", portscans coming from the web etc )

4) strong filtering per device that can be used for parental controls, ie while pr0nhub may not have malware, parents should have the option to ban explicit content for underage kids.

5) Do NOT do deep packet inspection, I don't want my UTM doing MiTM to my devices.

6) Auto updates ( again good work with signing the updates, and authenticating your server to the UTM , rolling the certificates etc is very important )

7) support virtual LANs, eg one for guests, one for kids, one for parents

8) support for OpenVPN ( esp if VPN could be assigned per VLAN, that would be great )

9) geo-blocking -- if there are no legal issues with providing this ( there was talk that in the EU geoblocking may become illegal, didn't watch what happened )

10) Mesh support

11) detection of network cards in promiscuous mode

12) WPA3

14) good practices for authenticating the administrator to the machine ( not plaintext like the other routers I'll leave unnamed ... ) and also authenticating the machine to the user ( no self signed certs like other routers )

15) 2FA for your web dashboard

16) out of the box ability to block Alexa, Google voice etc per device. These days sadly these come bundled with a lot of 3rd party devices and many users feel strongly about this.

If you do integrate it with local AV, eg the UTM being aware that the connection started from machine XYZ from a process forked of powershell, this would be a heavy plus but maybe too much to ask for version 1 of your product.

Hope it helps and good luck !
Thanks for the great pack of feedback. This is really useful.
 

notabot

There are some channels used in Europe that aren’t used in the US. Different countries regulate the signals a little differently, but you may be able to get it to work if you really wanted to.
I see so the real issue would be compatibility with the WAN interface - that should be fine as I planned to use the provider's router for routing only and connect Avira's Safethings to it and effectively use Safethings for WiFi only ( plus its security features ).

That way would I be on the clear?
 

blackice

That may work, however you may run into an issue of having a double nat. A lot of people who run routers behind routers run into problems.
 

blackice

That depends on the router the provider gives, eg I already do that but with a different UTM device
Gotcha. I’ve never tried to use a WiFi router or AP meant for another country’s approved bands before so I’m not sure if it’s a big deal or not. If you give it a shot good luck, and let us know how it goes. I really like the secure router idea and run a gryphon at the moment.
 

notabot

But ie Avira could geoblock another country, would be good if someone from Avira could comment, if it works, I'm happy to fork the cash to try the device.

Gryphon is probably the best option at the moment but the priciest too, this is for a holiday place so any UTM is an overkill and I'm happy to settle for second-best.
 

Momus

You are not missing anything, Sir. I can't find a way to buy it either. Even the German store just presents a nice video :))
 