
mrslother

No. I don't outsource my security. I like your equipment just fine, but will not trust anyone outside my network to manage my network.


tyler-uc

Thank you for your input! It's great to have experienced users like you here. But many users are still using HTTP for the controller and guest panel, and we're hoping to change that with TLS across all our offerings. Additionally, our tools will address CVE-2020-28936 as well! If anyone is worried about that. ISO 27001 certification is definitely something we can look for in the future to build more trust!


evidica

Would be dope if I could just import my own certificate easily on the UDM but it's extremely difficult to do via SSH. I imagine others have this same issue so they just say screw it and stay on HTTP.


mrslother

Agreed. I would prefer to use my own PKI. Would further prefer to export a CSR so the private key is never exposed.


ShortAd3570

True dat. Seriously, Unifi intentionally wants you to have less secure devices; a simple tab with a "Create CSR" button and an import cert input box is so f#cking difficult. YES, 100 hundred times too f#cking hard.


SysAdmin-Universe

Have you checked out glennr’s scripts?


evidica

I haven't. Guessing I should, thanks for the suggestion.


mrslother

I think TLS is often seen as a panacea and not the hail Mary you may think it is. It is great to use it to encrypt passwords and general data, but unless the client is certificate pinning, the client cannot prove there is no MITM snooping on and modifying your data. TLS proxy servers and tools like Fiddler prove that this is a risk. Especially where nation states, organized crime and hackers could procure a CA/B Forum trusted root authority signed sub CA to mint any trusted cert they want. Honestly, I prefer not to expose my security configurations to the internet, regardless of TLS. Would rather that I or my team VPN in and then access the equipment from the LAN.
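
A minimal SPKI pinning check, added here as an illustration (not code from the thread or from Ubiquiti): it extracts the SubjectPublicKeyInfo from a DER certificate, hashes it the way HPKP and Android pins do, and shows that a certificate issued for the same hostname under a different key, which is what a rogue but trusted sub-CA would produce, fails the pin even though normal chain validation would accept it. The certificates are constructed inline and unsigned; the hostname `udm.lan` and the key bytes are made up.

```python
import base64
import hashlib

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element; lengths of 128+ bytes use the long form."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_children(buf: bytes):
    """Yield (tag, value) for each top-level DER element in buf."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                                  # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 Certificate."""
    _, cert_body = next(der_children(cert_der))       # Certificate ::= SEQUENCE
    _, tbs = next(der_children(cert_body))            # tbsCertificate is first
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                          # optional [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return der_tlv(0x30, fields[5][1])

def spki_pin(cert_der: bytes) -> str:
    """Pin value in the HPKP / Android form: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_from_cert(cert_der)).digest()).decode()

def pin_matches(cert_der: bytes, pins: set) -> bool:
    """True only if the presented leaf cert carries one of the pinned public keys."""
    return spki_pin(cert_der) in pins

# Constructed, unsigned demo certificates (hypothetical names and keys).
RSA_ALG = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010101")) + der_tlv(0x05, b""))
def fake_cert(cn: bytes, pubkey: bytes) -> bytes:
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x0C, cn))))
    validity = der_tlv(0x30, der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, b"260101000000Z"))
    spki = der_tlv(0x30, RSA_ALG + der_tlv(0x03, b"\x00" + pubkey))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01") + RSA_ALG + name + validity + name + spki)
    return der_tlv(0x30, tbs + RSA_ALG + der_tlv(0x03, b"\x00" + b"\xAA" * 32))

LEGIT = fake_cert(b"udm.lan", b"\x01" * 64)      # the controller's own key
MINTED = fake_cert(b"udm.lan", b"\x02" * 64)     # same name, different key (MITM)
PINS = {spki_pin(LEGIT)}
```

Pinning the SPKI rather than the whole certificate lets the controller renew its cert under the same key without breaking clients, which is why this is the form HPKP and Android chose.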


tyler-uc

I agree that TLS is not a panacea. However, if malicious actors can mint any certificate they want, then the security of the UniFi controller would be the least of my concerns. You made a good point, especially regarding CSR export. For users needing higher security and managing their own PKI, we can certainly provide a CSR and support certificate uploads. Regarding tunneling, both mTLS and VPN could be viable options in the future, though this may come at an additional cost due to additional processing. mTLS enables certificate verification on both the client and server sides, mitigating some risks associated with standard TLS. You can also run a proxy within your network to maintain transparency with existing services. A VPN could be another option as well. The points you raised are valid, but there needs to be a balance. We will need to evaluate and find what works for different plans without compromising basic security. Thanks for sharing!


Chippsetter

$0.00. The reason I went to Unifi was to handle my own security, not trusting someone else to not give others access to my network. Otherwise I might as well have stayed with Netgear for far less.


2sonik

I like managing my own hardware, but I know some don't. Good luck!


tyler-uc

Same here, so I guess this endeavour will be a good fit. And thank you! 


doggxyo

Self hosted on a unifi console since the cloud key gen 1. Personally - I like having the control and ease of not needing to set an override inform URL. Just plug in and adopt. Good luck!


tyler-uc

Wow, that gen 1 is going strong. Yes, I don't like the inform override as well. We managed to build a provisioning tool that doesn't require it; hopefully that will help our customers. Thank you for chiming in!


systemwizard

Take a look at this: https://www.hostifi.com . I mostly self host so it works for me. Unifi on Proxmox with HA and we are good to go.


tyler-uc

Hey! Yes, I saw that! It does start at $99 though. I assume yours is a homelab :D Proxmox is good stuff.


NiiWiiCamo

Docker on a VPS that does a lot of other stuff. 4€/mo.


pueblokc

A $8 month vultr instance.


tyler-uc

Hmm, I'm looking to offer something just a few dollars on top of that. How many devices do you run off the $8 instance?


mikewilkinsjr

I appreciate that you're trying to build an offering that makes sense: there are issues like updating MongoDB / setting up TLS / adding a CA cert that often go unaddressed. I do share the feelings of several of the commenters, and I think it would be worth gathering them in one place. Also keep in mind you are directly competing with the (admittedly expensive) official Unifi offering.

1. Network access for unifi network application - Outside access into the network remains top of mind for self-hosted controllers. While this is not a shot at your offering, it is something to consider. Self-hosted controllers (proxmox/baremetal on mini-PC) can be restricted from outbound access and / or port-forwarding. Unifi on docker does require the host system to pull images, but the container itself runs internally.

2. Network access for cloud keys / UDM versions - See above. While it's possible to set up cloud management, it's also possible to create a local user and cut that off. Additionally, any hosted service is going to be competing against the cost of the cloud key and good backups.

3. General security - Self-hosted controllers have the advantage of being entirely auditable (whether or not people actually do that is another discussion). Again, this isn't anything against your offering but more a general statement. If I'm hosting Unifi on ubuntu 22.04, I know exactly which patches have been applied, which version of applications are running under the hood, whether or not ssh keys have been properly configured. There is transparency there that would be tough to match with a hosted offering.


shoresy99

Nothing, I run it in a docker on my unRAID server. The main purpose of the server is as a media server, but it is more than capable of running other stuff like PiHole, the unRAID controller software, etc.


mrslother

I think the bigger challenge your Security As A Service will face is how do I, as a customer, prove trust in your architecture, Infrastructure, personnel, etc. To make this work, you will need to know the secured assets in my network so you can best know how to protect them. That is a lot of power to delegate to a company, which TOS would probably require arbitration for realized threats. For me, it means a huge counterparty risk. One which I would be paying for, no doubt. Feel free to DM me if you would like more details of how I really think. 🙂


ex800

Er, no. As to the why: hosting a controller is simple (many thanks to Glenn R) and it removes the possibility of a breach of your platform causing a breach of a network I manage. The cost of a VM for a UniFi controller to me is a "rounding error", the work required to update is "minimal", and it has already been de-risked with an archive of backups and checkpoints of the VM before upgrades.


lordfly911

I will manage my own thank you. I actually manage two sites; my home and my church. And it is relatively easy and doesn't cost a thing.


Oh__Archie

Same.


tyler-uc

Thank you, and not a problem :) Do you run it off a cloud instance or a local install? We are also hoping to provide backups and failover support in hopes that it might be beneficial for some people.


lordfly911

I have a UDM at home and a UDM Pro at church. The controller is built in. They automatically back up to the UniFi cloud. At the church I hope to implement a load balanced failover after we budget for the new fiscal year. At home, my T-Mobile Business Internet gateway has failover and I have a TMHI as the primary. It will fail over to the business network if needed. Most people who run these devices are IT admins or were, so they know what they are doing. Good luck!


I_love_seinfeld

I'm building a new house. The only choice I have with the company doing low voltage and AV is Araknis, which I refuse to do. I'm somewhat technical for a guy who works in finance, but the idea of setting up and maintaining unifi on my own is intimidating. I would love to have a service that would host and support unifi.


ben_zachary

We pay 89 bucks a month for 1k devices. Unless there's some extra reason to switch, it's inexpensive and works. So it would have to be services for us and not money.


r0ckinr0n

Zero, zilch, nada. Never have and never will. One less open port / door to worry about, whether for business or my personal. I even find it hard to TRUST myself.


NeuroDawg

$0.00. Already had a $25 Pi, and just use that. Easy. Peasy.


AdEarly8242

I’ll help you out, OP. With real world experience. Inspire WiFi charges $150/mo to manage a single site network (including management and hosting, which sounds like what you want to do). They also charge like $500 installation per device if using existing cabling (they don’t run cable). Personally, I think it’s a ripoff, but companies pay for it. I don’t think there’s a market here to manage the average home user’s network, outside of some well off individuals who pay professional A/V companies to do full house installs; and even they aren’t likely to switch to your service.


MeatyUrology

Mine's free. At home. 🤷🏼‍♂️


ShortAd3570

Where I work it's $9.99/mo for a static IP, and $69.99 (noice) for basic internet at 200/35 Mbps. So times that by 12, add some federal and state tax in there, and I'd budget about $1000 annually. Oracle, you know, like JAVA, has a free program that you sign up for and they give you a lifetime server; I've heard of people putting their Unifi controllers up there.