SonicWALL glitch leaves networks unprotected

December 3rd, 2008 by Chris Buechler

A licensing server glitch caused thousands of SonicWALL firewalls to become unauthorized and disabled all protection.

It is being reported that firewall services have stopped and that spam, viruses, and other bad things are flowing in without a hitch.” – SANS ISC

It appears everything stopped functioning – firewalling, VPN, you name it. Obviously not such a good idea to have your network protected by DRM that can so easily go haywire and disable all protection!

SonicWALL outage frustrates customers who felt exposed

Frustrates?  I’d use far stronger words if I were a customer.

14 Responses to “SonicWALL glitch leaves networks unprotected”

  1. Ken Says:

    I’ll never consider sonicwall anymore. orz

  2. Scott S Says:

    I just replaced my last Sonicwall with pfSense. I had an issue once before where I could not upgrade a Sonicwall for a customer for over 4 days because their licensing servers were down. Left me with a very sour taste.

  3. Manuel Says:

    That’s gross. In no way a developer can’t think about something like this at some design phase.
    Of course, assuming there was one in first place.

  4. Chris Buechler Says:

    It’s astounding to me that companies still feel DRM/activation/licensing schemes like these are a good idea. I’m not anti-commercial software by any means, but schemes like this are absurd. If someone wants to pirate something this isn’t going to keep them from doing so, and they just royally screwed a huge number of their customers, potentially all of them.

    Then it’s one thing to screw up something, but this magnitude of a screw up shows they indeed didn’t put much if any thought into the process and what bad things could happen.

    Makes me wonder how much checking they do of licensing server responses. Could someone hijack sonicwall.com and deactivate every firewall with a rogue licensing server? Or DNS poison to point to a rogue licensing server on a more limited basis? Either are very possible if there isn’t some sort of strong authentication used, such as verification of a server certificate amongst other possibilities.

    We hear all the time about people dumping their Sonicwall gear for pfSense, usually because the Sonicwall didn’t work right, performed terribly, was completely unstable, or a combination of the three and the situation couldn’t be resolved by Sonicwall support even after replacing the hardware. Sounds like we’ll now start seeing them coming for a solution that cannot possibly be deactivated by some licensing server (or any other server, for that matter).

  5. Darth Joe Says:

    THANK YOU SonicWALL!

    This is by far the best advertisment for pfsense in a long time :-D

  6. Aaron C. de Bruyn Says:

    Chris,

    It absolutely will keep them from pirating it…
    The Sonicwall DRM is such a pain in the rear, it prevents you from using it legitimately most times, let alone a pirated version.

    Hell–you can’t even install firmware downloaded for one customers TZ180 to another customers TZ180–you have to download signed firmware specific to the customer. Oh–and if your subscription has expired, forget about upgrading the firmware or getting bugs fixed.

    The only reason I can figure people use Sonicwall is because someone higher up is getting a kick-back. The prices are artificially inflated for everything. What’s the difference to your Sonicwall is you have 1 VPN user or 100? Nothing–except a few bits you have to pay for the privilege of flipping.

    A company I once worked for was a Sonicwall reseller. We sold them no matter what the customer wanted–and when the device failed to perform, we just took their project in another direction. Lame.

    And the hardest part was me, sitting at home with my pfSense box, and another technician from my company with his pfSense box. We relentlessly duplicated the conditions we faced out a client sites and tested pfSense. It hasn’t failed us yet.

    I’m seriously thinking about starting a page on my site describing all the crap that Sonicwall can’t do that pfSense can…it would be very enlightening.

  7. Chris Buechler Says:

    “It absolutely will keep them from pirating it…” haha maybe, in this case. :) It seems their stuff is so screwed up it’s prevented their paying customers from using it, even long before this incident.

    It tends to be the case that the piracy protection companies put in software gets bypassed anyway and the only effect is it annoys your customers. I guess in this case maybe it’s so strict that it does prevent piracy, but also creates huge problems and gaping holes in their customers networks.

  8. Chris Buechler Says:

    Oh, and Aaron: I’d love to see a list of the stuff that doesn’t work with Sonicwall that does work with pfSense. That would be very interesting.

  9. Darkk Says:

    Nothing is ever going to be perfect. SonicWALL thought DRM was their answer to anti-piracy issues which in effect is. However, it basically puts their legit customers at risk of their firewalls failing due to licensing issues. I think what SonicWALL needs to do is provide a failover site in case something like this happens again.

    There is no such thing as 100% failproof. It doesn’t happen but they could have taken steps to reduce the risk.

    We are about to put SonicWALL NSA 3500 into production and this didn’t give me a nice warm fuzzing feeling. However, since we have other security products in place it’s not really an issue long as the “firewall functions” continue to work. Only thing that would be a problem if the VPN to our remote offices goes down because of this then it would tick everybody off and more work for IT.

    I am anxious to getting PFSense 2.0 in production because we use the Microsoft VPN and current version of 1.2.1 and earlier only supports one connection at a time to the same IP address so can’t use it yet.

    When we do get PFSense into production I will make a recommendation that we also purchase the commerical support. Hopefully we won’t need it but it’s our insurance policy.

  10. Slick Says:

    Why would you want to pirate it. As this post indicates it obviously has issues anyways :)

  11. Chris Buechler Says:

    The problem wasn’t that the licensing servers were inaccessible, a secondary site wouldn’t have done anything. Somebody screwed up something on their servers that caused them to actively invalidate people’s licenses. This wasn’t “oops, servers went down”, it was a much bigger oops than that. They could have had a server in every datacenter in the world and it wouldn’t have mattered, as accessibility wasn’t the problem. It seemed even firewall and VPN functions shut down.

    Nothing is 100% fool proof? Of course not – and making licensing a huge potential point of failure in the security infrastructure of your network is completely insane. Why add points of failure when the solitary purpose of that huge point of failure is the company you’re paying all kinds of money doesn’t trust you? It’s absurd.

    If I were about to deploy a Sonicwall anything I would send it back. I’m not going to tell you there is one firewall solution that’s a perfect fit for every environment – there isn’t. Anyone who says so is lying or stupid. I don’t use pfSense everywhere, I manage numerous Cisco devices as well as many other vendors, but I wouldn’t consider a Sonicwall anymore. (not that I’ve ever actually bought one or recommended buying one, I’ve managed a few)

  12. Aaron C. de Bruyn Says:

    Chris,

    I was working on compiling my list when I had a deliciously vindictive idea…

    I’m sure other people have horror stories about Sonicwall–so I did a quick whois….

    http://hatesonicwall.com

    I already posted one of my horror stories. I’ll post the rest over the next few days. If you or anyone else has a good horror story, feel free to post something.

    I’d also love to hear success stories of pfSense.

  13. David Says:

    SonicWall was never my preferred installation. I don’t know why but if I needed to install a commercial FW/UTM my first choice was Fortigate.

    The second thing is that sonicwall is not so common in Israel……

  14. Izinyoka Says:

    Yeah thats Sonicwall!
    There was a similar thing a few months ago where a typo in a URL meant that AV was not updating…

Please don’t post technical questions or off-topic comments. It is far more likely that your questions and concerns will be addressed effectively through one of our support channels.

Leave a Reply