BinaryWall-Shield

About BinaryWall

Just another computer professional

Cisco Gray Market Propaganda – FUD

I just came across Cisco’s gray market PDF promotion for Cisco Refresh. This “promotion” is spreading good old fashioned FUD – Fear Uncertainty and Doubt. Louis Rossman who is a champion of the right to repair speaks about this tactic a lot when used by large companies to try and control their product and reduce the repair ability of products such as a used firewall or other product.

In the case of Cisco’s promotional junk they are saying that buying used from resellers on eBay might introduce counterfeit equipment, or pirated software and how these could harm your business, so buy from Cisco new, or use their Refresh service!

What a sad attempt to prevent people from using second hand products. After all they wouldn’t make any money from people using second hand devices.

This is just another argument for why we need right to repair and open source software.

Firewall Vendors build appliances for the dump

Cisco, Juniper, Fortinet, Palo Alto and many others restrict the resell of their products through only authorized resellers, which destroys the secondary used market for such devices.

What’s even worse is in order to get software updates, repairs, replacements, or to register the device you must have purchased the device through the “authorized” resellers. The trick is you can only get the device new from the resellers such as CDW or a major seller, or if you wanted to import a used device you must have the “gray” market device “certified” that it is genuine and meets their quality control requirements. The price to certify a used device is MANY MANY times the price of a new device or what you may have paid for the device on eBay.

Sadly I have experienced this situation many times before. The first time I ran into this trouble was when I purchased a used ASA5506-X router from eBay. Later I bought a Juniper SRX300 and finally I tried getting a Fortinet firewall.

In every instance I pleaded my case to register the device as my own, as I have physical ownership of the device (possession is 9/10th the law?). In every instance the manufacture directed me to their gray market requirements. For example here is Juniper’s gray market requirements.

At the end of the day I couldn’t register the device, so I had no access to software updates, documentation, additional software or any services. I had an outdated used firewall with very little services beyond the ability to do basic routing and rule management. What a disappointment.

How are people expected to learn how to manage a firewall when the manufacture is gatekeeping the resources required to learn? I estimate that buying a Fortinet 40F+licenses and support would cost me maybe around $700+ for one year of support. What would I even use such a firewall for? I need it for a lab, not for my home. The bar for getting qualified with the latest firewalls is high.

Cisco’s prices would be even higher than Juniper with all their Firepower license requirements. I estimate it might cost me $1,000-$1,500 to get the hardware and software necessary to truly master their ASA firewalls.

So what does the life cycle for these products look like? I believe it goes something like this. A business buys the firewall with licenses and support. Once the device is no longer needed they sell them on sites like Amazon or eBay. Without any way to gain access to the support from the manufacture the device might sell, and if it does the buyer will have very limited access. I believe in most cases the appliance is simply thrown away, because who would buy a device without support?

Another quick point I wanted to make is how enterprise Firewalls have gone all in on the subscription service. Everything is a subscription. Take a Cisco ASA for example. They have a license subscription for Botnet support, IPS, Web Control, Smartnet, and Firepower. Each of these have a single year or multi year subscription. When you buy a firewall you pay every year for every piece of the product. Buying the product is just the start of your purchasing fun with whatever vendor you decide to use. Good luck 🙁

At the end of the day I finally decided on which firewall to use for my home, and which one to use for my labs. I’ll use the minimal enterprise firewalls for training in my lab where they will have no access to the world, but for my house I think I found the ultimate firewall – Opnsense!

OpnSense Firewalls

Opnsense is truly a liberating product with all the features I have been seeking. I’ll do a more elaborate post on their firewalls in the near future.

Even an old ASA5505 is better than consumer routers…

The ASA5505

I’ve been using an ASA5506 at home. The ASA5506 is a beast for a home router. I’m using the Security plus edition ASA and the licenses included greatly exceed anything I need.

I also powered up an old ASA5505 to do some DMZ Windows Server 2016 testing, and I’m always surprised at how much I miss using the switchports. I really wish the ASA5506 had switchports 🙁 Oh well. In any case even the base model of the ASA5505 is more than I could ever get out of a consumer grade router. I feel like once you go enterprise you never look back. I couldn’t imagine consumer grade equipment anymore.

From Physical to Virtual

Cisco VIRLUp until now I’ve been learning networking with just my home lab. I have a great home lab that I have invested a decent amount of time and resources into.However, setting up a new topology for different routing and switching exercises can be time consuming.

Just lately I decided to invest in Cisco’s VIRL. Virtual Internet Routing Lab (VIRL) is truly amazing! I can quickly design complex topologies and deploy them with a click of the mouse.

I admit it took a day or so to get it setup and working right, but using it is well worth the effort!

PLUS! I can integrate my existing hardware with the virtual network! That is truly amazing.

So now I don’t need to worry about having wasted precious $$$ on my physical hardware because I can put it to good use!

Although I will need to ditch 3 of my older switches. They served me well, but they cannot be upgraded past IOS 12.2, so they need to find a new home. I have some ideas where they can go!