I don’t really talk about gear or gadgets much unless something about them is just so impressive, or so disappointing that it motivates me to do so.

I like to maintain good security practices in my personal as well as my work computing environments. I also enjoy being able to provide myself and the networks I manage with enough security that we are well covered from any reasonable threat, yet not to the point that things become overly complicated to manage or impact the usability of the environment.

I don’t consider myself a security expert. I would not feel comfortable designing a security policy or architecture for a major financial institution doing on line trading and banking. I do feel pretty comfortable with my ability to protect my personal data and networks, and very comfortable that I am part of a team that is focused on increasing security AND usability where I work.

On my personal and work laptops I’ve been running a combination of a popular free software firewall, AVG (free version), and Microsoft Windows Defender. This combination has worked extremely well on my IBM Thinkpad X31, which is now going into its fourth year of life with a 1.6 GHz Pentium M and 2 GB of RAM. The combination has provided excellent protection, even though I rarely use my laptops where they aren’t behind some type of hardware firewall already.

On my Intel Core-Duo HP Compaq nc2400, this combination of software - in particular the software firewall - has caused me a bunch of headaches. The issue I’ve had is constant freezing, having to reboot this laptop multiple times per day. The freezes happen whenever anything changes in the status of a network interface, for instance when I open a VPN connection to my home network. The connection opens and the routing table is correct, but there will be a few seconds where my local network applications like Outlook seem to get “confused” and not know where to go. If I wait a few seconds after making the VPN connection, sometimes everything is fine: the traffic for the VPN goes over the VPN and the local traffic goes local. However, more often than not, if any network applications were open at the time, adding or changing an interface like this freezes the laptop and it must be hard rebooted.

I want my laptop firewalled at work. Knowing I’m not exposing any ports unintentionally is comforting. Knowing someone who happened to get local admin access can’t remotely browse my computer, connect via DameWare, etc, is a good feeling. Knowing that should some new worm come along and start probing the network, I’ll be immune lightens the load.

I discovered that my software firewall was probably the root of these network issues and freezes by trial and error. I don’t really blame the software firewall since it has worked brilliantly on my personal ThinkPad, and I use VPN connections frequently there too… But when I removed the software, a lot of my issues seemed to resolve themselves. No more holding my breath every time I had to connect via VPN… I have a hunch part of it might lie in the IDS/application scanning portion of the firewall software. Disabling those features might make a difference.

This is when the Yoggie caught my eye. It is a Linux-based hardware firewall on a USB stick, for Windows only. One of the big marketing points for the device is that you offload the security duties to this Linux USB host computer. The only thing is that whatever you gain in getting rid of your software firewall application, you lose because now you have reduced your full duplex gigabit Ethernet connection down to a half duplex 480 Mbps through this USB device. In addition the Yoggie must run a network RNDIS driver on your computer to set up a virtual network interface of sorts, which becomes your computer’s firewalled address. This driver also diverts the traffic at layer two from the Ethernet or WiFi into the USB device before it reaches the operating system. It is a significant hit in network speed if you are using Gigabit Ethernet now. You’ll notice it if you do large file transfers, video, etc. The Yoggie GUI and driver aren’t exactly lightweights in CPU and memory usage either.

I first installed the Yoggie at home on my ThinkPad. The install went smoothly. I had done a lot of reading ahead of time and knew exactly what to expect. I allowed all traffic on my home firewall to pass to the laptop and the Yoggie logged and filtered several port scan attempts. It seemed to work very well and I was quite pleased. Then I tried to check my mail. I use SSL encryption for IMAP and SMTP connections to my ISP. Yoggie wouldn’t let the SMTP traffic out. I disabled SMTP from the application scanning parts of Yoggie and it began working again. Ok, no big deal. Note that I uninstalled my software firewall prior to installing Yoggie.

The next day I installed it on my work laptop. This is where several days, yes days, of frustration and lost productivity began. The first thing that happened was that I could not connect to the Yoggie’s web console. This is the only way to connect with and configure the Yoggie. There is no telnet or ssh. If the web console isn’t working, you are pretty much out of luck. Yoggie has a tray icon that is green if the Yoggie is connected, blue if the protection is disabled, and red if the Yoggie is not connected. The Yoggie driver will disable all network connections if it is not connected.

I had a theory that the issue not connecting to the web console might have something to do with a local vlan we have with the exact same subnet the Yoggie was configured for. It shouldn’t have mattered, but trace routes to the Yoggie’s address were going to the default network gateway, not to the Yoggie device.

I unplugged from the Ethernet and rebooted. I was able to connect to the Yoggie this time around, so I changed Yoggie’s address to a very little used and highly unknown reserved IP segment of 1.0.0.0/29 - this is a perfectly valid address in the networking world, just a little unconventional. I immediately lost contact with the Yoggie after setting its address to 1.0.0.1.

I installed the beta driver, and the icon turned green again - showing that the driver and the Yoggie were again seeing each other. The Yoggie driver/network interface that it installs on the PC must have an IP address in the same subnet as the Yoggie. It would not configure itself with an address in the 1.0.0.0/29 subnet.

Once I figured out what was happening, I manually assigned a 1.0.0.2 address to the NDIS network driver/interface. After rebooting I was able to gain access to the console on the 1.0.0.1 address and change it back to a more conventional 172.x.x.x network subnet. I changed the NDIS driver/adapter back to DHCP and rebooted. The adapter picked up a new address in the same subnet as the Yoggie and everything *seemed* back to normal.
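Two things bit me in the steps above: a local VLAN carrying the same subnet as the Yoggie, and the driver’s requirement that its virtual adapter hold an address inside the device’s subnet. The script below is an added illustration (my own, not Yoggie’s code) that models both with a constructed routing table: a longest-prefix, lowest-metric lookup shows console traffic leaving via the physical adapter when the subnets overlap, and a subnet check covers the 1.0.0.0/29 renumbering. All addresses and metrics are made up for the example.

```python
import ipaddress

# Constructed routing table (illustrative addresses, not the author's real ones):
# (destination network, next hop or None if on-link, interface, metric)
OVERLAPPING_ROUTES = [
    ("0.0.0.0/0",     "172.16.0.1", "Ethernet",     10),  # default gateway
    ("172.16.0.0/24", None,         "Ethernet",     10),  # office LAN
    ("172.16.5.0/24", None,         "Ethernet",     10),  # local VLAN on the same subnet as the Yoggie
    ("172.16.5.0/24", None,         "Yoggie RNDIS", 30),  # virtual adapter added by the Yoggie driver
]

# Same table after moving the device to 1.0.0.0/29 and giving the adapter 1.0.0.2:
# the device subnet no longer collides with anything on the wire.
RENUMBERED_ROUTES = [r for r in OVERLAPPING_ROUTES if r[2] != "Yoggie RNDIS"] + [
    ("1.0.0.0/29", None, "Yoggie RNDIS", 30),
]

def select_route(dest, routes):
    """Pick the route a host would use: longest prefix first, lowest metric as tie-break.
    Returns (interface, next hop) or None when nothing matches."""
    ip = ipaddress.ip_address(dest)
    candidates = [
        (ipaddress.ip_network(net), gw, iface, metric)
        for net, gw, iface, metric in routes
        if ip in ipaddress.ip_network(net)
    ]
    if not candidates:
        return None
    net, gw, iface, _ = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return iface, gw

def adapter_matches_device(adapter_ip, device_cidr):
    """True if the adapter address sits inside the device's subnet, as the driver requires."""
    return ipaddress.ip_address(adapter_ip) in ipaddress.ip_network(device_cidr, strict=False)

if __name__ == "__main__":
    # With the overlap, packets for the console address win the tie on the physical NIC
    print(select_route("172.16.5.1", OVERLAPPING_ROUTES))      # ('Ethernet', None)
    # After renumbering, the /29 is the longest match and goes to the virtual adapter
    print(select_route("1.0.0.1", RENUMBERED_ROUTES))          # ('Yoggie RNDIS', None)
    print(adapter_matches_device("1.0.0.2", "1.0.0.1/29"))     # True
    print(adapter_matches_device("172.16.5.2", "1.0.0.1/29"))  # False
```

Running `route print` on the laptop and comparing it with this lookup is a quick way to tell whether console traffic is actually reaching the virtual adapter before blaming the device.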

I tried opening our help desk ticketing system, it wouldn’t open. I tried opening our SharePoint site, it wouldn’t open. Disabling the HTTP scanning in Yoggie fixed those issues.

One of the most annoying things about Yoggie is the interface. Half the time, it comes up “page not found” for as yet unknown reasons. The interface itself is abstracted and obscures the true operation of the device - presumably to make it an ‘easy’ console for non-IT types. It makes it tremendously difficult to troubleshoot. Unlike other firewall configurations, there is no set of access-lists and hard defined configuration to check, dump, save, restore, etc… You have the ability to open ports to individual IP addresses, but not to a range or an entire subnet. You have very little control over anything else. The Yoggie has its own internal rules it follows, making ‘adaptive’ changes as it sees fit. The problem is there is no way to tell what these changes are, or how they might affect your legitimate operations. The firewall rules, which include a whitelist and blacklist in addition to individual ports, are particularly confusing on the first time through.

It is very hard to know if the Yoggie is actually working. You can try a test download of the EICAR test antivirus file. Yoggie will pop up a webpage and say it was blocked. This is the only proof you have, unless you want to set up another machine and port scan yourself to see if Yoggie does anything.

I’m hoping that one more reinstall with the standard driver will get Yoggie working the way it is supposed to.

In theory it is a really handy device and lets me lighten the load on my machine considerably. In reality it has been really buggy and non-intuitive to get running past a default install.

Support has been responsive on one occasion. Of course they are located in the UK and Israel, and Saturday is the sabbath so I don’t expect to hear anything until Monday.

One thing I’ve found very strange is that: A. their drivers are unsigned, and B. their support website has been overrun with pornographic spam in several places! - and it is several weeks old already. This reflects poorly on a security company.

They also make a Gatekeeper pro, which is a USB hub sized firewall that connects via Ethernet like a standard firewall. It gets power from the USB. You can use it with any OS, as Yoggie Pico is limited to Windows because of the RNDIS driver. The drawback is that it only works on your Ethernet connection.

My advice at this point - don’t bother. I’m a geek. I don’t mind playing around with this or that and usually pick up a little knowledge in the process. But as a solution, it just isn’t quite there yet.

I may end up going back to some version of my software security. We’ll see.

- LATEST update: Yoggie came through and I got a brand new Pico PRO in the mail today. Downloaded the latest software and it seems to be working like a charm. Many thanks to Gil and Ilan at Yoggie support.

- Another update. I have been in almost daily contact with Yoggie support. They’ve decided my unit is defective and given me a local address to return it to. Upon receipt, I’ll be sent a working unit. I’ll update on the new device. For now, my free Comodo firewall is providing ample protection and the extra load on my system has not been noticeable.

Update: I did hear back from Yoggie support on the web console issue. They told me I should be using the beta driver and not the standard driver. They suggested I try physically disconnecting and then reconnecting the Yoggie before I reboot the laptop. I tried that and it didn’t work. I’m still having issues accessing that web console. The AV aspects of Yoggie are pretty much disabled because of the issues mentioned previously - so EICAR simply downloads, at which point AVG picks it up. I’ve tested Yoggie pretty extensively, port scanning it from external machines on the same subnet. It has been a solid performer in that regard. This is kind of cool, especially on a public Wi-Fi network. I wish that dang web console wasn’t so buggy - I can’t view the logs or make any changes. I also wish there were some alternate interface like telnet or ssh from the client PC. I also wish there were more options for configuration. As far as the file scanning goes, and disabling those features - no external device is going to give you any virus scanning on an SSL connection anyway. The content is encrypted - so you need AV software running that is going to scan that sucker after it gets decrypted and before it gets executed in RAM. Oh yeah - I think the driver is signed now; and I contacted Yoggie support about the porn in their comments fields. It seems to be gone ;-)

–Charles Socci