RT2600ac Discussion on TP Security Mode (As Opposed to Network Stability Mode)

I'm playing around with TP's Security Mode, which is not the default.... Per TP, what IS the default, 'Network Security Mode': if too many packets arrive, they are passed and not scanned by TP .. and that is the default... To keep connection stable... What is Stable?

Does that not seem like an Advertisement for a simple work around of TP??
“Just throw many packets at it, and some will be not scanned at all”???

But, could this be a feature for 6600, and the 2600 (weaker) gets it by default from latest firmware? Does 2600 have the available power to use this???

So, I go looking for the equivalent of Resource Monitor in the 2600, so I can monitor the CPU and RAM used by the 2600 while I browse... Figuring that CPU and RAM usage would increase with more work examining packets.... And with that I could see the Router getting overloaded, and use that as a tool to test the 2600 for being able to use TP’s “Security Mode”.... ??
BUT: Don't find current CPU & RAM usage info in 2600... Does it exist in 2600????

Next... Blindly turn on "Security Mode" in TP and will see how it reacts.... Informed Wife of a potential change in web surfing, and asked her to inform me of any changes..... or slowdowns, and I search myself for gaps in operation.... Shields UP at GRC reacts as normal... Other browsing seems normal..... So I post here..... for direction in this after finding no further in-depth information. ???

Does anyone have history with Security Mode in TP, and wish to share? Or any other docs on this that would go into greater detail? I'm running it on a RT2600ac with V1.3.1-1

OH YES! and a location in 2600 where I could see present CPU & Ram Usage? I thought I found it once, but I could be thinking about NAS, and not the Router.....

Thanks for any comments....
 
Solution
I think we have a winner! RT2600ac router with EXT4-formatted M.2 in USB 3 enclosure as LOG and Threat Prevention Storage:

Login as admin, then change to root:
Bash:
sudo -i

External USB speed test as a reference: 493.46 with cache, 75.06 drive alone
Bash:
hdparm -Tt /dev/sda

Trim External USB Drive: didn't complain.... or report anything... (Verbose: fstrim -v /volume1)
Bash:
fstrim /volume1

External USB Drive speed test after: 608.90 with cache, 75.64 drive alone

Now.... How often to do Trim?

Afterward all logs and TP User Rules are still there, and system reports all is good!!! :)!


Interesting footnote to this: Other than my logging in & out, and successfully enabling & disabling SSH, there are no other logs indicating anything...
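An added check to go with the procedure above (example code written for this page, not part of the post and not Synology's tooling): a USB SSD only benefits from fstrim if the USB bridge in the enclosure passes TRIM/discard through to the drive, and many do not; in that case fstrim simply fails with an "operation is not supported" style error rather than trimming anything. The script below reads the kernel's discard_granularity for the device and the filesystem type of the mount before calling fstrim -v. Note also that hdparm -Tt reports MB/sec, and the "with cache" figure measures RAM, not the SSD, so only the "drive alone" figure says anything about the disk. The device name sda, the mount point /volume1, and a POSIX sh with awk on the router are assumptions; the sysfs root and mounts table are parameters so the checks can be exercised against constructed files offline.

```shell
#!/bin/sh
# Added example, not from the thread: check that an external SSD behind a
# USB-to-SATA/NVMe bridge actually exposes TRIM (discard) to the kernel and
# that the mounted filesystem is one fstrim can operate on, then trim it.
# Assumptions: device "sda", mount "/volume1", POSIX sh + awk on the router.
# The sysfs root and mounts table are parameters so the checks run offline.

# Succeeds when DEV (e.g. "sda") reports a non-zero discard granularity,
# i.e. the kernel will accept discard requests for it.
discard_supported() {        # discard_supported DEV [SYS_BLOCK_ROOT]
    f="${2:-/sys/block}/$1/queue/discard_granularity"
    [ -r "$f" ] || return 1
    [ "$(cat "$f")" -gt 0 ] 2>/dev/null
}

# Print the filesystem type mounted at MOUNTPOINT (from /proc/mounts by default).
fs_type() {                  # fs_type MOUNTPOINT [MOUNTS_FILE]
    awk -v mp="$1" '$2 == mp { t = $3 } END { print t }' "${2:-/proc/mounts}"
}

# Succeeds when FSTYPE is a filesystem fstrim can trim.
fs_trimmable() {             # fs_trimmable FSTYPE
    case "$1" in
        ext4|xfs|btrfs|f2fs) return 0 ;;
        *) return 1 ;;
    esac
}

# Run fstrim on MOUNTPOINT (backed by DEV) only after both checks pass.
trim_volume() {              # trim_volume MOUNTPOINT DEV
    t=$(fs_type "$1")
    fs_trimmable "$t" || { echo "$1: filesystem '$t' cannot be trimmed" >&2; return 1; }
    discard_supported "$2" || { echo "/dev/$2: no TRIM support through this USB bridge" >&2; return 1; }
    fstrim -v "$1"           # -v reports how much was actually trimmed
}

case "${1:-}" in
    run) trim_volume "${2:-/volume1}" "${3:-sda}" ;;
esac
```

Run it as root on the router with `sh trim_check.sh run /volume1 sda`. If discard_supported fails, TRIM is not reaching the drive and re-running fstrim will not help; a different (UASP-capable) enclosure is the usual fix. On the cadence question: a weekly trim is what systemd's fstrim.timer defaults to on desktop Linux, and that is a sensible default for a log volume; how to schedule it persistently on SRM is not covered here.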
Did find active 2600 Router CPU & RAM Usage in DS ROUTER at bottom of router info page.
Tomorrow will switch back and forth to see what changes with the switch.

For now I watched CPU & RAM for about 8 min with “Security Mode” on, and CPU went up and down from 39-54%… and RAM went from 48-54%
 
This morning did a comparison of CPU & RAM usage of TP SECURITY MODE vs. NETWORK STABILITY MODE...

THIS ON RT2600ac with V1.3.1-1 on it... No Guest, No VPN, No VLAN, TP with ~160 User Rules in addition to TP Settings. With 160+ User Rules to TP (Running on an M.2 SSD in a USB3 Enclosure, connected at USB3 Speeds-With documented M.2 Speeds far exceeding SD Card Speeds).... 160 User Rules in TP is probably pushing the TP system....

I had switched to Security Mode yesterday... Checked TP Overview to see if the ramps had increased or decreased... They stayed about the same, with no apparent change...

So, using BOTH Phone with DS ROUTER to check CPU & RAM USAGE on RT2600ac.... and then added a PC access to 2600 as well, I did some tests:
Each test took approx 8-10 minutes.... and I documented CPU and RAM Percentage ranges for High's and Low's, and PEAKS, if any existed.... MY FINDINGS:

With SECURITY MODE ON, and connected Phone with DS Router to see CPU & RAM:
CPU 40-59% with a spike of 85
RAM 57-59%

With above, Logged into Router via PC and Phone simultaneously, and connected to TP
CPU 48-60% with a spike to 99
RAM 57-59%

Both PC & Phone connected: Changed TP from SECURITY MODE to NETWORK STABILITY MODE... (This was during the "Starting Service" Prompt in TP):
CPU 80-94%
RAM 66-72%

Both PC & Phone connected: After I saw TP Report: System Well Protected in NETWORK STABILITY MODE:
CPU 48-61%
RAM 65-66%

Both PC & Phone connected: Then, I changed back to SECURITY MODE... (This was during "Starting Service" in Prompt in TP):
CPU 50-62% with a spike to 99
RAM 65-70%

Both PC & Phone connected: Finally I watched it in SECURITY MODE again... (This during TP: "System Well Protected")
CPU 50-61%
RAM 57-68%

Finally I disconnected PC from router.... CPU & RAM numbers using Phone & DS ROUTER only matched the beginning numbers...

Findings:
1. There is NO Appreciable CPU & RAM difference between SECURITY MODE or DEFAULT: NETWORK STABILITY MODE....
2. With no DS Router or PC Logged in..... There is CPU & RAM Left to do work.... Enough? I don't know....

BUT: I'm Leaving TP in SECURITY MODE.... and Wife & I will see how it works over time....

Open to any comments..... I'm making this up as I go along!
 
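The comparison above was done by watching DS Router by eye for 8-10 minutes per mode and noting the highs, lows and spikes. The script below (an added example written for this page, not from the post and not Synology's software) does the same from a root shell on the router, so both modes can be sampled at the same interval over the same duration and the ranges compared on equal terms. CPU busy percentage is derived from two reads of /proc/stat, RAM from /proc/meminfo, with a fallback for kernels that lack MemAvailable. It assumes a POSIX sh with awk and a /proc filesystem on the device (SRM's BusyBox userland is assumed to provide these); both helpers take their input as arguments or files so they can be checked offline against constructed data.

```shell
#!/bin/sh
# Added example, not from the thread: sample router CPU and RAM usage from a
# root shell (SSH, then sudo -i) and report min/max over a run, reproducing
# what the posts above read off DS Router by hand.
# Assumptions: POSIX sh + awk and /proc on the router (SRM BusyBox userland).

# Busy CPU percentage between two "cpu ..." lines taken from /proc/stat.
# Fields after "cpu": user nice system idle iowait irq softirq steal ...
cpu_busy_pct() {             # cpu_busy_pct "PREV_LINE" "CUR_LINE"
    printf '%s\n%s\n' "$1" "$2" | awk '
        { total = 0; for (i = 2; i <= NF; i++) total += $i
          idle = $5 + $6                       # idle + iowait
          if (NR == 1) { t0 = total; i0 = idle } else { t1 = total; i1 = idle } }
        END { dt = t1 - t0
              if (dt <= 0) { print 0; exit }   # no ticks elapsed: nothing to measure
              printf "%d\n", 100 * (dt - (i1 - i0)) / dt }'
}

# Used RAM percentage from a meminfo file (default /proc/meminfo).
# Falls back to MemFree+Buffers+Cached on kernels without MemAvailable.
mem_used_pct() {             # mem_used_pct [MEMINFO_FILE]
    awk '
        /^MemTotal:/     { total = $2 }
        /^MemFree:/      { free = $2 }
        /^Buffers:/      { buffers = $2 }
        /^Cached:/       { cached = $2 }
        /^MemAvailable:/ { avail = $2 }
        END { if (avail == "") avail = free + buffers + cached
              if (total == 0) { print 0; exit }
              printf "%d\n", 100 * (total - avail) / total }' "${1:-/proc/meminfo}"
}

# Sample every INTERVAL seconds for DURATION seconds; print each sample and
# the observed ranges at the end, so two TP modes can be compared fairly.
sample_loop() {              # sample_loop DURATION INTERVAL
    duration=${1:-600}; interval=${2:-5}; elapsed=0
    prev=$(head -n 1 /proc/stat)
    cmin=100; cmax=0; mmin=100; mmax=0
    while [ "$elapsed" -lt "$duration" ]; do
        sleep "$interval"; elapsed=$((elapsed + interval))
        cur=$(head -n 1 /proc/stat)
        c=$(cpu_busy_pct "$prev" "$cur"); prev=$cur
        m=$(mem_used_pct)
        [ "$c" -lt "$cmin" ] && cmin=$c
        [ "$c" -gt "$cmax" ] && cmax=$c
        [ "$m" -lt "$mmin" ] && mmin=$m
        [ "$m" -gt "$mmax" ] && mmax=$m
        printf '%5ss  cpu %3s%%  ram %3s%%\n' "$elapsed" "$c" "$m"
    done
    printf 'range: cpu %s-%s%%  ram %s-%s%%\n' "$cmin" "$cmax" "$mmin" "$mmax"
}

case "${1:-}" in
    run) sample_loop "${2:-600}" "${3:-5}" ;;
esac
```

Usage from a root shell on the router: `sh sample.sh run 600 5` for a ten-minute run at five-second intervals; run it once per mode with the same traffic pattern (the spikes to 99% in the posts above coincide with TP restarting, so wait for "System Well Protected" before starting a run). Busy time here includes the sampling shell itself, which is small but not zero on a router-class CPU.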
As I read it, the difference between the two modes is what happens when TP is under high load (and by extrapolation the router's CPU/RAM too). Either you want to maintain throughput of traffic or you want to process all connections: basically traffic priority or security priority. And you won't see much, if any, difference between either mode until you are stressing the router and TP.
 
Agreed, but nowhere have CPU & RAM tests been posted. Had no idea how much “head-room” was still available, and never saw any posts about it. And considering a major upgrade had been done, with memories of how 6.2 decreased workload on a 215J, this information was not known, but now is. I did not expect any difference in the two modes, but did not know for sure, so the tests.
I’m continuing on in SECURITY MODE — To ‘see’ what happens.

It still does not make sense to pass packets when there are too many of them….. That sounds like a Security Flaw in itself!
 
It still does not make sense to pass packets when there are too many of them….. That sounds like a Security Flaw in itself!
That's why when spec'ing a device you choose the model that supports the performance levels you anticipate you will need. Looking at Fortinet you wouldn't use an FG-60F when the performance needs aren't met until using an FG-1100E.
 
Just for kicks..... Checked... Only 2 PKGs running on my 2600: TP and SA...

So.... For Kicks, STOPPED SA to see what effect it would have on CPU & RAM...

5 min later, CPU did not decrease with SA stopped... RAM usage fell 2%.... OK... SA is not a 'big' drain... Re-Started SA.

At this point, this was only thing I could halt to see CPU & RAM effects..... anybody know others??

So at this point, if I encounter a bottleneck, I don't have much to halt to alleviate it... Haven’t yet, but now I know what this does!

Testing of SECURITY MODE In TP Continues.... Maybe because I have only 2 packages running, I won't see anything due to fewer resources being used: More ‘Headroom’ in 2600 still available!

Anyone have any other information on this?

My neighbor has a 2600 with 1.2.5-3/4. He never checks on it, or updates it. Next time I go there I’ll ask to examine TP to see if the switch is there. Last time I checked his SD Card was dead. I gave him another SD Card. He’s the reason I did the M.2 in USB 3 enclosure here!
 
Ok, that simplifies calling my neighbor!
Probably something Synology found when they ported over 1.3 to 2600 & 2200, and implemented to hide future problems with users. (Wild Assed Guess).
Not at all out of line, but strengthens my supposition that my using just a few packages allows me to ‘get away’ with SECURITY MODE. 😁
Hey! Time will tell!
BUT: This is certainly ‘Take 2’ of V6.2 on 215J……. But with the 2600 Router. Actually makes sense, though, seeing that 1900 never made it to V1.3.
 
No problems so far! Wife is alerted (and would be first to detect anyway)

But what’s the difference between what you just posted….

And the Default setting: That allows packets to pass without examination — just because there are many packets?

A lot, I expect.

This does not make sense to allow that default setting to happen. It’s counter productive to what TP is supposed to do in the first place, right???

I don’t know what the non default TP setting will look like when it is exceeded, but it won’t pass untested packets.
 
A session contains one or more packets. Most processing will happen on a session’s initial packets. Either Synology meant sessions (drop new when unable to process) or packets of new and existing sessions (dropping new sessions, and disrupting or dropping existing sessions).

You will only see this feature working when the router is under load with corresponding high traffic. I don’t remember Synology’s data sheet providing the same level of information as vendors that sell to business, e.g. Fortinet, Palo Alto, Check Point. Have a look at those and they include performance info when different features are in use: just firewall; with IDS/IPS; full features.
 
So, Why all this futzing around? My Theory:

IF I don't want TP to pass Un-Processed Packets when TP gets "backed up".....
The Faster I can Process TP Events (With TP rules of all types being placed on an external device, be it SD Card or USB2/3)
The Faster TP can move onto the NEXT EVENT...
IF:
Multiple Events occur simultaneously.... THEN CPU & RAM usage goes up... As they wait for processing... This can exceed CPU/RAM capability, and the software passes the packet on without processing..... (According to switch text in Settings) -- To protect itself from crashing? (Guessing, I have no idea)
The Faster the Event's are processed, the FASTER CPU & RAM will be 'freed up' Because that Event has been processed... and go onto the Next Event.

SO: Make TP Rule Access ABSOLUTELY AS FAST AS POSSIBLE..... ESPECIALLY SO now that TP software is warning us that the capability exists for it to become overloaded....... (This would seem to be true no matter which Setting is selected: SECURITY MODE or NETWORK STABILITY MODE)

That's my logic !
 
Not sure what your point is. This is a consumer level device. The majority of users want the Internet to be accessible, which is why the TP default is to pass on when the device cannot reasonably process connections when under high loading.

The first beta iteration of TP was a lot slower. That was when most home users had at most a few hundred mbps Internet connections and there were reported issues keeping up. When TP was released it was significantly faster but now gigabit Internet is widely available, and multi-gigabit will be the concern. With the older RT2600ac that may become a problem, not that I’ll notice on 380/36 mbps.

To be faster it would require the TP data to be held in RAM, but this is a consumer series. If I look at Fortinet, the lowest data sheet device that does 1Gbps threat protection (their bundle of features) is the Fortigate 100F, but I’d at least go for the 200F. Doing an online search finds the price for the device and three years of support and threat protection licences to be $14,500, exc. sales taxes. It’s not a fair comparison but my view is that SRM and TP do pretty well for the price.
 
@fredbert is right. This router is defined as consumer level.
Syno is unclear as well and their experiments with Suricata are for me a “do not touch” field.
In the latest SRM, Threat Prevention 1.3.1-0905 requires SRM 1.3.1 or above.
It means Syno uses a 1.5-year-old Suricata engine (6.0.3)!
Over SSH:
Bash:
suricata-update check-versions
 
I think I spoke my point a few times now:
Improving speed of TP So I can scan every packet, make the router last longer,
And, therefore, get the best bang for my bucks!
That is all!
You’ve done the best you can by using an external USB 3 SSD drive rather than HDD based (TP mandates use of an external storage device). Other than that you would have to upgrade the hardware… RT6600ax.

Other things to do to improve performance are to optimise firewall rules and minimise logging. In fact everything you enable and every extra rule/feature you add will lower overall performance. Back in the day the peak performance of devices would be tested with UDP, one firewall rule (any/any/allow), no logging, and two interfaces. Now it’s better and tries to have more real world scenarios. But the only real way to know how your device performs is to monitor it and upgrade if it cannot keep up when using the configuration you need.

Not sure it’s possible but if you can then only logging via syslog to the NAS should be slightly better than locally. But you have local SSD so that’s marginal, if even measurable, and is what business appliances do if you really need local logging/log recovery.
 
Let me add a step then. This SSD on USB 3……..

For SSD’s health, Do I, Should I, need to run an occasional TRIM on it?
Or just let it be?

I’m comfortable with firewall rules. Set in 3 groups: the Allows; the Tests; and the Denys. Followed by Deny ALL.

As long as the router is viable, it will be used. I realize what it costs. It is in my best interest to tweak it as best as I can now. So that when or if it is deemed to be obsolete I will know up front it is already working at 105% or more.
 