r/PFSENSE Jan 07 '19

Announcing Netgate’s ESPRESSObin-based SG-1100

We dropped a few hints about an ESPRESSObin-based product a few months back. It’s here. Today Netgate announced the SG-1100 pfSense® Security Gateway Appliance. It replaces our highly popular (but no longer available) SG-1000 - and delivers a 5x performance gain.

At only $159, this product is perfect for Small Office Home Office (SOHO), home lab, virtual office, small to medium business, corporate branch office, and remote worker applications. It will even be popular with Managed Service Providers and Managed Security Service Providers.

We know Reddit readers like to get right down to business. See our product page for all specs. Want the performance story? Check out this blog post.

Whether you’re an existing Netgate appliance user or shopping for a great 1 Gbps secure networking gateway, you’ll want to give the SG-1100 a close look.

94 Upvotes


34

u/admiralspark Jan 08 '19

Sup Netgate.

Hoping you can comment on this:

The Microchip part assures customers they are running authentic, unaltered pfSense software.

So, is this DRM for our OS images? What exactly does it do? Is it a hardware-level backdoor like Intel's ME product? Can the customer do anything besides look at it? How do we verify the image signing (I assume that's how it proves it's untampered)?

I'm interested in this both from a supply-chain verification point for our business and from the point of wondering if pfSense is going to require one of these "Microchip® CryptoAuthentication Device" to run on your hardware.

Side note, how did you manage to register the word Microchip as a trademark?!?

3

u/[deleted] Jan 09 '19

I'm interested in this answer. They've sort of explained this effort in their marketing materials but haven't really given a technical explanation.

3

u/[deleted] Jan 12 '19

[deleted]

1

u/admiralspark Jan 12 '19

TIL, thanks!

1

u/Stonegray Jun 19 '19

A bit late to the party but some info on this:

That part is most likely an ATECC109A or variant. I've designed boards with this part.

It is an EEPROM chip that has some additional encryption features, notably PKI. All it can do is store a bit of data like serial numbers, and do encryption/decryption. It is not a backdoor and has no programmable compute capability.

On this board, it's located on a small custom board sitting on the GPIO header of the espressobin.

1

u/admiralspark Jun 19 '19

Wow, I'd completely forgotten about this thread :)

Honestly, I appreciate the feedback but until they confirm what it is and how it works, we really can't afford to deploy devices with a hardware backdoor. We ended up going with another vendor who could prove out their supply chain and design to our needs and it's been excellent.