Updated License Agreement concerns
SonicWall sent an email notifying about an updated license agreement. No indication what was actually changed, but I found this:
"(f) In the event SonicWall identifies one or more critical security vulnerabilities in any of its Products, SonicWall may develop an update to remediate such critical security vulnerabilities ("Critical Update"). Customer agrees that SonicWall may, in its sole discretion, apply the Critical Update to any impacted Products in use by Customer. Critical Updates may be applied regardless of whether Customer has an active Maintenance Services agreement. Where practicable, SonicWall will provide advance notification of any Critical Update such that Customer can apply the Critical Update."
So SonicWall can at any moment install an update to your firewall appliance causing disruption to services and possibly introduce new bugs that impact your environment in a negative way.
I don't think this is a good idea. Customer should always have control of their environment. For example the recent management, SSL-VPN and IPsec vulnerabilities can be mitigated by disabling those services or limiting them with access rules.
If SonicWall decides that some appliance needs an update even with workaround applied, it could cause new issues for the customer. Maybe DPI breaks or NAT & access rules are deleted like with the 7.1.2 update. What happens if the customer downgrades because of this? Does SonicWall apply the update again?
This could maybe work with a hotfix release, but not with major releases. In any case the appliance needs to be rebooted which might cause trouble for the customer.
Comments
There's also this:
"(e) Failure to maintain current support services may result in: (1) a reduction or elimination of functionality, including the loss of security services; and/or (2) blocking of all traffic through the relevant appliance or service."
So they can brick appliances at their will. Looks like SonicWall really wants to shoot themselves in the foot. With already appalling technical support and buggy firmware, who in the long run wants to use their products anymore?
Firstly, it doesn't necessarily say it is or isn't a firewall appliance here, this might be about cloud services.
Secondly, I think they've started a new sales model with the TZ80 where you're "subscribing" to the firewall. Presumably the hardware is going to be cheaper in exchange for greater recurring revenue. So this license agreement change would be to support that.
That might be it, but since it's written in broad terms it leaves all options open. Critical Update isn't defined and it could apply to any product.
In both cases it should be defined to which products they apply and in what cases. Blocking all traffic might be ok if it's clear that it only applies to appliances sold as a subscription. Although I don't like that in general as a business model.
Thanks for your feedback and bringing attention to this topic. The recent changes to our terms address two separate issues. First, Section 10(f) clarifies that, in cases where products with critical vulnerabilities remain unpatched despite attempts to communicate the need to patch, we may take further steps to proactively apply patches in cases where that is an option. We understand that in some cases our products are being used by smaller businesses who may not be aware of the need to patch or may not understand the steps to take, so we want to ensure that they do not remain unnecessarily exposed to critical vulnerabilities.
The changes to Section 10(f) were made to clarify that in cases where customers have purchased products and services on a subscription basis, SonicWall may disable services when the customer stops paying for the subscription. This section applies in cases like SonicWall's newer SOHO subscription-based firewall offering.
So this is about on-premises equipment and not cloud services, then.
Clearly, mine is not an official SW response.
Yes, they are describing on prem hardware. Despite many repeated attempts to obtain current ownership information, they realize they have little to no control over, and limited understanding of who owns, the fleet of extant ancient hardware. Any one of those thousands of unpatched, vulnerable devices can potentially give the company a black eye when those sites are hacked/infiltrated or when data is exfiltrated. It doesn't matter the reason a firewall hasn't been updated in umpteen years. The press will say "a SonicWall firewall was used at the site of xyz breach." (Personal aside: I met with a prospect earlier this year who had a TZ400 installed in late 2018 that was never updated, nor were the subscriptions maintained. They got the device after they had been hacked… I dodged a bullet when they said, "No way!" after seeing how much it would cost to protect their environment.)
My conceitedly limited understanding of SonicWall's attempt with the new, significantly reduced-price TZ80 device along with its monthly-billed annual (yet perpetual) subscription is to clearly state: After the subscription expires, you have 90 days before the device will stop working. Therefore, if you want your client to stay in business and protect their investment, you must maintain the subscription. Does that make it more difficult for MSPs and other SW partners to manage this kind of fleet? Probably, but only time (and uptake) will tell. But the alternative, say of having a Gen 5 device still running without any security services and all the vulnerabilities, isn't a pleasant one.
And, as with all things SW, YMMV…
In the "stop paying, and your firewall shuts down after 90 days" business model, I wonder which is more likely:
a) Customer thinks "this Sonicwall that I've only had for a year or two already broke! I need a replacement quickly but I'm not buying one of these again!"
b) Customer renews their Sonicwall after a short break in service and all is well again. Customer vows to pay more attention in future.
There are always going to be customers who ignore/don't see/don't understand the increasingly urgent reminder emails about impending loss of service and then act all surprised and hurt when it actually happens.
How do Sonicwall competitors handle this business model, eg Meraki? Does it go off completely or degrade in some other way?
I haven't used Meraki but my understanding is that it goes off completely and without any grace periods. At least that's what I understood from a recent reddit post.
Someone also said that Meraki had made mistakes where despite customers renewing the services on time the order didn't go through properly and access was cut off anyway. So at least SonicWall has this grace period where if the renewal hasn't been processed properly there is a chance that you'll notice it in time, since I bet SonicWall will make the same mistake sometimes.
@Arkwright - my limited understanding from the presentation I didn't completely comprehend is that "customers" are not going to be able to purchase TZ80s; only SonicWall partners will be able to do so. Thus, the emails don't go to the customer, but to the organization that obtains the product and registers the support licenses. It will be up to the partner to convey the urgency of the subscription renewal to the client. If the client declines, they will need to find some other means of network protection before 90 days…
For any firewall manufacturer to have a back door into a firewall is plainly unethical and ought to be illegal, regardless of the motivation. You don't leave a key to your home with the fire department or the police department in case of an emergency and Sonicwall has no business updating firewalls on its own— for ANY reason.
Suppose someone threatens, bribes, or blackmails a Sonicwall employee into granting access to OUR firewalls (not THEIR firewalls). What then? Suppose an employee goes rogue? This sort of access simply should not exist, period.
You do realize that firewall appliances CONSTANTLY work with the SonicWall cloud to download/update files and information? There is NO "backdoor" here - everything is in the open, and has been all along.
For these new TZ80 devices, the implication is: if we, SonicWall, determine there's a threat from CVE-yyyy-xxxx, then we will update the device with the latest offering to protect it. (Yes, rebooting the device during operational hours will cause an outage - I've got nothing about that.) But the reason they are doing this is because there are literally tens of thousands of older devices that are NOT protected because no one takes care of updating them.
This process is absolutely NOT illegal. If you don't want to use this device with its requisite monthly subscription and licensing terms, then don't. No one's forcing you to. You can continue to maintain your existing fleet the way you see fit. But if you're not updating based on existing threat levels, your clients may not be very happy if they are breached…