CUJO Firewall: Approach with Caution

In my previous post I gave an introduction to whole-home Internet security. For the last few months I’ve been trying to get one of the early devices in this category, the CUJO, working. I have now tried CUJO in two totally different networking setups, and failed to get it working properly in either. I had total failure in one and a partial failure in the other.

What sets CUJO apart from other devices currently hitting the market is that it is a separate security firewall, not a new router or router feature.  That suggests you can upgrade, rather than replace, your existing network.  Given some may have unusual networking needs to address, the CUJO approach would seem to offer the flexibility that some of us need.  It also would seem to address the problem of how to add security to the modem/router/access point that your internet provider supplies.

I have three home network environments that I can use to try out new products. The first is as simple as it gets, and likely represents the environment of most Americans. It is a 2-bedroom condo with Comcast Xfinity as the Internet provider. Since it is small, the Xfinity combination cable modem/router/access point is completely adequate and thus its base networking setup is extremely vanilla. The second environment has CenturyLink as its Internet provider. It uses a CenturyLink-supplied Zyxel modem/router/access point, except I turn off the AP in favor of using a Netgear Orbi for WiFi. Though not purely an Internet-provider default environment, it doesn’t stray too far either. The third environment is very complex due to the lack of any landline Internet provider. As I didn’t try the CUJO there, I’ll leave out the details. All three environments contain a number of IoT devices, which leads to complexity on the LAN side. For example, there are definitely too many ZigBee/Z-Wave/BLE bridges because, despite using standardized protocols, many vendors require a bridge of their own. But again, that is another story.

My first attempt to get the CUJO working was in the condo, which I often use as a test bed because…my wife is infrequently there so she will never know how badly I mess things up!  There, I said it.  So I get my CUJO, watch the videos, read everything I can find, and get ready to set it up.  I discovered that with Xfinity you need a real hack to get CUJO to work.  I’m not above hacks, so I go ahead and follow the instructions to get it working.

Before we get into that, let me summarize how I understand CUJO gains access to your network traffic. You disable the DHCP server (the thing that hands out addresses to each device in your network, like 192.168.0.23) in your router and let CUJO serve up DHCP addresses instead. Along with the DHCP address, CUJO provides the LAN-side address of the gateway that the device should talk to in order to send data out over the Internet. CUJO tells every device to use it, rather than the router, as the gateway. That way every network packet to and from the device goes through the CUJO. CUJO can then sniff packets for malicious content, block accesses to bad URLs, and monitor for unusual communication patterns that might indicate a device has been compromised. For those who really care, CUJO also sets itself up in a sort-of double-NAT environment. It sets itself up as the gateway at 192.168.0.1, with DHCP handing out 192.168.0.x addresses, and changes your router to sit at 10.0.0.1.

The problem with Xfinity-supplied routers is that you can’t turn off their internal DHCP server.  So instead CUJO came up with the hack I linked to above.  I tried the hack on my router and could never get CUJO to work (it would always end up with its LEDs making the frowning face).  CUJO has easy access to support.  I talked to support, tried a few things, then let them connect into my router to try to get it configured.  We never did get it to work, and the technician suggested I try doing a factory reset of the router then install CUJO again.  At this point I’d spent most of a day on the problem, and decided I couldn’t face all the things that could go wrong with a factory reset.  So I managed to undo the CUJO hack and get my home network working properly again.

The CUJO sat in my cabinet for months, until I realized it was there and that Xfinity had since sent me a newer generation modem/router/AP. By definition, it had been “reset”! Of course they didn’t make it possible to disable the DHCP server, so CUJO’s hack was still necessary. Having a couple of hours before I needed to leave for the airport, I reset and again installed the CUJO. The results were no better: once set up according to CUJO’s instructions, my home network became completely inaccessible. And without a functioning DHCP server, even after removing the CUJO I struggled to regain access to the Xfinity router and return it to its proper configuration. I had to delay my departure for the airport, and nearly missed the flight, to get my home network back working properly before leaving. I could have tried calling CUJO support again, but I’d already spent way too much time on this device and was running up against that deadline.

Instead I’ve concluded that if you have Comcast Xfinity, don’t go anywhere near the CUJO.  I’m not saying you can never get it to work, just that it is not worth the likely aggravation of trying.  Xfinity subverts the basic mechanism that CUJO uses, and the hack means you are caught in the middle.  You could also replace the Xfinity-supplied modem/router/AP with separate non-Comcast components, and add CUJO to that, but it isn’t a normal consumer thing to do.

With CUJO and Xfinity not playing together, I decided to try the CUJO on my CenturyLink network. I knew the Zyxel modem/router/AP allowed you to turn off DHCP, so it should work the way that CUJO is designed for. I followed the instructions in the CUJO app, which automatically configured the Zyxel. Over a few hours all the devices in my house were recognized by CUJO, and were working correctly. All except a couple of WiFi security cameras. I waited 24 hours for their TTLs to expire to be sure they reached out to DHCP for a new address, but that didn’t help. They just wouldn’t join the network.

I looked at the instructions for my cameras and they mentioned a number of cases where they could lose WiFi connectivity (e.g., switching network gear). I took one of them and went through its process for connecting to a new network. To make a long story short, it was unable to get an IP address from DHCP. I did a hardware reset on the camera and tried the reconnect; no luck. I tried unplugging and re-plugging the Zyxel, CUJO, and Orbi. Well, first my entire network got screwed up. Nothing could connect to WiFi for the longest time. My wired Ethernet-connected PC picked up completely bogus information that I couldn’t clear with any imaginable combination of IPCONFIG commands, or the network troubleshooter. It appeared that it had gotten some information from the router’s DHCP and some from the CUJO’s DHCP, which would make sense later. It took a reboot to regain a useful Internet configuration. I then tried to connect the WiFi camera again, with the same result. It couldn’t get a valid IP address.

At this point I’d wasted hours and was no closer to getting CUJO working correctly, so I decided to remove it from my network. When I went in to turn back on the DHCP server in the Zyxel, I was surprised to find it was already on. I don’t know if the CUJO app had failed to turn it off, or if the Zyxel somehow turned its DHCP server back on. I thought about just turning it off, and manually verifying the configuration was proper for the CUJO, but realized it would take days to be confident that the change would “stick” and be comfortable the CUJO was working properly. So instead I changed the Zyxel back to sitting at the gateway address, removed the CUJO, and rebooted the Zyxel and Orbi. My network came back with all devices working. I had to finish the setup of the camera that I’d done a factory reset on, but this time it went smoothly. Now I had failure with CUJO on both Xfinity and CenturyLink.
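The DHCP takeover described earlier and the mixed-lease mess just recounted (two DHCP servers answering at once) are easy to confirm from the traffic rather than by guesswork. The script below is an added example, not CUJO's or Zyxel's code: it parses a constructed, simplified log of DHCPOFFER messages and flags any server other than the expected gateway, any offer that points clients at a different gateway, and any client that has heard from more than one server. The log format and the 10.0.0.1 "router still answering" server are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed log lines in a simplified "DHCPOFFER from <server> to <client-mac>
# yiaddr=<ip> router=<gw>" format (hypothetical, not real CUJO or Zyxel output).
# 192.168.0.1 plays the CUJO gateway; 10.0.0.1 plays an ISP router whose DHCP
# server is still switched on, the state the post describes on the Zyxel.
SAMPLE_LOG = """\
DHCPOFFER from 192.168.0.1 to aa:bb:cc:00:00:01 yiaddr=192.168.0.23 router=192.168.0.1
DHCPOFFER from 192.168.0.1 to aa:bb:cc:00:00:02 yiaddr=192.168.0.24 router=192.168.0.1
DHCPOFFER from 10.0.0.1 to aa:bb:cc:00:00:02 yiaddr=10.0.0.51 router=10.0.0.1
DHCPOFFER from 10.0.0.1 to aa:bb:cc:00:00:03 yiaddr=10.0.0.52 router=10.0.0.1
"""

OFFER_RE = re.compile(
    r"DHCPOFFER from (?P<server>\S+) to (?P<client>\S+) "
    r"yiaddr=(?P<ip>\S+) router=(?P<router>\S+)"
)

def parse_offers(log):
    """Return one dict per DHCPOFFER line; lines that do not match are skipped."""
    matches = (OFFER_RE.match(line.strip()) for line in log.splitlines())
    return [m.groupdict() for m in matches if m]

def audit_offers(offers, expected_server, expected_router):
    """Flag a second DHCP server, a conflicting default gateway, and any client
    that received offers from more than one server (the 'mixed' lease state)."""
    findings = []
    by_server = defaultdict(list)
    by_client = defaultdict(set)
    for o in offers:
        by_server[o["server"]].append(o)
        by_client[o["client"]].add(o["server"])
    for s in sorted(by_server):
        if s != expected_server:
            findings.append(f"unexpected DHCP server {s} sent {len(by_server[s])} offer(s)")
    for o in offers:
        if o["router"] != expected_router:
            findings.append(f"{o['server']} told {o['client']} to use gateway "
                            f"{o['router']}, expected {expected_router}")
    for c in sorted(by_client):
        if len(by_client[c]) > 1:
            findings.append(f"client {c} received offers from {sorted(by_client[c])}")
    return findings

if __name__ == "__main__":
    for finding in audit_offers(parse_offers(SAMPLE_LOG), "192.168.0.1", "192.168.0.1"):
        print(finding)
```

An empty findings list means only the expected server is answering and every client was handed the expected gateway; anything else is the condition to fix before trusting that traffic actually flows through the firewall.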

So conclusion number two is that even though CUJO has tried to make setup consumer friendly, it just doesn’t work reliably enough. I’m more sure I could have gotten the CenturyLink setup to work properly, if I wanted to spend another few hours between setup and testing, than I was with the Comcast Xfinity setup. But I worry it is all too fragile. Because of that, I just don’t think I’ll be giving the CUJO another shot.

This entry was posted in Computer and Internet, Security.