MDS Mitigation: any reason that's not enabled automatically?



  • Looks like this is new in 2.5, and I became only aware of it, as in the dashboard I recently discovered "MDS Mitigation: Disabled".
    So I was wondering what that was, and found a new setting in the System > Advanced > Miscellaneous section.

    The options there are
    Default (whatever that is)
    Disabled
    VERW
    Software
    Automatic

    My system had disabled, and I switched it to Automatic, now it operates in VERW mode.

    Anything that speaks against putting this in Automatic mode by default, after upgrading from 2.4.x?
    Any reason anyone would want to have that disabled?



  • Why enforce a performance penalty on everyone instead of only on those who need that functionality? If no Intel, you don't need this. If no multi-tenant environment, you probably don't need this.


  • LAYER 8 Global Moderator

    Even if a multi-tenant.. I dont' really see how the these sorts of exploits are real concern on a "firewall"

    And yeah its going to be a performance hit..



  • @KOM Well, I have an intel system, and the software should be able to tell that quite easily...

    @johnpoz If the exploit isn't a concern, then why even provide the option to mitigate?

    I have a rather binary view on things like these: either it's a problem, then it needs to be fixed; or it's not, then there's no need for a fix.
    You're telling me, it's not a problem, but here's a fix anyway... :D


  • LAYER 8 Global Moderator

    It could be a problem if were say running 3rd party code on your firewall that is untrusted. Or allowing users to access said firewall that could exe code.

    But in the vast majority of your typical firewall deployment this would not be a concern, in its present form.

    You also have those people that would scream and complain that why isn't xyz implemented... Even though not actually a concern.

    So you make it available, and those that "want" to implement it can - but with it being a performance hit.. I have to think that it would be the rare oddball use of pfsense that this could ever come into play as a concern.



  • @rcfa If you want to impose a 10-15% performance penalty on your firewall for no real reason, go ahead and apply the mitigation. I wouldn't bother.


  • Rebel Alliance Developer Netgate

    It's not on by default because it doesn't impact most users an appliance role.

    You could turn it on if you want if:

    • You have other users who login to the firewall who can run arbitrary code (e.g. from shell or Diag > Command), but they already probably have access to read anything this exploit would get them
    • You run something on the firewall from an untrusted third party repository or package source
    • You have enabled some other situation we didn't cover that has a way to run untrusted code on the firewall.

    It's there if you need it, it's there if you want it, but for most people using pfSense in its typical roles, it doesn't come into play.



  • @jimp OK, thanks, that is helpful.

    Seeing that many/most who are not full-time engaged in computer security issues don't have specific knowledge what implications individual, specific vulnerabilities have, a quick explanation alongside the setting might be helpful, because without knowing specifics, the standard reaction is: vulnerabilities are to be fixed, holes to be plugged, particularly in a network border security appliance.

    So without the above explanation, the question as to why it's not automatically turned on arises, and why it's meaningful to have it turned off in most cases isn't addressed.

    So a short text there, explaining the setting, might be helpful (when needed, performance impact, etc.)



  • There's Google for that. Explaining a CPU vulnerability, the mitigation and why you may or may not need it is a little more than a tooltip can handle. Personally, I don't want paragraphs of text wrapped around every option.



  • @KOM said in MDS Mitigation: any reason that's not enabled automatically?:

    There's Google for that. Explaining a CPU vulnerability, the mitigation and why you may or may not need it is a little more than a tooltip can handle. Personally, I don't want paragraphs of text wrapped around every option.

    A system that has configuration options, should explain them, particularly if they are non-obvious. Otherwise why even bother with a user friendly web interface? Just use the CLI, then you're not bothered by any "useless fluff".

    Right now, the description there is:

    "Microarchitectural Data Sampling mitigation. If disabled the kernel memory can be accessed by unprivileged users on affected CPUs. This option controls which method of MDS mitigation is used, if any."

    It doesn't take much to add:

    "MDS will not impact system security in standard use scenarios, however mitigation will incur a 10-15% performance penalty. The option exists for non-standard system use, such as e.g. installing untrusted third party software packages. For this reason, mitigation is disabled by default."


  • LAYER 8 Global Moderator

    You do understand pfsense is open source right - you could submit that wording if you wanted to..
    https://docs.netgate.com/pfsense/en/latest/development/submitting-a-pull-request-via-github.html



  • A system that has configuration options, should explain them, particularly if they are non-obvious.

    There's the rub: what's 'obvious'?

    Otherwise why even bother with a user friendly web interface?

    To enable you to get the job done quickly. I don't know why some people have this "GUI means it's easy" mindset. GUI makes it convenient but not necessarily easy. You still have to know what you're doing. The GUI gives you common options grouped together in an easy to work with interface. It's not meant to be a replacement for the manual, or to supply general knowledge about networking, computing etc.

    Just use the CLI, then you're not bothered by any "useless fluff".

    I know what I'm doing from a networking perspective. I don't necessarily know how to achieve what I want on FreeBSD via CLI.



  • @KOM said in MDS Mitigation: any reason that's not enabled automatically?:

    A system that has configuration options, should explain them, particularly if they are non-obvious.

    There's the rub: what's 'obvious'?

    A bug with a particular CPU architecture is non-obvious for anyone who's not steeped in computer security.

    You can't compare that with knowing what a port, IP address, packet, netmask, etc. is. There are basics one must know to meaningfully use a particular tool, so basic networking knowledge has to be "assumed known" when dealing with a tool like pfSense.

    What MDS is, and how it affects a firewall/routing/VPN software platform isn't standard knowledge, and thus can't be "assumed known".

    The suggestion to google this information is almost as meaningful as certain ISPs suggesting you use their online ticketing system if you experience trouble with your internet connection... ;)



  • @johnpoz said in MDS Mitigation: any reason that's not enabled automatically?:

    You do understand pfsense is open source right - you could submit that wording if you wanted to..
    https://docs.netgate.com/pfsense/en/latest/development/submitting-a-pull-request-via-github.html

    Thanks. I'll have to look into this. However, since for the most part I'm not doing sw development anymore, and even less so on FreeBSD or network programming, the number of contributions I'm likely to make to the code base is minimal, so to set it all up for two lines of text is a bit much.
    I may set it all up in the future, when I'm less pressed for time by other matters, "just in case", but right now I can't.


  • LAYER 8 Global Moderator

    Well you could be the grammer, description police if you will ;) And just submit PRs for the gui description stuff ;)



  • @johnpoz "grammar"

    ๐Ÿ˜† ๐Ÿ˜† ๐Ÿ˜† ๐Ÿ˜† ๐Ÿ˜† ๐Ÿ˜† ๐Ÿ˜† ๐Ÿ˜†

    ๐Ÿ˜˜


  • LAYER 8 Global Moderator

    hehehe - I did that on purpose ;)


Log in to reply