20 reasons why you should consider the picoNet 20th Anniversary Edition as the Edge Server for your co-working space [ draft ]

Whilst Lightspeed itself was born in 1998, many long nights and weekends followed, and it was not until 2000 that our first edge gateway, picoNet, shipped as the first broadband router/firewall in the world. Over time we ceded the broader corporate market to router appliance manufacturers like Alcatel, and subsequently Linksys, Asus and their ilk, as we moved on to solving the problems of large enterprises and Internet Service Providers (ISPs).

So it is with great delight that we embark on a 20th Anniversary Edition to mark our return to the corporate market. The pandemic has reshaped the workplace: the simple job of keeping the “bad guys” out of a single door (your office Internet connection) has been replaced by letting only the few “good guys” in to your corporate data assets, from wherever they happen to be working. Strange as it might sound, those “budget” boxes from everyone including Cisco simply cannot scale to provide wirespeed VPN for 100% of your workforce doing Work From Home (WFH). You know it is bad when even your VPN maker cannot cope with demand from its own staff: https://www.theregister.com/2020/04/02/cisco_rations_staff_vpn/

Even though you are not likely to have as many employees as Cisco, the problem remains the same: 99.9% of off-the-shelf firewalls were sized on the assumption that only 2% to 10% of their traffic would arrive over encrypted channels like VPN, and they skimped on CPU accordingly. Every VPN packet has to be decrypted, inspected and re-encrypted by that CPU, so once most of the workforce is remote the box, not the link, becomes the bottleneck. As a rule of thumb, if your firewall does not have a Geekbench CPU rating, it is time to throw it out and start from scratch.

Our platforms of choice remain unchanged: hardware from leading manufacturers like Lenovo, Dell and HP, and software that is 100% open source (Linux, nftables, iptables, squid, OpenVPN and so on, for those of you in the business). Best-of-breed security only comes about when many pairs of eyes are on the code, as compared to the proprietary source beloved of nearly all security manufacturers in their attempts at “security by obscurity”, which has never worked to begin with and is now painfully obvious given the zero-day exploits against nearly every firewall manufacturer.

A nod to co-working spaces and their special needs, which drove the development of this 20th Anniversary Edition; as it turns out, those were exactly the needs of all corporates in the face of a pandemic.

1. Malware protection

Because users necessarily BYOD (Bring Your Own Device), the “workplace” LAN has no way to enforce at the endpoint what equipment, configuration or protection is in play. As such, a single misconfigured endpoint can easily launch an attack against every other endpoint on the same network; all the problems of working on public Wi-Fi at Starbucks remain true in all co-working spaces today (not just TGR). CW (like EE) includes Malware Protection that blocks malicious domains drawn from 19 threat feeds, including (amongst others) IBM’s X-Force, Abuse.ch, the Anti-Phishing Working Group (APWG), Cisco, F-Secure, Proofpoint, RiskIQ and ThreatSTOP. Correlating that many feeds gives best-in-class threat confidence (minimal false negatives and false positives). As of 1st June 2020, we block 97% of confirmed malware sites correctly before they reach the endpoint, which compares favourably to Cisco Umbrella, which catches less than 3%, or Cloudflare Enterprise, which blocks just 56%. This does not mean that solutions like Symantec Endpoint Protection (EPP) are not needed (some things can only be detected at the level of an individual download, and domain blocking cannot stop an attack that never leaves the LAN), but it certainly makes the co-working space a significantly more protected environment than Starbucks.

2. Virtual firewall per public IP

With picoNet, we virtualize the firewall per publicly-addressable device. This is possible using techniques such as SNAT, DNAT and IP aliasing, which combine to provide a virtual firewall per tenant IP (and can be applied to an entire dedicated office when extended to include inter-VLAN firewalls). Member devices can be configured directly with the public IP, eliminating the need for (and the significant overhead associated with) one-to-one NAT as practised by Peplink today and by nearly all enterprise firewalls.
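As an added illustration (not picoNet's shipped configuration), the nftables ruleset below sketches a virtual firewall per tenant IP in the terms used above. Every address and interface name is assumed: the ISP routes 203.0.113.0/29 to the gateway on eth0; tenant A's server on vlan10 is configured directly with the public address 203.0.113.3 (no NAT, the gateway simply routes 203.0.113.3/32 to vlan10); tenant B keeps a private 10.20.0.0/24 on vlan20 behind the alias 203.0.113.4, which the gateway holds on eth0 and maps with DNAT/SNAT.

```nftables
# Added example, not Lightspeed's configuration. Assumptions:
#   WAN: eth0, with 203.0.113.0/29 routed to it by the ISP
#   tenant A: vlan10, server configured directly as 203.0.113.3 (routed, no NAT)
#   tenant B: vlan20, private 10.20.0.0/24, public alias 203.0.113.4 held on eth0
flush ruleset

table inet picoNet {
    # One chain per public IP is that tenant's "virtual firewall".
    chain tenant_203_0_113_3 {
        # Tenant A exposes mail and HTTPS on its routed public address.
        ct state established,related accept
        tcp dport { 25, 443 } accept
        icmp type echo-request limit rate 5/second accept
        drop
    }

    chain tenant_203_0_113_4 {
        # Tenant B exposes only an SSH jump host (DNAT target below).
        ct state established,related accept
        tcp dport 22 accept
        drop
    }

    # Dispatch inbound traffic to the per-IP chain.
    map tenant_fw {
        type ipv4_addr : verdict
        elements = { 203.0.113.3 : goto tenant_203_0_113_3,
                     203.0.113.4 : goto tenant_203_0_113_4 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # DNAT has already run in prerouting, so match on the connection's
        # original destination, not the (possibly rewritten) ip daddr.
        iifname "eth0" ct original ip daddr vmap @tenant_fw
        # Tenants may initiate outbound connections to the Internet.
        iifname { "vlan10", "vlan20" } oifname "eth0" accept
        # Anything tenant-to-tenant falls through to the drop policy.
    }
}

table ip picoNet_nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # Tenant B's alias: rewrite the public IP to the private host behind it.
        iifname "eth0" ip daddr 203.0.113.4 dnat to 10.20.0.10
    }
    chain postrouting {
        type nat hook postrouting priority srcnat;
        # Tenant B leaves with its own alias as source, never the gateway's address.
        oifname "eth0" ip saddr 10.20.0.0/24 snat to 203.0.113.4
    }
}
```

Load it with nft -f. Each public IP's rules live in exactly one chain, so a change for one tenant cannot widen another tenant's exposure. The dispatch uses ct original ip daddr rather than ip daddr because DNAT runs before the forward hook: tenant B's inbound packets would otherwise reach the vmap already rewritten to 10.20.0.10, miss every key and be dropped by the base chain policy.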

3. Bandwidth control per public IP

Because each location is likely to have n x 1Gbps uplinks (minimum n=2), it is advantageous to adopt ISP-style bandwidth selling.
Currently we can only subdivide into 10/100/1000 Mbps at the switch-port level, and only if the member equipment supports those speeds (most equipment newer than 2015 only negotiates 1Gbps). As such, we sell “reserved bandwidth” but have no way to actually provide, measure or prove that the member gets the purchased bandwidth.

4. Rental of virtual firewalls

Because of the PNCW and PNEE open-server architecture, we can support firewall “rental” for members who have their own ISP and want proper enterprise-grade protection (rather than trusting a consumer-grade router/firewall combo) but, given the short lease terms prevalent in co-working, prefer not to commit $10,000+ to a “real” firewall.

5. InterVLAN firewall and VPN access

A common request amongst TGR DO members is the ability to reach the NAS and printer in their own office securely. Currently, inter-VLAN routing is all or nothing. What addresses the business need is to allow members on @TGRO Wi-Fi and members working from home to connect simply and securely to their own in-office resources, and to nothing else. PNCW already supports the most popular VPN protocols, including IPsec and SSL VPN, and we hope to include WireGuard in the next release.
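The following nftables fragment is an added example of the selective inter-VLAN access described above; it is not PNCW's own configuration, and it is written as a stand-alone ruleset (in a real deployment these rules would join the gateway's single forward chain). Names are assumed: OpenVPN members arrive on tun0 with fixed tunnel addresses in 10.8.0.0/24, the shared co-working Wi-Fi is vlan40, office 1 is vlan30 with a NAS at 10.30.0.20 and a printer at 10.30.0.21, and the WAN is eth0.

```nftables
# Added example, not part of PNCW. Assumed names: tun0 (OpenVPN, fixed
# tunnel addresses), vlan40 (shared Wi-Fi), vlan30 (office 1: NAS 10.30.0.20,
# printer 10.30.0.21), eth0 (WAN).
flush ruleset

table inet picoNet_office {
    # Per-member access list keyed on tunnel address . office host . TCP port.
    # Each member is granted exactly their own office's NAS and printer.
    set member_access {
        type ipv4_addr . ipv4_addr . inet_service
        elements = {
            10.8.0.2 . 10.30.0.20 . 445,     # alice: NAS over SMB
            10.8.0.2 . 10.30.0.21 . 631,     # alice: printer over IPP
            10.8.0.3 . 10.30.0.20 . 445,     # bob: NAS over SMB
            10.8.0.3 . 10.30.0.21 . 9100     # bob: printer, raw port
        }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Inter-VLAN access only from inside the VPN and only to listed host:port pairs.
        iifname "tun0" oifname "vlan30" ip saddr . ip daddr . tcp dport @member_access accept

        # The shared Wi-Fi never reaches an office VLAN directly; a member on
        # vlan40 runs the same VPN client as at home and is covered by the rule above.
        iifname "vlan40" oifname "vlan30" drop

        # Everyone may still reach the Internet through the WAN port.
        iifname { "vlan30", "vlan40", "tun0" } oifname "eth0" accept
    }
}
```

Because the set is keyed on the member's fixed tunnel address, it is the VPN's authentication (client certificate or IPsec identity) that ultimately decides which office a member can see, and a device on the shared Wi-Fi gets exactly the same rules as one at home. With WireGuard the interface would be wg0 and each peer's AllowedIPs entry would pin the tunnel address in the same way.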

6. Modular Design

Unlike the usual monolithic firewall appliances, where you must decide at the time of purchase what your network will need for the lifetime of the firewall (5 to 7 years), Lightspeed’s design philosophy is to let you evolve your box by replacing or adding CPU, RAM, storage and network interfaces.

7. Extensible at lowest cost per port

Unlike proprietary interfaces, Lightspeed uses open standards such as PCIe x16 for expansion. As such, the cost per additional port is often under USD 100, which is 10x to 100x cheaper than proprietary interface modules from Cisco/Juniper.

8. Highest quality, lowest cost

By using industry-standard parts, Lightspeed is able to partner with HP, Dell and Lenovo, the world’s largest server manufacturers, to produce the hardware at scale and achieve economies not possible even for the largest networking manufacturers in the world. For network expansion, we also curate best-of-breed NICs from Intel (as opposed to the cheaper, less stable Broadcom/Realtek/Marvell chipsets normally used in firewalls). Intel’s enterprise-class chips include hardware offloading and other features that allow full wire speed, whereas other chipsets deliver only a fraction of their rated throughput in real-life testing. If the other platform you are considering does not specify the NIC chipset, it is almost certainly not Intel.

9. Edge Server, not just a firewall

Because Lightspeed uses only industry-leading server platforms, the box at the edge of your LAN is more than a simple “gateway”: full Docker/Kubernetes support lets you run and scale container workloads (most commonly a PBX, and network controllers like LDAP, RADIUS, DHCP and DNS). Anything you run on the gateway shares the trust boundary with the firewall itself, so put such workloads in their own namespaces or VLAN and expose them only through the same rules as any other host. Intel and AMD server-class CPUs make Lightspeed gateways around 1000x faster than the average firewall. Our Geekbench 4 scores start at 13,000 and go all the way up to 200,000; any proprietary firewall you might be evaluating will likely score under 500 (if the vendor even dares to publish scores). By way of comparison, most mid-range mobile phones achieve scores between 5,000 and 8,000.

10. USG Compatible Reporting

For those of you on the UniFi Wi-Fi controller, PNCW generates XML reporting that conforms to UniFi controller standards. This means you can visualize your entire network, from endpoints to access points to switches to the gateway, on a single pane of glass without compromising gateway performance. Our gateways can emulate anything in UniFi’s gateway range, from the SG3 to the XG-8, with performance starting above an XG-8. For port configurations exceeding 8 ports (9 through 16), use native reporting to the monitoring system of your choice (Cacti etc.) instead.

11. Open Systems, Open Standards

Lightspeed prides itself on conforming to all Internet and industry standards. Amongst other things, all our systems are built on well-tested open-source components, assembled in ways that realize the highest performance in their class. You can expect to see all the current acronyms: DNS over TLS (DoT),

12. Service Provider Validated Solutions

Unlike many SMB and enterprise vendors, we originate our solutions in the service provider space. Our systems power ISPs throughout the ASEAN region, including but not limited to StarHub in Singapore, Digitel (now part of PLDT) in the Philippines, and Cambodia Data Communication (CDC) in Cambodia (obviously). What you get are systems that are “battle-tested” in an unrelenting, unforgiving, high-volume environment, not something that merely looks good in lab results.

13. Full ISO27001 Support

From a governance standpoint, no other firewall has full support for version management of the actual configuration files: picoNet supports RCS, SCCS or even a private GitHub repository as the single source of truth for your security configuration, together with a proper multi-step process to propose, accept, validate and then apply firewall rules, so that a single entry-level firewall engineer can no longer accidentally (or purposely) bring the entire enterprise to a halt. The validate step is the one that matters most: the complete proposed ruleset is checked before it is loaded (with nftables, nft -c -f ruleset.nft parses and checks a file without applying it), so a typo is rejected at review rather than discovered in production.

14. 20 years in the making

Lightspeed produced the world’s first broadband corporate gateway in 1999 and has quietly revolutionized the Internet landscape in Singapore and the region by driving standards adoption across some of Asia’s most highly valued companies.