awawaw
Sep 20, 2020 (Guide)
iOS 14
After updating my iPhone to iOS 14, I cannot log into the Orbi application via local access. I can still access via remote access. Please help.
- Sep 29, 2020
Update 29 September 2020.
Orbi has released a new update 2.6.4.13 and my problem has been solved. It is working now. Thank you everybody.
evntwiz
Oct 11, 2020 (Aspirant)
Not connecting here at all, can't get trusted device and basically dead in the water unless I use my desktop.
rbr20
3 satellites
latest app version
latest firmware version
all crap
ChrisKing
Oct 12, 2020 (Apprentice)
New app released today by Netgear
Works for me now and 100% successful :)
- Stev3D, Oct 12, 2020 (Luminary)
I got it this morning, and can confirm it works.
But, I discovered something very disturbing. When exploring the new user interface, I tapped "Anywhere Access" and discovered that it says it was turned on! I never, EVER enabled remote (WAN side) management -- there's not a chance in the world.
Enabling remote (WAN side) management is a terrible idea from a security perspective, and killing that -- and UPnP -- are among the first things I check with any new device (or when I help out others).
And yet the app says it was on. I know that it was not on a few weeks ago when I viewed my Orbi from the Web interface -- so how was it turned on? Not by me!
Does this new iOS app enable it automatically? If so, there needs to be a big red warning label.
I suggest everyone check theirs to be sure something isn't enabled without your knowledge.
- schumaku, Oct 12, 2020 (Guru - Experienced User)
Stev3D wrote: Enabling remote (WAN side) management is a terrible idea from a security perspective, and killing that -- and UPnP -- are among the first things I check with any new device (or when I help out others).
Well, not so terrible as the UPnP-PMP panicked always want to see: It's not WAN side management - there are no ports opened and exposed - it's not Remote Access. Much more, the router does establish a link to Netgear's cloud from where only the authenticated can make use of Anywhere Access connecting back to your router.
No idea what might have enabled it - but then it was (and probably still is) the second chance for iOS 14 users not aware of having to enable the Local Network Permission and/or users having enabled MAC based access control on their Netgear devices where the other brilliant Apple tin hat default named Private WiFi address (read: a random MAC is used on every new connection) - unless disabled for the network - does definitively close the door. The amount of posts here and on many other communities and support channels is exploding due to these overrated new security features - which are above the understanding for the average user base.
- schumaku, Oct 12, 2020 (Guru - Experienced User)
Stev3D wrote: And yet the app says it was on. I know that it was not on a few weeks ago when I viewed my Orbi from the Web interface -- so how was it turned on? Not by me!
Here again. Two completely different things.
Originally Netgear used the terms "Remote Access" for the exposed port/service (this is what we can control from the Web UI), and "Remote Management" for the cloud based access, later they made a mess out of it and used the same "Remote Access" designation. The new name for the cloud based access was changed to "Anywhere Access" - which was and is only controllable from the App.
- Stev3D, Oct 12, 2020 (Luminary)
schumaku, I appreciate the explanation of the difference between Anywhere Access and Remote Management (I just assumed Anywhere Access was NETGEAR's fancy brand name for remote management -- not unlike Apple's "Private [Wi-Fi] Addresses" label you dis). And while I still don't want the WAN-side tunnel to NETGEAR's cloud, it isn't the "hair on fire" issue I thought it was.
I am a fan of the random MAC address feature that Apple rolled out (great tracking prevention), but it does mean that Netgear (and other manufacturers) need to alert users who use MAC addresses for admission control and IP address assignments that they must have people turn off Private [Wi-Fi] Addressing for the SSIDs they manage.
Security is never easy, but in-security is -- you get what you pay for.
- schumaku, Oct 12, 2020 (Guru - Experienced User)
Stev3D wrote: I am a fan of the random MAC address feature that Apple rolled out (great tracking prevention), but it does mean that Netgear (and other manufacturers) need to alert users who use MAC addresses for admission control and IP address assignments that they must have people turn off Private [Wi-Fi] Addressing for the SSIDs they manage.
Nope - fully disagree! There are many valid reasons why admins configure MAC address for admission control - a huge effort by the way.
It makes absolutely no sense to enable this random MAC on your private home or business network. Nobody is tracking you on your own home or business network my friend - much more it does break standard security and network management. We've started to capture devices coming to our managed network infrastructure with local MAC and put them up to a dedicated VLAN where they get information on how to disable this mess. A unique ID - like the device MAC - is required for monitoring and auditing reasons in business environments btw.
As IT security operations, as the owner of the network, as the owner of the business, we have the right to see the unique MAC assigned to the device, regardless if this is a business owned or BYOD.
And there is no reason why network admins should disable the MAC based access lists.
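The triage described in the post above (spotting clients that arrive with a local MAC so they can be placed on a separate VLAN) rests on one bit of the address: randomized addresses set the locally administered bit (0x02) in the first octet. An added example, not part of the thread or of any NETGEAR tooling; the log layout, sample addresses, allowlist and bucket names are constructed for illustration.

```python
import re

# Matches aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and aabb.ccdd.eeff notations.
MAC_RE = re.compile(
    r"\b(?:[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}"
    r"|[0-9A-Fa-f]{4}(?:\.[0-9A-Fa-f]{4}){2})\b"
)

def parse_mac(text):
    """Return the 6 raw bytes of a MAC written in any notation above."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {text!r}")
    return bytes.fromhex(digits)

def classify(mac):
    """Classify by the two low bits of the first octet (IEEE 802)."""
    first = mac[0]
    if first & 0x01:
        return "multicast"   # group address, never a valid client source
    if first & 0x02:
        return "local"       # locally administered: randomized or manually set
    return "universal"       # vendor-assigned (OUI-based) address

def triage(lines, allowlist):
    """Split client MACs seen in log lines into three buckets."""
    allowed = {parse_mac(m) for m in allowlist}
    result = {"allowed": [], "quarantine_local": [], "unknown": []}
    for line in lines:
        m = MAC_RE.search(line)
        if not m:
            continue
        mac = parse_mac(m.group(0))
        pretty = mac.hex(":")
        if mac in allowed:
            result["allowed"].append(pretty)
        elif classify(mac) == "local":
            result["quarantine_local"].append(pretty)
        else:
            result["unknown"].append(pretty)
    return result

# Constructed sample lines (hypothetical layout: MAC, IP, hostname).
SAMPLE = [
    "3C:22:FB:10:20:30 192.168.1.20 office-laptop",
    "de-ad-be-ef-00-01 192.168.1.41 iPhone",
    "a6f1.0c33.9b7e 192.168.1.42 iPad",
    "00:1B:63:AA:BB:CC 192.168.1.77 unknown-device",
]
ALLOWLIST = ["3c:22:fb:10:20:30"]
```

The local bit is a heuristic: virtual machines and manually assigned addresses set it as well, so a hit identifies a non-vendor address, not necessarily a phone with Private Address enabled.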
- schumaku, Oct 12, 2020 (Guru - Experienced User)
Stev3D wrote: Security is never easy, but in-security is -- you get what you pay for.
That's exactly why disabling the MAC access control isn't an option.
My network, my responsibility: Access only with the real Wireless Adapter MAC. Any CIO, any IT security person, any IT auditor will agree.
Your network - your rules. I don't care.
And telling the admins to disable the MAC access control can't be the solution.
- Stev3D, Oct 12, 2020 (Luminary)
schumaku, you either misread or misunderstood what I wrote.
You wrote, "There are many valid reasons why admins configure MAC address for admission control - a huge effort by the way."
That was my point; I use MAC address filtering / admission control on all my networks because I want to know (and I do track) and control what devices are there. MAC Address filtering is not fool-proof (because addresses can be spoofed), but that does add an extra bit of complexity for intruders. So anyone using my network is required to disable it -- just like you do.
I am a fan of what Apple has done, even if it makes for extra work for me, because so many people are suckers for "free" Wi-Fi and the like. Sure it's a bit more work for us, but it does serve the greater good. People who understand networks can do the work, people who are clueless need our help and support -- because the jackals that are the information brokers are taking advantage of their naivety.
And I wrote, "but it does mean that Netgear (and other manufacturers) need to alert users who use MAC addresses for admission control and IP address assignments that they must have people turn off Private [Wi-Fi] Addressing for the SSIDs they manage."
In other words, people like us (and organizations like Netgear) need to tell users to turn off "Private Addressing" for the SSIDs we manage. I did not write that we need to turn off MAC Address filtering on our networks. But I see that my wording may have been less than 100% clear.
So, I think we are in "violent agreement" that Private Addresses are not needed on managed networks, but we do seem to differ as to whether it is a good thing in general or not (I think Apple has done the world a service, even if it adds to complexity on properly managed networks).
Peace.
- Stev3D, Oct 12, 2020 (Luminary)
Post-posting proof reading: When I wrote "So anyone using my network is required to disable it -- just like you do" the "it" here was Private Addressing (I should avoid the use of pronouns).
- schumaku, Oct 12, 2020 (Guru - Experienced User)
Peace <3
- schumaku, Oct 12, 2020 (Guru - Experienced User)
Don't get me wrong: There is nothing wrong with offering random MAC addresses for WiFi connections.
Not acceptable was that iOS 14 (and iPadOS 14, WatchOS 7) forced this on by default on all known connections. Instead, they should have asked the user - while connecting to an SSID for the first time following the update - if the feature should be enabled for this network. And not leave people alone and often offline without their home WiFi Internet connection...
Not acceptable again was the iOS 14 introduction of the new Local Network Permission. For not yet updated and legacy Apps, they should have asked on launching the App for the first time (in the foreground or as a background service) that it appears that the App does require LAN access, and allow to grant the permission if required. And not leave users out there alone with non-workable Apps.
Simply a bad job by Apple. And how they were praised for this - at least before iOS 14 was rolled out widely. Gee, I was starting to love em ....
Alphabet did it much better with Android 10 rolled out following a very long test period some weeks before iOS 14. First, they listened to us IT professionals and not to the generation tin hat! Existing WiFi connections configured had not been reconfigured for enforcing the randomized MAC. Permissions of long-time non-used Apps will be removed, being for the new A10 permission system or the legacy permission scheme. When opening the Apps later again, the user is queried to allow the permissions required by the App again.