Unifi multi-site or multiple controllers

Do you guys run separate Unifi controllers for each company, friend, or family member that you manage? Or do you rely on the multi-site feature in Unifi?

My concern with running everything on one Unifi host is security. This would be a nice way for something nefarious to jump from one domain to another. Not sure I have a lot of faith in Unifi’s system controller being the sole gatekeeper to that pathway.

I’ve been going the separation route with different containers. Spinning up another one for a friend and wondering if the trade-off between security and convenience is worth it. Maybe I will put everybody else on one controller and keep mine separate. But my conscience feels a little guilty giving myself special treatment.

Is this security concern rational?

I, myself, run separate controllers. I don’t trust keeping everything on one controller for security reasons. Rational to me!

One controller for all clients.

When you have around 50 clients, having to manage separate controllers and Unifi changes would be an extra workflow for managing the Unifi setup.

We keep our clients in one controller. We DO NOT expose the UniFi controller management ports; we only have open the ports needed to allow the devices to work.

Unifi has recently been pretty good on security issues and on releasing new versions.

If you keep the underlying operating system up to date, and update the controller software when new versions are released, I cannot see any security risk (that does not mean there won’t be any down the line at a later date).

With Tom: no external Unifi Controller web console.

Yeah, my management ports are locked away tight. Well, actually I let them log in to their own mgmt console since it is isolated and tunneled through a VPN.

My concern is that the controller itself would be exposed to the various AP networks from completely different entities. Relying solely on Unifi for that separation is… uncomfortable. It would be trivial to have direct access to the controller via the AP protocol, and probably not super hard to get the credentials off an AP. If they pop (or sidestep) the controller they have lateral movement to all remote sites.

But it sounds like most people trust unifi to hold the line.

Also, I am about at the point that managing these containers is going to warrant Ansible. I solve that right now by ignoring updates for as long as possible. :)

I would say this is not possible, as everything is done on the device MAC address.

The only way for a device to move to another company is if you manually move it to another site.

What is the best way to test for open ports in a system that includes pfSense as the primary firewall and a Unifi CKG2+ as the controller? I have this plus 3 different VLANs (test, IoT and camera).

Thank you!

I don’t follow your mac logic. I think one of us is confused. The unifi controller has to route into company A & B. If unifi has a vulnerability then horizontal movement is possible. That attack surface grows as the company list grows.

I only have TCP/UDP ports 8443 and 8080 open. Both ways, in & out.
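A worked example for the "how do I test for open ports" question above and the "only 8080 and 8443 open" answer. This is an added script, not code from the thread, from Ubiquiti, or from pfSense. It reads nmap grepable output (what `nmap -sT -sU -p 22,8080,8443,8880,8843,6789,3478,10001 -oG - <controller>` prints when run from the WAN side, from a device VLAN, and from the admin VPN) and classifies each open port against a simple exposure policy. The port roles are Ubiquiti's published "Ports Used" list; the policy sets, the hypothetical vantage names and the two scan outputs are constructed for this example.

```python
"""Classify open ports on a UniFi controller against an exposure policy.

Added example for this thread; not Ubiquiti or pfSense code.  Input is
nmap grepable (-oG) output, e.g.:
    nmap -sT -sU -p 22,8080,8443,8880,8843,6789,3478,10001 -oG - CONTROLLER
run once from each network you care about.  The two samples at the
bottom are constructed, not real scans.
"""
import re

# Port roles on a UniFi Network controller (Ubiquiti's documented list).
UNIFI_PORTS = {
    (8080, "tcp"): ("device inform (device -> controller)", "device"),
    (8443, "tcp"): ("controller web UI / API", "management"),
    (8880, "tcp"): ("guest portal HTTP redirect", "guest"),
    (8843, "tcp"): ("guest portal HTTPS", "guest"),
    (6789, "tcp"): ("mobile speed test", "management"),
    (3478, "udp"): ("STUN", "device"),
    (10001, "udp"): ("device discovery", "device"),
    (5514, "udp"): ("remote syslog from devices", "device"),
}

# Assumed policy: which roles may be reachable from each vantage point.
# Vantage names are hypothetical labels for where the scan was run from.
ALLOWED_ROLES = {
    "wan": set(),                                     # nothing from the internet
    "device_vlan": {"device", "guest"},               # APs/switches need these
    "admin_vpn": {"device", "guest", "management"},   # admins via the tunnel
}

# grepable port entry: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(open\|filtered|open|closed|filtered)/(tcp|udp)")


def parse_grepable(text):
    """Return {(port, proto): state} from nmap -oG output."""
    found = {}
    for line in text.splitlines():
        if "Ports:" not in line:
            continue
        _, ports = line.split("Ports:", 1)
        for port, state, proto in PORT_RE.findall(ports):
            found[(int(port), proto)] = state
    return found


def audit(scan_text, vantage):
    """Return [(port, proto, description, verdict)] for every open port.

    'ok'               role is allowed from this vantage
    'EXPOSED'          confirmed open and not allowed from here
    'possibly exposed' nmap reported open|filtered (typical for UDP)
    """
    allowed = ALLOWED_ROLES[vantage]
    findings = []
    for (port, proto), state in sorted(parse_grepable(scan_text).items()):
        if not state.startswith("open"):
            continue  # closed/filtered is what we want to see
        desc, role = UNIFI_PORTS.get((port, proto), ("not a UniFi port", "unknown"))
        if role in allowed:
            verdict = "ok"
        elif state == "open":
            verdict = "EXPOSED"
        else:
            verdict = "possibly exposed"
        findings.append((port, proto, desc, verdict))
    return findings


def exposed(findings):
    """Just the (port, proto) pairs that are not 'ok'."""
    return [(p, pr) for p, pr, _, v in findings if v != "ok"]


# Constructed sample: scan of the controller from the internet side.
SAMPLE_WAN_SCAN = (
    "# Nmap scan (constructed sample, not a real scan)\n"
    "Host: 203.0.113.5 ()\tStatus: Up\n"
    "Host: 203.0.113.5 ()\tPorts: 22/filtered/tcp//ssh///, "
    "8080/open/tcp//http-proxy///, 8443/open/tcp//https-alt///, "
    "3478/open|filtered/udp//stun///\tIgnored State: closed (4)\n"
)

# Constructed sample: same controller scanned from the device VLAN.
SAMPLE_VLAN_SCAN = (
    "Host: 10.20.0.2 ()\tPorts: 8080/open/tcp//http-proxy///, "
    "8443/open/tcp//https-alt///, 8880/open/tcp//cddbp-alt///, "
    "3478/open/udp//stun///, 10001/open/udp//scp-config///, "
    "6789/closed/tcp//ibm-db2-admin///\n"
)

if __name__ == "__main__":
    for name, text, vantage in (("WAN", SAMPLE_WAN_SCAN, "wan"),
                                ("device VLAN", SAMPLE_VLAN_SCAN, "device_vlan")):
        print(f"== from {name} ==")
        for port, proto, desc, verdict in audit(text, vantage):
            print(f"{port:>6}/{proto}  {verdict:<17} {desc}")
```

Run from the WAN, the sample reports 8080 and 8443 as exposed, which is exactly the configuration the "in & out" answer above describes; from the device VLAN only 8443 is flagged, because the inform, STUN, discovery and guest-portal ports are what APs and switches legitimately need. Scanning from each vantage point separately is the part that matters: a pfSense rule set that looks right on paper is only confirmed by what the controller actually answers on from each VLAN.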