💬 Discussion | Network Security - Open Sourced Routers & Firewalls #680

Open
opened 2018-12-22 18:23:09 +00:00 by hugoncosta · 23 comments
hugoncosta commented 2018-12-22 18:23:09 +00:00 (Migrated from github.com)

Idea originated from PR #675
Currently, the only network security related section we have speaks only about routers, but as we all know, firewalls, both inside the router and on the actual device, play a crucial role in protecting against outside intruders and especially those within our networks. So the idea would be to create a joint category that also speaks about network security software, such as firewalls, for end-user devices.

In my mind, it'd look something like
Network Security

  • Routers
    OpenWRT, etc
  • Software
    Firewalls, ?

Which software should be added? Which ones should be the category staples, which ones worth mentioning, you know the drill.

In the PR, @asddsaz has already mentioned 3 pieces of software, [Firejail](https://firejail.wordpress.com/), [Gufw](http://gufw.org/) and [Flatpak](https://www.flatpak.org/)
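As an added example (not code from this thread, nor from Gufw, ufw or any other project named here), the script below does the check behind the "firewall on the actual device" point: it parses `iptables-save` output, the rule format that front ends such as Gufw/ufw ultimately drive, and reports whether the INPUT chain is default-deny and which ports are accepted from any source. Both rulesets are constructed for illustration: the weak one shows the common mistake of adding allow rules on top of a default ACCEPT policy, the hardened one the corrected form with a DROP policy, SSH restricted to the LAN, and the VNC port no longer reachable.

```python
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: allow rules stacked on a default-ACCEPT INPUT chain.
WEAK_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
COMMIT
"""

# Constructed sample: same host, default-deny inbound, SSH only from the LAN.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT
"""


@dataclass
class Rule:
    chain: str
    target: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[str] = None
    iface: Optional[str] = None
    source: Optional[str] = None
    ctstate: Optional[str] = None

    def is_unconditional(self) -> bool:
        """True when the rule carries no match criteria, i.e. it fires on every packet."""
        return all(v is None for v in (self.proto, self.dport, self.iface, self.source, self.ctstate))


def parse_ruleset(text: str) -> Tuple[Dict[str, str], List[Rule]]:
    """Return ({chain: policy}, [rules in file order]) from iptables-save text.

    Only the matches the audit needs are modelled; '!' negation is not.
    """
    policies: Dict[str, str] = {}
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":"):                      # ':INPUT DROP [pkts:bytes]'
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):                  # '-A CHAIN <matches> -j TARGET'
            toks = shlex.split(line)
            rule = Rule(chain=toks[1])
            i = 2
            while i < len(toks):
                opt, val = toks[i], (toks[i + 1] if i + 1 < len(toks) else None)
                if opt in ("-p", "--protocol"):
                    rule.proto = val
                elif opt in ("--dport", "--destination-port"):
                    rule.dport = val
                elif opt in ("-i", "--in-interface"):
                    rule.iface = val
                elif opt in ("-s", "--source"):
                    rule.source = val
                elif opt == "--ctstate":
                    rule.ctstate = val
                elif opt in ("-j", "--jump"):
                    rule.target = val
                elif opt != "-m":   # '-m <module>' loads a match extension, no criterion by itself
                    i += 1          # anything unmodelled is skipped one token at a time
                    continue
                i += 2
            rules.append(rule)
    return policies, rules


def audit_input_chain(text: str) -> dict:
    """Summarise what INPUT lets in. Rules run in order, so ACCEPTs placed after an
    unconditional DROP/REJECT are unreachable and ignored."""
    policies, rules = parse_ruleset(text)
    policy = policies.get("INPUT", "ACCEPT")
    open_ports: List[Tuple[str, str, str]] = []
    terminal_deny = False
    for r in (r for r in rules if r.chain == "INPUT"):
        if r.is_unconditional() and r.target in ("DROP", "REJECT"):
            terminal_deny = True
            break
        if r.target == "ACCEPT" and r.dport and r.iface != "lo":
            open_ports.append((r.proto or "any", r.dport, r.source or "0.0.0.0/0"))
    default_deny = policy in ("DROP", "REJECT") or terminal_deny
    findings: List[str] = []
    if not default_deny:
        findings.append("INPUT is default-accept: every port not covered by a rule is reachable")
    findings += [f"{p}/{port} accepted from any source" for p, port, src in open_ports if src == "0.0.0.0/0"]
    return {"policy": policy, "default_deny": default_deny, "open_ports": open_ports, "findings": findings}


if __name__ == "__main__":
    for name, ruleset in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        report = audit_input_chain(ruleset)
        print(f"{name}: default_deny={report['default_deny']} open={report['open_ports']}")
        for finding in report["findings"]:
            print("  !", finding)
```

To run it against a real host, pass the text of `sudo iptables-save` to `audit_input_chain`. Two caveats: ufw keeps its user rules in its own chains (`ufw-user-input` and friends) that INPUT jumps into, and this parser does not follow jumps, so on a ufw host inspect those chains as well; and hosts that use nftables natively print a different syntax from `nft list ruleset`, so use `iptables-nft-save` or adapt the parser.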
asddsaz commented 2018-12-22 18:26:31 +00:00 (Migrated from github.com)

Firejail is for [sandboxing](https://www.wikipedia.org/wiki/Sandbox_(computer_security)), not necessarily a [network firewall](https://www.wikipedia.org/wiki/Firewall_(computing)).
Flatpak is a distribution method with built-in easy-to-use [sandboxing](https://www.wikipedia.org/wiki/Sandbox_(computer_security)). Nonetheless, they can significantly improve security.

Some articles on Firejail:
https://www.makeuseof.com/tag/firejail-simple-way-improve-security-linux/
https://ownyourbits.com/2017/10/29/sandbox-your-applications-with-firejail/
ghost commented 2018-12-22 18:36:22 +00:00 (Migrated from github.com)

We recommend the Czech _Turris Omnia_ router for home users: https://omnia.turris.cz/en/

  • Most components are open hardware
  • It runs customized OpenWrt and open source software only
  • You can add your own hardware components and customize the software setup
  • At the same time, it comes with an easy-to-understand web interface for non-technical people

We wrote several articles about it: https://infosec-handbook.eu/as-hns/
ghost commented 2018-12-22 18:49:53 +00:00 (Migrated from github.com)

Yeah Turris Omnia is a very interesting project. I really like the Czech NIC.
hasanalizxc commented 2018-12-22 19:46:59 +00:00 (Migrated from github.com)

Are you sure is it for home users? I checked price and it is expensive for a home user.

Firewall: pfSense
ghost commented 2018-12-22 19:57:01 +00:00 (Migrated from github.com)

The device is very expensive. Though maybe the open source OS is easier to use than OpenWrt?
hasanalizxc commented 2018-12-22 20:13:14 +00:00 (Migrated from github.com)

> The device is very expensive. Though maybe the open source OS is easier to use than OpenWrt?

I think so. It is very expensive for a home user. Using pfSense or another open source OS is better.
ghost commented 2018-12-22 20:21:33 +00:00 (Migrated from github.com)

Note that the operating system of the Turris is open source.
beerisgood commented 2018-12-22 20:22:34 +00:00 (Migrated from github.com)

@hasanalizxc IPFire for example is another good one
hasanalizxc commented 2018-12-22 20:26:37 +00:00 (Migrated from github.com)

@beerisgood Bookmarked.
ghost commented 2018-12-23 11:40:33 +00:00 (Migrated from github.com)

> > The device is very expensive. Though maybe the open source OS is easier to use than OpenWrt?
>
> I think so. It is very expensive for a home user. Using pfSense or another open source OS is better.

Yes, it is for home users, and yes, for some home users it may be expensive. However, there is no universal definition for "expensive". Let the user decide if he or she wants to buy it.

Besides, all software (e.g. OpenWrt, pfSense, Endian Firewall, IPFire, OPNsense) needs hardware to run it.
hasanalizxc commented 2018-12-23 12:08:50 +00:00 (Migrated from github.com)

> > > The device is very expensive. Though maybe the open source OS is easier to use than OpenWrt?
> >
> > I think so. It is very expensive for a home user. Using pfSense or another open source OS is better.
>
> Yes, it is for home users, and yes, for some home users it may be expensive. However, there is no universal definition for "expensive". Let the user decide if he or she wants to buy it.
>
> Besides, all software (e.g. OpenWrt, pfSense, Endian Firewall, IPFire, OPNsense) needs hardware to run it.

Let the user decide, OK, but this is not exactly for home users. Can be partly, 50%.
hugoncosta commented 2018-12-24 13:20:07 +00:00 (Migrated from github.com)

I believe the router idea, even though a bit hard to swallow by home users, especially those that are new to this neck of the woods, would be a good inclusion to #616. Regarding network security, I'll whip up something with the two current distinctions and we'll move on from there.
kewde commented 2018-12-24 18:13:32 +00:00 (Migrated from github.com)

I don't think on-device firewalls are worth discussing, all operating systems that I've come across come with secure-by-default firewall settings.

Things worth discussing IMO:

  • Router firmware (builtin Tor, VPN?) and their hardware
  • IPS
  • IDS
  • Honeypots

There are some security remarks to be made against the OpenWrt Transparent Tor implementation. The Tor Browser remains the best solution (Control port, additional fingerprint hardening, general browser security, ..).
On the topic of routers, I think it's also worth noting the maximum transmission speed (10 Gbps?).
asddsaz commented 2018-12-24 19:55:52 +00:00 (Migrated from github.com)

> We recommend the Czech _Turris Omnia_ router for home users: https://omnia.turris.cz/en/
>
> * Most components are open hardware
> * It runs customized OpenWrt and open source software only
> * You can add your own hardware components and customize the software setup
> * At the same time, it comes with an easy-to-understand web interface for non-technical people
>
> We wrote several articles about it: https://infosec-handbook.eu/as-hns/

Turris is not open-source and has no plans to change this.
Source: https://forum.turris.cz/t/is-turris-applying-for-ryf-certification/8602
Therefore, they do not meet the [contribution guidelines](https://github.com/privacytoolsIO/privacytools.io/blob/master/.github/CONTRIBUTING.md#software-criteria).

The only routers that I believe meet these standards are these: [Minifree](https://minifree.org/product/minifree-wndr3800-libre-router/), and [ThinkPenguin](https://www.thinkpenguin.com/gnu-linux/free-software-wireless-n-mini-vpn-router-tpe-r1100).
ghost commented 2018-12-24 19:57:21 +00:00 (Migrated from github.com)

The operating system is open source https://github.com/CZ-NIC/turris-os
asddsaz commented 2018-12-24 19:59:10 +00:00 (Migrated from github.com)

@Shifterovich If I understand correctly, it is not free and you cannot swap it out for a different OS.

There is a Github issue on this: https://github.com/CZ-NIC/turris-os/issues/89

Either way, it should not meet the [Quality over Quantity](https://github.com/privacytoolsIO/privacytools.io/blob/master/.github/CONTRIBUTING.md#quality-over-quantity) guidelines, considering free'd alternatives are available.
ghost commented 2018-12-24 20:09:19 +00:00 (Migrated from github.com)

> Both have proprietary blobs for 5GHz wifi card. **If you pull that one out then it should contain only non-proprietary software**. In MOX there is one additional thing, there is a **secure firmware that locks our crypto keys in CPU**. This firmware is open-source but without our key nobody can build new version. It is only way how we can ensure security of private keys generated on device.
>
> Hardware itself is not libre. Both CPU and switch chip do not have public datasheets and we don't have the right to release them. Unfortunately this is a tradeoff between a powerful, feature-full device and libre hardware.
> That also answers your third question.

Seems like it would be possible to make it fully open source, but yeah, we can just recommend openwrt instead.
asddsaz commented 2018-12-24 20:10:57 +00:00 (Migrated from github.com)

@Shifterovich I would recommend [LibreCMC](https://librecmc.org/). But, OpenWRT is better than nothing. :)

Make sure to look into PR #616
ghost commented 2018-12-24 20:12:43 +00:00 (Migrated from github.com)

I don't use either, so sure, if LibreCMC is better, then we'll go with that. I just noticed that Turris OS is an openwrt fork.
ghost commented 2018-12-25 08:02:13 +00:00 (Migrated from github.com)

Just for clarification:

- "Turris" is the first router made by CZ.NIC, coming with [complete hardware documentation](https://project.turris.cz/en/hardware-documentation)
- "Turris Omnia" is the second router made by CZ.NIC that comes with the proprietary 5 GHz chip (therefore, we wrote "Most components are open hardware"), hardware documentation [available here (scroll down to "Documents")](https://doc.turris.cz/doc/en/start)
- "Turris MOX" is the third router made by CZ.NIC, a new upcoming modular router
- "Turris OS" is the OpenWRT-based operating system with [repos managed on GitLab](https://gitlab.labs.nic.cz/public/projects?search=turris)

> Either way, it should not meet the Quality over Quantity guidelines, considering free'd alternatives are available.

The above-mentioned guidelines only contain "Software Criteria" that are somewhat vague.
ghost commented 2018-12-25 09:37:44 +00:00 (Migrated from github.com)

Thanks for clarifying the terms. @infosec-handbook are there any important features added by CZ.NIC to Turris OS compared to other router operating systems we recommend?
ghost commented 2018-12-26 07:54:26 +00:00 (Migrated from github.com)

@Shifterovich

> Thanks for clarifying the terms. @infosec-handbook are there any important features added by CZ.NIC to Turris OS compared to other router operating systems we recommend?

"Important features" is more or less subjective.

Benefits are (subjectively perceived) secure defaults (compared with other routers, Turris OS comes with a more strict security configuration like password protection, DNSSEC support, automatic updates, …) and a UI that is easy-to-understand for non-technical people while people can still customize the OS by installing and configuring additional packages.
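A DNSSEC default on the router only helps if the resolver it hands out to clients actually validates, and that is something a user can test rather than take on trust. The following is an added example, not part of this thread and not CZ.NIC's or Turris OS's code: it hand-builds a DNS query with the EDNS0 DO bit, sends it to a resolver, and decides from the AD flag on a correctly signed name together with a SERVFAIL on a deliberately broken zone whether validation is happening. The resolver address (the router's LAN IP, assumed to be 192.168.1.1), the signed name `ietf.org` and the broken zone `dnssec-failed.org` (a test zone Comcast publishes with bad signatures) are assumptions, not from the page; the response headers used offline are constructed for testing.

```python
import secrets
import socket
import struct
from typing import Dict, Tuple

# Assumed test names (not from the thread): one correctly signed zone and one
# whose signatures are intentionally broken for exactly this kind of check.
SIGNED_NAME = "ietf.org"
BOGUS_NAME = "dnssec-failed.org"

QR = 0x8000          # header flag: this is a response
RA = 0x0080          # Recursion Available
AD = 0x0020          # Authenticated Data: the resolver validated this answer
RCODE_SERVFAIL = 2   # what a validating resolver returns for a bogus zone


def build_query(name: str, qtype: int = 1, dnssec_ok: bool = True) -> Tuple[int, bytes]:
    """Build a DNS query (type A by default) with RD set; with dnssec_ok, append an
    EDNS0 OPT pseudo-RR carrying the DO bit so the resolver reports validation."""
    txid = secrets.randbits(16)
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    packet = header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN
    if dnssec_ok:
        # OPT RR: root name, TYPE 41, UDP payload size 4096, extended RCODE 0,
        # EDNS version 0, flags with DO (0x8000), RDLENGTH 0
        packet += b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return txid, packet


def parse_header(response: bytes) -> Dict[str, int]:
    """Decode the 12-byte DNS header into the fields the check needs."""
    if len(response) < 12:
        raise ValueError("truncated DNS response")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txid,
        "is_response": bool(flags & QR),
        "ra": bool(flags & RA),
        "ad": bool(flags & AD),
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify(signed: Dict[str, int], bogus: Dict[str, int]) -> str:
    """A validating resolver sets AD on the signed answer and SERVFAILs the broken
    zone; a non-validating one answers both without AD; anything else is unclear."""
    if signed["ad"] and bogus["rcode"] == RCODE_SERVFAIL:
        return "validating"
    if not signed["ad"] and signed["rcode"] == 0 and bogus["rcode"] == 0:
        return "not validating"
    return "inconclusive"


def query_resolver(resolver: str, name: str, timeout: float = 3.0) -> Dict[str, int]:
    """Send one UDP query to resolver:53 and return its parsed header (needs network)."""
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (resolver, 53))
        data, _ = sock.recvfrom(4096)
    header = parse_header(data)
    if header["id"] != txid or not header["is_response"]:
        raise ValueError("reply does not match the query (wrong id or not a response)")
    return header


def check_resolver(resolver: str) -> str:
    """Live check against one resolver, e.g. the router's LAN address."""
    return classify(query_resolver(resolver, SIGNED_NAME), query_resolver(resolver, BOGUS_NAME))


def fake_response(txid: int, flags: int, ancount: int = 0) -> bytes:
    """Constructed 12-byte response header for offline tests (no body)."""
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


if __name__ == "__main__":
    import sys
    print(check_resolver(sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"))  # assumed router IP
```

Run it as `python3 dnssec_check.py 192.168.1.1` (or whatever address the router advertises via DHCP). The AD bit is only a statement by the resolver you asked: a forwarder that copies AD from its upstream looks "validating" even though nobody on the last hop checked anything, and plain UDP DNS between client and router can still be spoofed, so the result is meaningful only for a resolver you already trust to be the one answering.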
zoonderkins commented 2018-12-27 05:47:28 +00:00 (Migrated from github.com)

I would suggest these 2:

  1. [OPNsense](https://opnsense.org/)
  2. [gl-inet](https://www.gl-inet.com/)
Reference: privacyguides/privacytools.io#680