💬 Discussion | Network Security - Open Sourced Routers & Firewalls #680
Reference: privacyguides/privacytools.io#680
Idea originated from PR #675
Currently, the only network-security-related section we have only speaks about routers, but as we all know, firewalls, both inside the router and in the actual device, play a crucial role in the protection against outside intruders and especially those within our networks. So the idea would be to create a joint category that also spoke about network security software, such as firewalls, for end-user devices.
In my mind, it'd look something like
Network Security
OpenWRT, etc
Firewalls, ?
Which software should be added? Which ones should be the category staples, which ones worth mentioning, you know the drill.
In the PR, @asddsaz has already mentioned 3 pieces of software, Firejail, Gufw and Flatpak
Firejail is for sandboxing, not necessarily a network firewall.
Flatpak is a distribution method with built-in, easy-to-use sandboxing. Nonetheless, they can significantly improve security.
Some articles on Firejail:
https://www.makeuseof.com/tag/firejail-simple-way-improve-security-linux/
https://ownyourbits.com/2017/10/29/sandbox-your-applications-with-firejail/
We recommend the Czech Turris Omnia router for home users: https://omnia.turris.cz/en/
We wrote several articles about it: https://infosec-handbook.eu/as-hns/
Yeah Turris Omnia is a very interesting project. I really like the Czech NIC.
Are you sure it is for home users? I checked the price and it is expensive for a home user.
Firewall: pfSense
The device is very expensive. Though maybe the open source OS is easier to use than OpenWrt?
I think so. It is very expensive for a home user. Using pfSense or another open source OS is better.
Note that the operating system of the Turris is open source.
@hasanalizxc IPFIRE for example is another good one
@beerisgood Bookmarked.
Yes, it is for home users, and yes, for some home users it may be expensive. However, there is no universal definition for "expensive". Let the user decide if he or she wants to buy it.
Besides, all software (e.g. OpenWrt, pfSense, Endian Firewall, IPFire, OPNsense) needs hardware to run it.
Let the user decide, OK, but this is not exactly for home users. Can be partly 50%.
I believe the router idea, even though a bit hard to swallow by home users, especially those that are new to this neck of the woods, would be a good inclusion to #616. Regarding network security, I'll whip up something with the two current distinctions and we'll move on from there.
I don't think on-device firewalls are worth discussing; all operating systems that I've come across come with secure-by-default firewall settings.
Things worth discussing IMO:
There are some security remarks to be made against the OpenWrt Transparent Tor implementation. The Tor Browser remains the best solution (Control port, additional fingerprint hardening, general browser security, ..).
On the topic of routers, I think it's also worth noting the maximum transmission speed (10 Gbps?).
Turris is not open-source and has no plans to change this.
Source: https://forum.turris.cz/t/is-turris-applying-for-ryf-certification/8602
Therefore, they do not meet the contribution guidelines.
The only routers that I believe meet these standards are these: Minifree, and ThinkPenguin.
The operating system is open source https://github.com/CZ-NIC/turris-os
@Shifterovich If I understand correctly, it is not free and you cannot swap it out for a different OS.
There is a GitHub issue on this: https://github.com/CZ-NIC/turris-os/issues/89
Either way, it should not meet the Quality over Quantity guidelines, considering free'd alternatives are available.
Seems like it would be possible to make it fully open source, but yeah, we can just recommend OpenWrt instead.
@Shifterovich I would recommend LibreCMC. But, OpenWRT is better than nothing. :)
Make sure to look into PR #616
I don't use either, so sure, if LibreCMC is better, then we'll go with that. I just noticed that Turris OS is an OpenWrt fork.
Just for clarification:
The above-mentioned guidelines only contain "Software Criteria" that are somewhat vague.
Thanks for clarifying the terms. @infosec-handbook are there any important features added by CZ.NIC to Turris OS compared to other router operating systems we recommend?
@Shifterovich
"Important features" is more or less subjective.
Benefits are (subjectively perceived) secure defaults (compared with other routers, Turris OS comes with a stricter security configuration like password protection, DNSSEC support, automatic updates, …) and a UI that is easy to understand for non-technical people, while people can still customize the OS by installing and configuring additional packages.
I would suggest this 2