privacytools / privacytools.io

🛡🛠 You are being watched. Protect your privacy against global mass surveillance.
https://www.privacyguides.org
Creative Commons Zero v1.0 Universal

💬 Discussion | Network Security - Open Sourced Routers & Firewalls #680

Open hugoncosta opened 5 years ago

hugoncosta commented 5 years ago

Idea originated from PR #675. Currently, the only network security related section we have speaks only about routers, but as we all know, firewalls, both inside the router and on the actual device, play a crucial role in protection against outside intruders and especially those within our networks. So the idea would be to create a joint category that also spoke about network security software, such as firewalls, for end-user devices.

In my mind, it'd look something like Network Security

Which software should be added? Which ones should be the category staples, which ones worth mentioning, you know the drill.

In the PR, @asddsaz has already mentioned 3 pieces of software, Firejail, Gufw and Flatpak

asddsaz commented 5 years ago

Firejail is for sandboxing, not necessarily a network firewall. Flatpak is a distribution method with built-in easy-to-use sandboxing. Nonetheless, they can significantly improve security.

Some articles on Firejail: https://www.makeuseof.com/tag/firejail-simple-way-improve-security-linux/ https://ownyourbits.com/2017/10/29/sandbox-your-applications-with-firejail/

ghost commented 5 years ago

We recommend the Czech Turris Omnia router for home users: https://omnia.turris.cz/en/

We wrote several articles about it: https://infosec-handbook.eu/as-hns/

ghost commented 5 years ago

Yeah Turris Omnia is a very interesting project. I really like the Czech NIC.

hasanalizxc commented 5 years ago

Are you sure it is for home users? I checked the price and it is expensive for a home user.

Firewall: pfSense

ghost commented 5 years ago

The device is very expensive. Though maybe the open source OS is easier to use than OpenWrt?

hasanalizxc commented 5 years ago

> The device is very expensive. Though maybe the open source OS is easier to use than OpenWrt?

I think so. It is very expensive for a home user. Using pfSense or another open source OS is better.

ghost commented 5 years ago

Note that the operating system of the Turris is open source.

beerisgood commented 5 years ago

@hasanalizxc IPFIRE for example is another good one

hasanalizxc commented 5 years ago

@beerisgood Bookmarked.

ghost commented 5 years ago

> The device is very expensive. Though maybe the open source OS is easier to use than OpenWrt?

> I think so. It is very expensive for a home user. Using pfSense or another open source OS is better.

Yes, it is for home users, and yes, for some home users it may be expensive. However, there is no universal definition for "expensive". Let the user decide if he or she wants to buy it.

Besides, all software (e.g. OpenWrt, pfSense, Endian Firewall, IPFire, OPNsense) needs hardware to run it.

hasanalizxc commented 5 years ago

> The device is very expensive. Though maybe the open source OS is easier to use than OpenWrt?

> I think so. It is very expensive for a home user. Using pfSense or another open source OS is better.

> Yes, it is for home users, and yes, for some home users it may be expensive. However, there is no universal definition for "expensive". Let the user decide if he or she wants to buy it.

> Besides, all software (e.g. OpenWrt, pfSense, Endian Firewall, IPFire, OPNsense) needs hardware to run it.

Let the user decide, OK, but this is not exactly for home users. Can be partly, 50%.

hugoncosta commented 5 years ago

I believe the router idea, even though a bit hard to swallow by home users, especially those that are new to this neck of the woods, would be a good inclusion to #616. Regarding network security, I'll whip up something with the two current distinctions and we'll move on from there.

kewde commented 5 years ago

I don't think on-device firewalls are worth discussing, all operating systems that I've come across come with secure-by-default firewall settings.

Things worth discussing IMO:

There are some security remarks to be made against the OpenWrt Transparent Tor implementation. The Tor Browser remains the best solution (Control port, additional fingerprint hardening, general browser security, ..). On the topic of routers, I think it's also worth noting the maximum transmission speed (10 Gbps?).

asddsaz commented 5 years ago

> We recommend the Czech Turris Omnia router for home users: https://omnia.turris.cz/en/

> * Most components are open hardware

> * It runs customized OpenWrt and open source software only

> * You can add your own hardware components and customize the software setup

> * At the same time, it comes with an easy-to-understand web interface for non-technical people

> We wrote several articles about it: https://infosec-handbook.eu/as-hns/

Turris is not open-source and has no plans to change this (source: https://forum.turris.cz/t/is-turris-applying-for-ryf-certification/8602). Therefore, they do not meet the contribution guidelines.

The only routers that I believe meet these standards are these: Minifree and ThinkPenguin.

ghost commented 5 years ago

The operating system is open source https://github.com/CZ-NIC/turris-os

asddsaz commented 5 years ago

@Shifterovich If I understand correctly, it is not free and you cannot swap it out for a different OS.

There is a Github issue on this: https://github.com/CZ-NIC/turris-os/issues/89

Either way, it should not meet the Quality over Quantity guidelines, considering free'd alternatives are available.

ghost commented 5 years ago

> Both have proprietary blobs for the 5GHz wifi card. If you pull that one out then it should contain only non-proprietary software. In MOX there is one additional thing: there is a secure firmware that locks our crypto keys in the CPU. This firmware is open-source but without our key nobody can build a new version. It is the only way we can ensure the security of private keys generated on the device.

> The hardware itself is not libre. Both the CPU and the switch chip do not have public datasheets and we don't have the right to release them. Unfortunately this is a tradeoff between a powerful, feature-full device and libre hardware. That also answers your third question.

Seems like it would be possible to make it fully open source, but yeah, we can just recommend openwrt instead.

asddsaz commented 5 years ago

@Shifterovich I would recommend LibreCMC. But OpenWrt is better than nothing. :)

Make sure to look into PR #616

ghost commented 5 years ago

I don't use either, so sure, if LibreCMC is better, then we'll go with that. I just noticed that Turris OS is an OpenWrt fork.

ghost commented 5 years ago

Just for clarification:

> Either way, it should not meet the Quality over Quantity guidelines, considering free'd alternatives are available.

The above-mentioned guidelines only contain "Software Criteria" that are somewhat vague.

ghost commented 5 years ago

Thanks for clarifying the terms. @infosec-handbook are there any important features added by CZ.NIC to Turris OS compared to other router operating systems we recommend?

ghost commented 5 years ago

@Shifterovich

> Thanks for clarifying the terms. @infosec-handbook are there any important features added by CZ.NIC to Turris OS compared to other router operating systems we recommend?

"Important features" is more or less subjective.

Benefits are (subjectively perceived) secure defaults (compared with other routers, Turris OS comes with a more strict security configuration like password protection, DNSSEC support, automatic updates, …) and a UI that is easy-to-understand for non-technical people while people can still customize the OS by installing and configuring additional packages.

zoonderkins commented 5 years ago

I would suggest these 2:

  1. OPNsense
  2. GL.iNet