[SATLUG] Routers

Tweeks tweeksjunk2 at theweeks.org
Wed Jun 17 20:47:05 CDT 2009


On Tuesday 16 June 2009 10:39:00 pm Bruce Dubbs wrote:
> I am interested in experiences that SATLuggers have had with home routers. 
> What I have been using is an old PC with two Ethernet cards running
> iptables.  This functions fine but is a bit noisy and uses too much space.

I see an almost unanimous vote for the Linksys WRT54g's.. which I too have at 
my house.  Just not on the outer edge of my network.

I have some long trusted precepts about security.  One of my big security 
beliefs is that "Off the Shelf Security is an oxymoron".  After all, if 
someone scans your edge router and can ID it as a well known firewall device 
or OTS system.. then their target has been identified, known, and can be 
studied and dissected.  Now.. depending on what they can identify, that will 
indicate the best attack vector to get in.

That being said.. reflashing such a device (as we've all discussed) with an 
alternate WRT distro is a good first step to get away from that OTS mode of 
operation.  I too run a WRT54G on ddwrt (further in on my network).

While I know that you can do a lot with WRT54Gs (adding a SD card interface, 
applications, serial console, etc...) for MY edge device, I run a cheap, 
underclocked 500MHz AMD K6 (CPU fan removed) with three NICs (Int, Ext, and 
DMZ), an internal switch, and a CD-ROM. This functions as my router, 
firewall, caching DNS server, and DHCP server, all running under the Devil 
Linux (http://www.devil-linux.org/) live firewall CD distro.

The whole distro boots from CD-ROM (read only obviously).. and the configs are 
all stored on a write protected USB flash drive.  Devil Linux is very 
configurable, has a ton of preconfigured daemons you can run (if you're ok 
with running daemons on an edge/firewall device), and in my near-zero moving 
parts config, generally runs years without reboots (never actually rebooted 
it.. just powered back up when the UPS fails or runs out).

I like this config because it's rock solid (physically/thermally), it's 
definitely NOT "OTS", and is VERY secure -- in that even if someone WERE 
able to compromise the config.. a quick power cycle clears any traces of an 
intruder.. and can be immediately rebooted, and a "system upgrade" consists 
of ejecting the old version, inserting the new version and rebooting (reading 
the configs off flash).

Anyway.. if anyone's interested.. I've done multiple presentations on doing 
your own Devil Linux based system.  See here:
	http://xcssa.org/files/XCSSA-SOHO-Firewall-DMZ-Web/img0.html
	(based on Chapter 7 of "Linux Toys II" that I wrote for)

I like that the Devil Linux doesn't abstract me from the actual security of 
the device role (plus you're almost guaranteed to learn some cool stuff).  
While you can use DL's cool little ncurses menu to select a default 2-NIC and 
3-NIC configuration.. DL encourages you to dig into the firewall config file 
(very well documented bash start script) and by doing so, really understand 
and control the innards of exactly what your security is comprised of.. step 
by step and port by port.

In other point-n-click firewall systems.. you don't so much KNOW the inner 
workings of your security device as much as you just trust that someone else 
has properly set it all up and secured the back end for you (and that their 
intentions are pure).  With DL, your security really is in your control.  
While DDWRT CAN allow you to do this.. the GUI attracts the lazy, less secure 
side in us all.. ;)

Which leads to my second belief about security... you can't effectively trust 
a system that someone else has built for you.  Or if you do choose to do so, 
there are specific certainties that you surrender in the process.

I'm not saying that everyone should build their own router/firewall from 
scratch.. (or use "Linux from Scratch" as I'm sure you're inclined Dr. 
Bruce ;).. but I DO encourage people to THINK about these issues and what 
they represent in the realm of actual security.

All this being said.. the WRT54G IS a great little unit if re-flashed with 
something like DDWRT (http://www.dd-wrt.com/) or Tomato 
(http://www.polarcloud.com/tomato)... and I WOULD probably trust it as a 
network edge device in a home, or other unclassified environment.. However I 
wouldn't trust it for serving reliable DHCP service in my home, much less in 
a production environment.  Even with DDWRT in place.. I've seen the DHCP 
daemon (on that platform) lock up or stop issuing IPs in a number of 
different environments.  So if you are going to use it as your edge device, I 
would at least run DHCPd on another HA server inside your network.

Okay.. I've blathered on too much.. 

Tweeks
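The three-NIC (Int, Ext, DMZ) router/firewall described in the post, configured "step by step and port by port" in a bash start script, is the kind of policy the following added example writes out. It is not code from the post or from Devil Linux: the interface names (eth0/eth1/eth2), the 192.168.x.0/24 ranges, the DMZ web host address and the `--apply` switch are all assumptions of the example, chosen so every permitted flow is one visible line and the whole thing can be printed and reviewed before it is loaded.

```shell
#!/bin/sh
# Added example (not the post's or Devil Linux's own firewall script):
# a minimal three-NIC (Int/Ext/DMZ) policy written out in iptables-restore
# format so every permitted flow is a visible line, port by port.
# Interface names and address ranges are assumptions for illustration;
# override them through the environment to match a real box.
EXT_IF="${EXT_IF:-eth0}"            # Ext: toward the ISP
INT_IF="${INT_IF:-eth1}"            # Int: trusted LAN
DMZ_IF="${DMZ_IF:-eth2}"            # DMZ: exposed hosts
INT_NET="${INT_NET:-192.168.1.0/24}"
DMZ_NET="${DMZ_NET:-192.168.2.0/24}"
DMZ_WEB="${DMZ_WEB:-192.168.2.10}"  # the one DMZ host reachable from outside

# Emit the filter and nat tables. Every built-in filter chain defaults to
# DROP, so anything not explicitly listed below is refused.
gen_filter_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback, and replies to flows the firewall already knows about
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot classify are dropped early
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# services the router itself offers, and only to the internal LAN:
# caching DNS, DHCP (client src is 0.0.0.0, so no -s filter) and SSH
-A INPUT -i ${INT_IF} -s ${INT_NET} -p udp --dport 53 -j ACCEPT
-A INPUT -i ${INT_IF} -s ${INT_NET} -p tcp --dport 53 -j ACCEPT
-A INPUT -i ${INT_IF} -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i ${INT_IF} -s ${INT_NET} -p tcp --dport 22 -j ACCEPT
# traffic the router originates: upstream DNS, NTP, DHCP replies
-A OUTPUT -o ${EXT_IF} -p udp --dport 53 -j ACCEPT
-A OUTPUT -o ${EXT_IF} -p tcp --dport 53 -j ACCEPT
-A OUTPUT -o ${EXT_IF} -p udp --dport 123 -j ACCEPT
-A OUTPUT -o ${INT_IF} -p udp --sport 67 --dport 68 -j ACCEPT
# internal LAN -> Internet, and internal LAN -> DMZ web host
-A FORWARD -i ${INT_IF} -o ${EXT_IF} -s ${INT_NET} -j ACCEPT
-A FORWARD -i ${INT_IF} -o ${DMZ_IF} -s ${INT_NET} -d ${DMZ_WEB} -p tcp --dport 80 -j ACCEPT
# Internet -> DMZ web host, port 80 only (address rewritten by the DNAT below)
-A FORWARD -i ${EXT_IF} -o ${DMZ_IF} -d ${DMZ_WEB} -p tcp --dport 80 -j ACCEPT
# DMZ may never initiate toward the internal LAN; log it so a compromised
# DMZ host probing inward shows up in the logs before the drop
-A FORWARD -i ${DMZ_IF} -o ${INT_IF} -j LOG --log-prefix "DMZ->INT: "
-A FORWARD -i ${DMZ_IF} -o ${INT_IF} -j DROP
# DMZ -> Internet: DNS only
-A FORWARD -i ${DMZ_IF} -o ${EXT_IF} -s ${DMZ_NET} -p udp --dport 53 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ${EXT_IF} -p tcp --dport 80 -j DNAT --to-destination ${DMZ_WEB}
-A POSTROUTING -o ${EXT_IF} -j MASQUERADE
COMMIT
EOF
}

# Sanity check before loading: count INPUT rules that would accept traffic
# arriving on the external interface. A correct edge policy prints 0.
ext_input_accepts() {
  gen_filter_rules | grep -c -- "^-A INPUT -i ${EXT_IF} .*-j ACCEPT" || true
}

# Print the policy by default; load it with --apply (root only).
# iptables-restore replaces the whole table in one step, so there is no
# moment where a half-built ruleset is live.
if [ "${1:-}" = "--apply" ]; then
  gen_filter_rules | iptables-restore
else
  gen_filter_rules
fi
```

Run it without arguments to print the policy, save that output next to the configs on the write-protected flash so two versions can be diffed before a "system upgrade", and run it with `--apply` as root to load it. The generator shape, rather than a hand-typed list of `iptables` commands, is what makes the check function possible: the same text that will be loaded can be inspected first.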
