tweeksjunk2 at theweeks.org
Wed Jun 17 20:47:05 CDT 2009
On Tuesday 16 June 2009 10:39:00 pm Bruce Dubbs wrote:
> I am interested in experiences that SATLuggers have had with home routers.
> What I have been using is an old PC with two Ethernet cards running
> iptables. This functions fine but is a bit noisy and uses too much space.
I see an almost unanimous vote for the Linksys WRT54g's.. which I too have at
my house. Just not on the outer edge of my network.
I have some long trusted precepts about security. One of my big security
beliefs is that "Off the Shelf Security is an oxymoron". After all, if
someone scans your edge router and can ID it as a well known firewall device
or OTS system.. then their target has been identified, known, and can be
studied and dissected. Now.. depending on what they can identify will
indicate the best attack vector to get in.
That being said.. reflashing such a device (as we've all discussed) with an
alternate WRT distro is a good first step to get away from that OTS mode of
operation. I too run a WRT54G on ddwrt (further in on my network).
While I know that you can do a lot with WRT54Gs (adding a SD card interface,
applications, serial console, etc...) for MY edge device, I run a cheap,
underclocked 500MHz AMD K6 (CPU fan removed) with three NICs (Int, Ext, and
DMZ), an internal switch, and a CD-ROM. This functions as both my router,
firewall, caching DNS server, and DHCP server, all running under the Devil
Linux (http://www.devil-linux.org/) live firewall CD distro.
The whole distro boots from CD-ROM (read only obviously).. and the configs are
all stored on a write-protected USB flash drive. Devil Linux is very
configurable, has a ton of preconfigured daemons you can run (if you're ok
with running daemons on an edge/firewall device), and in my near-zero moving
parts config, generally runs years without reboots (never actually rebooted
it.. just powered back up when the UPS fails or runs out).
I like this config because it's rock solid (physically/thermally), it's
definitely NOT "OTS", and is VERY secure -- in that even if someone WERE
able to compromise the config.. a quick power cycle clears any traces of an
intruder.. and can be immediately rebooted, and a "system upgrade" consists
of ejecting the old version, inserting the new version and rebooting (reading
the configs off flash).
Anyway.. if anyone's interested.. I've done multiple presentations on doing
your own Devil Linux based system. See here:
(based on Chapter 7 of "Linux Toys II" that I wrote for)
I like that the Devil Linux doesn't abstract me from the actual security of
the device role (plus you're almost guaranteed to learn some cool stuff).
While you can use DL's cool little ncurses menu to select a default 2-NIC and
3-NIC configuration.. DL encourages you to dig into the firewall config file
(very well documented bash start script) and by doing so, really understand
and control the innards of exactly what your security is comprised of.. step
by step and port by port.
In other point-n-click firewall systems.. you don't so much KNOW the inner
workings of your security device as much as you just trust that someone else
has properly set it all up and secured the back end for you (and that their
intentions are pure). With DL, your security really is in your control.
While DDWRT CAN allow you to do this.. the GUI attracts the lazy, less secure
side in us all.. ;)
Which leads to my second belief about security... you can't effectively trust
a system that someone else has built for you. Or if you do choose to do so,
there are specific certainties that you surrender in the process.
I'm not saying that everyone should build their own router/firewall from
scratch.. (or use "Linux from Scratch" as I'm sure you're inclined Dr.
Bruce ;).. but I DO encourage people to THINK about these issues and what
they represent in the realm of actual security.
All this being said.. the WRT54G IS a great little unit if re-flashed with
something like DDWRT (http://www.dd-wrt.com/) or Tomato
(http://www.polarcloud.com/tomato)... and I WOULD probably trust it as a
network edge device in a home, or other unclassified environment.. However I
wouldn't trust it for serving reliable DHCP service in my home, much less in
a production environment. Even with DDWRT in place.. I've seen the DHCP
daemon (on that platform) lock up or stop issuing IPs in a number of
different environments. So if you are going to use it as your edge device, I
would at least run DHCPd on another HA server inside your network.
Okay.. I've blathered on too much..
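The three-NIC Int/Ext/DMZ ruleset the post describes, written "port by port" as an added example (this is not the Devil Linux rc script nor anything from the post). It emits an iptables-restore ruleset for review and only applies it when asked; the interface names, subnets and the DMZ service ports are assumptions.

```shell
#!/bin/sh
# Added example: a reviewable Int/Ext/DMZ ruleset in iptables-restore format.
# Interface names, subnets and DMZ_PORTS are assumed values, not from the post.
EXT=eth0; INT=eth1; DMZ=eth2
INT_NET=192.168.1.0/24; DMZ_NET=192.168.2.0/24
DMZ_PORTS="80,443"   # the only DMZ services the outside may reach

build_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Stateful: packets belonging to a session already allowed are fine
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# The router itself offers DNS and DHCP to the inside only
# (DHCP discovers come from 0.0.0.0, so no -s match on that rule)
-A INPUT -i $INT -p udp --dport 67 -j ACCEPT
-A INPUT -i $INT -s $INT_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $INT -s $INT_NET -p tcp --dport 53 -j ACCEPT
# Inside may open sessions to the outside and to the DMZ
-A FORWARD -i $INT -o $EXT -s $INT_NET -j ACCEPT
-A FORWARD -i $INT -o $DMZ -s $INT_NET -d $DMZ_NET -j ACCEPT
# Outside may open sessions only to the published DMZ ports
-A FORWARD -i $EXT -o $DMZ -d $DMZ_NET -p tcp -m multiport --dports $DMZ_PORTS -m conntrack --ctstate NEW -j ACCEPT
# DMZ hosts get no rule of their own: a compromised DMZ box cannot reach inside
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $EXT -j MASQUERADE
COMMIT
EOF
}

# How many rules let a new session start from a given ingress interface
count_new_from() { build_rules | grep -c -- "-i $1 " || true; }

case "$1" in
  apply) build_rules | iptables-restore ;;   # on the router only, as root
  *)     build_rules ;;                      # default: print for review
esac
```

Run it with no argument to read the ruleset; `count_new_from eth2` returning 0 is the check that the DMZ can never initiate toward the inside or the router.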