An open source router built for security

Light and Shadow

During a test in an inner-city office in Berlin, we regularly reached wireless data rates with the Turris Omnia of over 800Mbps. This rate corresponds almost exactly to the maximum possible gross data rate of 1.3Gbps that 802.11ac theoretically allows. No other 802.11ac router we put into operation for comparison achieved higher data throughput. The router is therefore in the absolute top group in terms of wireless performance.

The Turris Omnia also has its downsides, including its price/performance ratio. At a purchase price of EUR289/329, the router is in the upper mid-price range, although it lacks interfaces for analog or ISDN phones. You can, however, retrofit telephony features if you have some background knowledge.

Conclusions

The Turris Omnia is an excellent piece of hardware. Both the workmanship and the underlying, open concept offer no leeway for criticism. However, this does make the missing telephony features all the more apparent. The update function makes a good impression, and given the organization behind the Turris Omnia project, users can expect long-term support. The distributed firewall will need to demonstrate its capabilities in a long-term test.

If you do not feel comfortable with the thought of a third party analyzing your data, you do not need to activate this option and can simply rely on the built-in firewall. The firewall supports highly granular configuration, given appropriate knowledge. However, the Turris Omnia would benefit from a clearer and more user-friendly configuration interface for non-Linux experts.

Interview: Turris Omnia Development Head Bedrich Kosata

The Turris Omnia is not the first hardware project by the CZ.NIC. We caught up with Bedrich Kosata, Head of Development for the Turris Omnia, at the OpenWrt summit in Berlin, Germany, and asked about the objectives for development of this ultra-secure router.

Linux Magazine: The domain registrar CZ.NIC manages the top-level domain in the Czech Republic. What prompted the company to also develop network equipment for end users?

Bedrich Kosata: We are a non-profit company and seek to use profits from the CZ domain for the good of the public. This is why we focus on open source and IT security. So we figured that it would be instructive to see what kind of traffic flows between the Internet and home networks – who attempts access to home networks and in what way. The idea evolved into the Turris project: We gave the people special routers, just to monitor this traffic and to see whether we could identify anomalies, malicious software, or the like.

LM: When was the Turris project founded?

BK: We had the idea at the end of 2012, and we started the project in 2013. Initially, we did not want to make our own hardware, but we failed to find any products that met our standards. We thus had to develop the hardware ourselves from scratch, willing or not. In 2014, we delivered the first two router models free of charge, in exchange for data from users. Anyone who wanted to take part just had to sign a contract for three years. In return, we maintained the boxes and provided updates but also collected data for analysis.

LM: Now the Turris Omnia is ready – the third router by CZ.NIC and the first financed by crowd funding. How did you manage to make the device completely open source?

BK: We open-sourced all the chips so that the mainline kernel would support them; all the drivers were required to be open source. The only exception is the WiFi driver: You will not find a completely free driver; there is always binary firmware that is not disclosed.

LM: What makes this router secure?

BK: It all starts with the basic setup. It is well known that default passwords are some of the biggest security problems on the Internet. That's why we force the user to define their own, sufficiently strong passwords during the setup. This makes our router secure from the outset, in addition to regular updates and advanced features such as the distributed firewall.

LM: The distributed firewall – what is that exactly?

BK: The firewall collects data from various sources – the routers themselves, but also from our company or externally from the Internet. From this we create an IP graylist and watch the conspicuous addresses in particular. If a router connects to one of these addresses and we discover suspicious or malicious activity, we warn our users.

LM: This is not something that everyone will want – isn't this an invasion of privacy?

BK: By default, the distributed firewall is not active; the user has to enable it explicitly. We are not interested in the private data but only in the local firewall logs: This information lets us see who is attempting to log onto the router from the outside, and which services are especially subject to attack. To discover what is happening on their own routers, users can use a special portal that also shows the volumes of data exchanged between the router and the Internet.

We collect only the information that we really need, in particular metadata – who is talking to whom. We are not interested in the content at all. Our analysts see only anonymized data sets; also, we destroy all the individual data after ten days and then only keep the aggregated traffic data. This is also part of our privacy policy, which the user has to agree with.

LM: Are there more security measures in addition to the distributed firewall and local hardening of the router?

BK: We have also set up honeypots in the form of virtual routers and servers to determine how attackers attempt to intrude. In the case of Telnet access, we only present a login where the attacker can continually enter their username and password, until it gets on their nerves and they give up. But this provides us with interesting data about botnets in particular. The SSH honeypot shows the attacker a system that they can supposedly infiltrate. We thus learn what kind of malware the attackers are trying to install and can analyze the results. The honeypot is isolated from the user routers so that real routers will not be compromised.

LM: For some time, open source routers have had a problem with official approval: The US FCC, in particular, but also the EU, require some kind of lockdown of the wireless interface. How do you handle this?

BK: That is a real problem. We are in the process of pursuing FCC approval, which is seriously slowing us down. We want to make the router as open as possible, and now we need to lock down part of the hardware. Currently, we are collaborating with the manufacturer of the WiFi cards to find a good solution for all parties. Ultimately, we will probably need to offer a separate version with a lockdown for the US market in order to achieve FCC certification.
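As an added illustration (not CZ.NIC's code), here is the data flow Kosata describes for the distributed firewall: parse the router's own firewall log into metadata only, flag traffic with graylisted addresses as the trigger for a user warning, hash LAN addresses before analysts see them, count which services are attacked, and destroy individual records after ten days while keeping the aggregate. The log format, graylist, LAN range and hashing scheme are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta
import hashlib
import ipaddress
import re

RETENTION = timedelta(days=10)                    # individual records are destroyed after ten days
LAN_NET = ipaddress.ip_network("192.168.0.0/16")  # assumption: the home network behind the router
GRAYLIST = {"203.0.113.7"}                        # constructed: addresses flagged as conspicuous elsewhere

# Constructed sample log, iptables-style, as a router firewall might write it.
SAMPLE_LOG = """\
2016-11-03 10:15:01 DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
2016-11-03 10:15:04 DROP IN=eth0 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP DPT=22
2016-11-03 10:15:09 DROP IN=eth0 SRC=198.51.100.21 DST=192.0.2.10 PROTO=TCP DPT=23
2016-11-03 10:16:30 ACCEPT IN=br-lan SRC=192.168.1.5 DST=203.0.113.7 PROTO=TCP DPT=443
"""
LINE = re.compile(r"^(\S+ \S+) (DROP|ACCEPT) IN=\S+ SRC=(\S+) DST=(\S+) PROTO=\S+ DPT=(\d+)$")

def parse(log):
    """Keep metadata only (who talked to whom, when, on which port); nothing about content."""
    records = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            records.append({"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                            "verdict": m.group(2), "src": m.group(3), "dst": m.group(4),
                            "dport": int(m.group(5))})
    return records

def graylist_hits(records, graylist=GRAYLIST):
    """Traffic with a graylisted address in either direction: the trigger for a user warning."""
    return [r for r in records if r["src"] in graylist or r["dst"] in graylist]

def anonymize(records, salt):
    """What analysts see: LAN addresses replaced by a salted hash, Internet addresses kept."""
    def h(ip):
        if ipaddress.ip_address(ip) in LAN_NET:
            return hashlib.sha256(salt + ip.encode()).hexdigest()[:12]
        return ip
    return [dict(r, src=h(r["src"]), dst=h(r["dst"])) for r in records]

def attacked_services(records):
    """Which services are especially subject to attack: dropped inbound attempts per port."""
    return Counter(r["dport"] for r in records if r["verdict"] == "DROP")

def expire(records, aggregate, now):
    """Destroy individual records older than RETENTION, folding them into the aggregate first."""
    old = [r for r in records if now - r["ts"] > RETENTION]
    aggregate.update(attacked_services(old))
    return [r for r in records if now - r["ts"] <= RETENTION]
```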

