An open source router built for security
Light and Shadow
During a test in an inner-city office in Berlin, we regularly reached wireless data rates of over 800Mbps with the Turris Omnia. This rate corresponds almost exactly to the maximum possible gross data rate of 1.3Gbps that 802.11ac theoretically allows. No other 802.11ac router we put into operation for comparison achieved higher data throughput. The router is therefore in the absolute top group in terms of wireless performance.
The Turris Omnia also has its downsides, including its price/performance ratio. At a purchase price of EUR289/329, the router is in the upper mid-price range, although it lacks interfaces for analog or ISDN phones. You can, however, retrofit telephony features if you have some background knowledge.
Conclusions
The Turris Omnia is an excellent piece of hardware. Both the workmanship and the underlying, open concept offer no leeway for criticism. However, this does make the missing telephony features all the more apparent. The update function makes a good impression, and given the organization behind the Turris Omnia project, users can expect long-term support. The distributed firewall will need to demonstrate its capabilities in a long-term test.
If you do not feel comfortable with the thought of a third party analyzing your data, you do not need to activate this option and can simply rely on the built-in firewall. The firewall supports highly granular configuration, given appropriate knowledge. However, the Turris Omnia would benefit from a clearer and more user-friendly configuration interface for non-Linux experts.
Interview: Turris Omnia Development Head Bedrich Kosata
The Turris Omnia is not the first hardware project by CZ.NIC. We caught up with Bedrich Kosata, Head of Development for the Turris Omnia, at the OpenWrt summit in Berlin, Germany, and asked about the objectives for development of this ultra-secure router.
Linux Magazine: The domain registrar CZ.NIC manages the top-level domain in the Czech Republic. What prompted the company to also develop network equipment for end users?
Bedrich Kosata: We are a non-profit company and seek to use profits from the CZ domain for the good of the public. This is why we focus on open source and IT security. So we figured that it would be instructive to see what kind of traffic flows between the Internet and home networks – who attempts access to home networks and in what way. The idea evolved into the Turris project: We gave the people special routers, just to monitor this traffic and to see whether we could identify anomalies, malicious software, or the like.
LM: When was the Turris project founded?
BK: We had the idea at the end of 2012, and we started the project in 2013. Initially, we did not want to make our own hardware, but we failed to find any products that met our standards. We thus had to develop the hardware ourselves from scratch, whether we wanted to or not. In 2014, we delivered the first two router models free of charge, in exchange for data from users. Anyone who wanted to take part just had to sign a contract for three years. In return, we maintained the boxes and provided updates but also collected data for analysis.
LM: Now the Turris Omnia is ready – the third router by CZ.NIC and the first financed by crowd funding. How did you manage to make the device completely open source?
BK: We open-sourced all the chips so that the mainline kernel would support them; all the drivers were required to be open source. The only exception is the WiFi driver: You will not find a completely free driver; there is always binary firmware that is not disclosed.
LM: What makes this router secure?
BK: It all starts with the basic setup. It is well known that default passwords are some of the biggest security problems on the Internet. That's why we force the user to define their own, sufficiently strong passwords during the setup. This makes our router secure from the outset, in addition to regular updates and advanced features such as the distributed firewall.
LM: The distributed firewall – what is that exactly?
BK: The firewall collects data from various sources – the routers themselves, but also from our company or externally from the Internet. From this we create an IP graylist and watch the conspicuous addresses in particular. If a router connects to one of these addresses and we discover suspicious or malicious activity, we warn our users.
LM: This is not something that everyone will want – isn't this an invasion of privacy?
BK: By default, the distributed firewall is not active; the user has to enable it explicitly. We are not interested in the private data but only in the local firewall logs: This information lets us see who is attempting to log onto the router from the outside, and which services are especially subject to attack. To discover what is happening on their own routers, users can use a special portal that also shows the volumes of data exchanged between the router and the Internet.
We collect only the information that we really need, in particular metadata – who is talking to whom. We are not interested in the content at all. Our analysts see only anonymized data sets; also, we destroy all the individual data after ten days and then only keep the aggregated traffic data. This is also part of our privacy policy, which the user has to agree with.
LM: Are there more security measures in addition to the distributed firewall and local hardening of the router?
BK: We have also set up honeypots in the form of virtual routers and servers to determine how attackers attempt to intrude. In the case of Telnet access, we only present a login where the attacker can continually enter their username and password, until it gets on their nerves and they give up. But this provides us with interesting data about botnets in particular. The SSH honeypot shows the attacker a system that they can supposedly infiltrate. We thus learn what kind of malware the attackers are trying to install and can analyze the results. The honeypot is isolated from the user routers so that real routers will not be compromised.
LM: For some time, open source routers have had a problem with official approval: The US FCC, in particular, but also the EU, require some kind of lockdown of the wireless interface. How do you handle this?
BK: That is a real problem. We are in the process of pursuing FCC approval, which is seriously slowing us down. We want to make the router as open as possible, and now we need to lock down part of the hardware. Currently, we are collaborating with the manufacturer of the WiFi cards to find a good solution for all parties. Ultimately, we will probably need to offer a separate version with a lockdown for the US market in order to achieve FCC certification.
Infos
- Turris Omnia: https://omnia.turris.cz/en/
- OpenWrt: https://openwrt.org