An open source router built for security
Secure Networker
Home routers are known for weak security. Turris Omnia is an attempt to build a better router through the power of open source.
Hundreds of Internet routers inhabit the IT consumer marketplace. However, the little boxes that connect our home or work offices to the Internet are continually causing a stir. At the end of November 2016, 900,000 customers of a German telecom company were cut off from the Internet for hours – and even for days – because the Speedport router supplied by the company fell victim to a denial of service attack.
Strangely enough, the attack was not even intended for the routers. Instead, the attackers wanted to penetrate the vulnerable remote maintenance interface of a completely different device type. In order to exploit an existing vulnerability of the targeted routers, and thus integrate them into a botnet, the attackers indiscriminately flooded the Internet with port-knocking packets to open a communication channel to the affected systems.
An investigation revealed that the company had left port 7547/TCP wide open on the devices; customers had warned the company as early as 2014 of this potential and completely unnecessary vulnerability, but for whatever reason, many devices were still vulnerable.
The reward for this incredible sloppiness was the attack: The many incoming request packets to the remote maintenance interface that had needlessly been left open were unable to open the affected port and certainly unable to infect the systems, which were essentially immune. But the sheer mass of packets confused the routers so thoroughly that they stopped working entirely.
This kind of negligence is, unfortunately, all too common with network device providers: Unneeded ports are left open, default passwords are active for far too long, and vulnerable system software remains unpatched. Users often don't even receive a warning, or if they do – as they did with the German telecom – they often ignore potential security problems until the disaster hits home.
As several studies have revealed, many home routers are incredibly insecure, with out-of-date firmware, open ports, and unpatched operating systems. Most business networks have an IT professional – or sometimes a whole team of professionals – overseeing the security system and interpreting event logs to look for signs of intrusion. On home networks, the only "admin" is the router owner, who is typically an amateur with neither the time nor the inclination to become an expert in the home router appliance.
The need for better security, and for ongoing monitoring of home router traffic to look for possible attacks, has led to an innovative program sponsored by CZ.NIC, the non-profit company that manages the Czech Republic's top-level domain. CZ.NIC designed its own router for users on its network. The Turris Omnia router [1], which was financed through a crowd-funding campaign, incorporates some best practices missing from many router designs and is intended to be very secure.
One of the more interesting features of the Turris Omnia is that it can collect data on incoming traffic to look for signs of an attack in progress. The data is forwarded back to CZ.NIC and can be used to warn other users and, ideally, develop a remedy for the attack.
The Turris Omnia, which uses open source software and open hardware wherever possible, is a good example of a real-world device built to harness the power of the OpenWrt Linux project [2] for residential gateways and other embedded devices. The Omnia is available now in Europe. FCC approval for use in the US is still pending (see the interview with head developer Bedrich Kosata at the end of this article). We decided to investigate the Turris Omnia because it seemed like an interesting approach to the persistent problem of home router security.
High Tech in Plain Wrappings
The Turris Omnia router comes in two variants that only differ in terms of memory. Just EUR289 (a little over $300) will buy you the router with 1GB of RAM, and EUR329 (around $350) gets you twice the capacity. The Turris Omnia impresses with powerful hardware under the hood. A two-core 1.6GHz ARM CPU is at the heart of the machine, with 8GB of permanent SSD storage.
Thanks to the three mini-PCI Express slots, one of which supports the SATA protocol, storage can be extended with SSD blades. On delivery, two of the three slots are occupied by WiFi 802.11b/g/n and ac modules (Figure 1). Besides storage media, the slots can also take an LTE modem or additional WiFi modules. The router is prepared for cellular modules and has a SIM card slot on the motherboard.
The entire hardware of the Turris Omnia is fully supported by the current Linux kernel. With one exception, free drivers and documentation are available for all components; only the WiFi interface requires a binary from the manufacturer.
Visually the Turris Omnia is quite unobtrusive. The technology is encased in the kind of unadorned metal housing typical of (semi-)professional network technology. The 12 LEDs on the front deliver information on the current status; you can control the brightness and even color by using a switch on the right side. In addition to the LEDs, the unit has two ready-for-use USB 3.0 ports on the left front.
The back of the router is dominated by three WiFi antennas, which can easily be replaced depending on how you plan to use the device. When you look at the connections, the SFP port is quite a surprise: It can house various networking modules and is rarely found in devices in this price range (see the box titled "SFP").
SFP
The acronym SFP stands for Small Form-factor Pluggable. The SFP specification defines modular, hot-swappable optical or electrical transceivers for Gigabit Ethernet, Fibre Channel, and SONET. The original specification envisages a 5Gbps data rate, although SFP+ interfaces now exist with up to 10Gbps.
You can use the SFP interface (Figure 2) to integrate the router with the LAN or on the Internet with a high-end network medium such as glass fiber. Alternatively, the port will accommodate a modem for VDSL or other connection technologies. If you are already using a broadband modem, you can connect it with the Turris Omnia via the GbE-capable WAN interface and a network cable. Five Gigabit network sockets and a second USB 3.0 port complete the range of interfaces.
Open in the Positive Sense
The system software is based on OpenWrt, the open source router operating system; the hardware is almost completely documented and described. This open information policy means a user with sufficient skill can check the source code or even build a completely new router.
Even if you do not want to go that far, you could still expand and rebuild the installed system or replace the software with a different distribution.
The built-in distributed firewall is one of the outstanding and unique features of the router. The firewall is designed to protect the user against zero-day exploits. CZ.NIC wants to detect and analyze these attacks and evolve counter-strategies from the findings as soon as possible, transmitting the necessary fix directly to the consumer equipment.
To monitor the network for a possible attack, the manufacturer collects the data traffic between the client and the Internet. Turris Development Director Bedrich Kosata explains: "The fact that we are familiar with the traffic of many customers, who are anonymous for us, means that we have a large database; this large collection of data will ultimately benefit customers." CZ.NIC analyzes the data for unusual patterns. In case of conspicuous or even suspicious behavior in the traffic, it warns customers. In its delivered state, the firewall is disabled; the customer first needs to enable it. That is, CZ.NIC lets the users decide, said Kosata, whether they want to have their data traffic analyzed. CZ.NIC only uses the acquired data for traffic analysis, and this information is subject to very strict rules on data protection.
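To make the kind of analysis described above concrete, here is an added example that is not CZ.NIC's code and not part of the original article. It runs two simple detectors over firewall log lines in the format the netfilter LOG target produces in OpenWrt's `logread`: one flags a single port hit by many distinct sources within one minute, which is the shape of the 7547/TCP sweep described earlier, and the other flags one source probing many ports. It goes slightly beyond the article by handling the scan pattern as well as the sweep pattern. The log lines, the addresses (all from documentation ranges), the `REJECT wan in:` log prefix and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Matches netfilter LOG lines as they appear in `logread` on OpenWrt.
# Only the minute of the timestamp, source address, protocol and
# destination port are captured; everything else is ignored.
LINE_RE = re.compile(
    r"^(?P<minute>\w{3} +\d+ \d\d:\d\d):\d\d .*?SRC=(?P<src>[0-9a-fA-F.:]+) "
    r".*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


@dataclass
class PortStats:
    hits: int = 0
    sources: set = field(default_factory=set)


def parse(lines):
    """Yield (minute, src, proto, dport) for every line the regex understands."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m["minute"], m["src"], m["proto"], int(m["dpt"])


def find_floods(lines, min_hits=20, min_sources=10):
    """Ports that received at least min_hits rejected packets from at least
    min_sources distinct addresses within one minute. Many sources, one port
    is the signature of a botnet sweep for a single service."""
    stats = defaultdict(lambda: defaultdict(PortStats))  # minute -> (proto, port)
    for minute, src, proto, dport in parse(lines):
        s = stats[minute][(proto, dport)]
        s.hits += 1
        s.sources.add(src)
    alerts = []
    for minute, ports in stats.items():
        for (proto, port), s in ports.items():
            if s.hits >= min_hits and len(s.sources) >= min_sources:
                alerts.append((minute, proto, port, s.hits, len(s.sources)))
    return sorted(alerts)


def find_scanners(lines, min_ports=10):
    """Sources that touched at least min_ports distinct (proto, port) pairs
    within one minute: one source, many ports is a port scan."""
    seen = defaultdict(lambda: defaultdict(set))  # minute -> src -> {(proto, port)}
    for minute, src, proto, dport in parse(lines):
        seen[minute][src].add((proto, dport))
    alerts = [
        (minute, src, len(ports))
        for minute, by_src in seen.items()
        for src, ports in by_src.items()
        if len(ports) >= min_ports
    ]
    return sorted(alerts)


def constructed_sample():
    """Constructed log excerpt (not a real capture): a little background noise,
    40 distinct addresses hitting 7547/TCP in one minute, and one address
    walking 15 ports in the next minute. Addresses are documentation ranges."""
    tmpl = ("Nov 27 21:{m:02d}:{s:02d} omnia kern.warn kernel: REJECT wan in: "
            "IN=eth1 OUT= SRC={src} DST=198.51.100.20 PROTO={proto} "
            "SPT=40000 DPT={dpt} SYN")
    lines = [
        tmpl.format(m=3, s=1, src="198.51.100.7", proto="TCP", dpt=22),
        tmpl.format(m=3, s=5, src="192.0.2.44", proto="UDP", dpt=53),
        tmpl.format(m=3, s=9, src="203.0.113.200", proto="TCP", dpt=443),
    ]
    for i in range(40):
        lines.append(tmpl.format(m=3, s=10 + i, src=f"203.0.113.{i + 1}",
                                 proto="TCP", dpt=7547))
    for i in range(15):
        lines.append(tmpl.format(m=4, s=i, src="192.0.2.99",
                                 proto="TCP", dpt=8000 + i))
    return lines


if __name__ == "__main__":
    sample = constructed_sample()
    for minute, proto, port, hits, srcs in find_floods(sample):
        print(f"{minute}: {hits} rejected packets to {proto}/{port} from {srcs} sources")
    for minute, src, n in find_scanners(sample):
        print(f"{minute}: {src} probed {n} ports")
```

Run it against a real `logread` dump by replacing `constructed_sample()` with the file's lines; the two thresholds are deliberately separate, because a single noisy host hitting one port many times is a different (and less interesting) event than many hosts converging on the same port, which is what makes a service-wide sweep stand out across a fleet of routers.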
The auto-update feature is one of the additional security measures. During setup, the router asks whether you want to use the function. If you prefer mature software, you can do without the auto-updater. In view of recent IT security incidents, however, you are better off installing updates as soon as they are available.
Another indicator of the Turris Omnia's sophisticated security is that no Internet-facing ports are open in the factory defaults. Functions such as UPnP are disabled; you need to enable WiFi only during the initial setup, and you need to set all the access credentials yourself during guided commissioning.
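The claim that nothing is open toward the Internet is something you can verify on your own router rather than take on trust. The following is an added example, not code from the article or from the Turris project: it reads the listening-socket table that BusyBox `netstat -tuln` prints on OpenWrt (the table here is constructed) and separates sockets bound only to a LAN address from those bound to every address, then checks the latter against a model of which (protocol, port) pairs the firewall's wan zone accepts. OpenWrt's default wan zone rejects all inbound traffic, so a wildcard bind alone, like the 7547/TCP and 1900/UDP (SSDP, the discovery side of UPnP) entries in the sample, is only exposed if a firewall rule lets it through. The sample table, the `wan_accept` set and the WAN address parameter are assumptions for illustration.

```python
# Constructed BusyBox `netstat -tuln` output as OpenWrt prints it (not a real capture).
CONSTRUCTED_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:7547            0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 192.168.1.1:67          0.0.0.0:*
udp        0      0 0.0.0.0:1900            0.0.0.0:*
"""

# Bind addresses that accept packets arriving on any interface.
WILDCARDS = {"0.0.0.0", "::"}


def parse_listeners(text):
    """Return (proto, bind_address, port) for every tcp/udp listener line."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("tcp", "udp"):
            continue
        # rsplit keeps IPv6 addresses such as ':::22' intact ('::' + '22')
        addr, port = parts[3].rsplit(":", 1)
        listeners.append((parts[0], addr, int(port)))
    return listeners


def wan_candidates(text, wan_addresses=frozenset()):
    """Sockets that would answer on the WAN side if the firewall let the
    packets through: anything bound to a wildcard or to a WAN address.
    Sockets bound only to a LAN address never see WAN traffic at all."""
    return [l for l in parse_listeners(text)
            if l[1] in WILDCARDS or l[1] in wan_addresses]


def exposed(text, wan_accept, wan_addresses=frozenset()):
    """Candidates whose (proto, port) the wan zone actually accepts.
    wan_accept models the firewall's accept rules for inbound wan traffic
    (assumption); with OpenWrt's default of input REJECT on the wan zone
    it is empty and nothing is reachable from outside."""
    return [l for l in wan_candidates(text, wan_addresses)
            if (l[0], l[2]) in wan_accept]


def review(text, wan_accept, wan_addresses=frozenset()):
    """One verdict per listener: LAN-only, wildcard but blocked, or EXPOSED."""
    candidates = set(wan_candidates(text, wan_addresses))
    open_ports = set(exposed(text, wan_accept, wan_addresses))
    verdicts = []
    for l in parse_listeners(text):
        if l in open_ports:
            verdict = "EXPOSED"
        elif l in candidates:
            verdict = "wildcard bind, blocked by wan zone"
        else:
            verdict = "LAN-only bind"
        verdicts.append((l, verdict))
    return verdicts


if __name__ == "__main__":
    # Constructed scenario: someone added a wan rule accepting 7547/TCP.
    for (proto, addr, port), verdict in review(CONSTRUCTED_NETSTAT, {("tcp", 7547)}):
        print(f"{proto:3} {addr}:{port:<5} {verdict}")
```

Two things the verdicts make visible that a plain port list does not: a wildcard bind is a latent exposure that survives only because the firewall policy holds, which is why the entries marked "blocked by wan zone" still deserve a look (a service that does not need to listen on every address should be bound to the LAN address, as the 80/TCP and 67/UDP entries are); and an accept rule on the wan zone, not the listening socket, is what turns that latent exposure into a reachable service.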
Simple or Complex?
Installing the Turris Omnia is quick and easy. First, connect the device to the power supply and then connect the WAN port to a modem using a cable. Use a network cable to connect one of your own computers to one of the five Ethernet ports on the router for the initial setup. Then, open the router's web interface in a browser on that computer to reach the homepage of a simple, but quite effectively designed, installation dialog. The installer guides you through the start-up in 10 steps.
You'll create the necessary access credentials and enable the well-secured WiFi network, among other things. The whole device is up and running within a few minutes. If the software needs to download many updates, this can take a little longer, depending on the bandwidth of your Internet connection. You can then access the simple web interface of Turris Omnia, where you can configure basic settings. Although these are sufficient for general operation, they omit important functions, such as network-attached storage (NAS). All the options are described well.
Things look quite different in the advanced section: Regardless of the visually appealing design and good structure, the options offered here require in-depth expertise. The interface offers you the possibility to influence virtually every aspect of the router and the software – far beyond what even a demanding home user or small office will need (Figure 3).