posted by cmn32480 on Sunday August 07 2016, @06:07PM
from the Untangling-the-mess dept.

Submitted via IRC for TheMightyBuzzard

Router hardware has evolved and improved over the years, but its firmware remains stuck in the dark ages when it comes to security, network traffic visibility and control. Recognizing the inherent limitations in popular commercial routers, Untangle set about making a radical new OS for home routers based on its popular, broadly installed and easy-to-use NG Firewall product.

Untangle's NG Firewall will be available to flash onto various router models, beginning with the Asus AC3100 RT AC88U.

"The open source community has known for a long time what router manufacturers are loath to admit: router firmware is lacking," said Dirk Morris, founder and chief product officer at Untangle. "Projects like DD-WRT have gained traction because of the limitations of the operating systems developed by hardware manufacturers. Firmware has failed to provide adequate security to the modern home, let alone network traffic visibility and shaping. Untangle handles these issues and more."

The biggest challenge facing home networks isn't necessarily even security: it's the lack of visibility into and control over the traffic. Unlike commercial firmware on today's home Wi-Fi routers, Untangle NG Firewall logs traffic for rich, robust reporting into every facet of what's happening online: sites the kids are visiting, neighbors jumping on the wireless network, and the newest IP-enabled gadget phoning home.

Source: https://www.helpnetsecurity.com/2016/08/05/new-home-router-os/


Original Submission

  • (Score: 1, Funny) by Anonymous Coward on Sunday August 07 2016, @06:19PM

    by Anonymous Coward on Sunday August 07 2016, @06:19PM (#385012)

    Just reject SYN with RST and leave the rest alone. Goddamn whippersnappers have to complicate everything for no good reason. It's a router. It does one job.

    • (Score: 5, Insightful) by Hyperturtle on Sunday August 07 2016, @07:05PM

      by Hyperturtle (2824) on Sunday August 07 2016, @07:05PM (#385022)

      I guess I never realized that home routers were supposed to be insecure so that they were easy to use?

      Untangle, anyway, is the company behind Cymphonix, an "in-line" content filter and proxy, router, and security device that isn't a firewall when taken into the context of what traditional firewalls do.

      You can load certs into a Cymphonix and decrypt SSL conversations and look at what your users think they are encrypted and doing, and other legit MITM sorts of stuff--as well as other non-traditional methods to influence your network traffic, such as QoS not in the context of marking packets as priority or not, but instead to throttle down facebook.com's domain and sub-domains to dial-up speeds during business hours for specific authenticated users on your network, or what have you. The stuff a good network admin could do if given the right hardware and a working directory structure (or a decent authentication server, at any rate).

      It also is pricey, and in tiers -- get some giant box you lease a part of, rather than buying something you can use forever. It also is limited to specific speeds on top of the features. After doing some poking around on one, I found it was really just a VM running in VMWare and that other services could spin up and run on another IP if you leased that option, but was centrally managed from a GUI on the same box. Woe be the one that tried to be creative with its networking on the command line, because they already WERE creative on the back-end that the "owner" of the box isn't allowed to touch under most circumstances.

      I am going to guess this home product is a baby version of that, with more cripple than crutches to get it working. I do not have any experience with their "popular NG firewall", but if their comparison page is one to judge by... then I don't know anyone that is in their market. They all seem to be products intended for people that run wizards most of the time. Not that there is anything wrong with that... but for a security product, I try to at least see if what it promises to be doing is true, and that requires some level of understanding.

      This means that they probably send logs of what you do to some concentrator somewhere, and analyze the logs themselves for whatever purpose. Personalized advertisements, most likely.

      Here's one that always gets me excited: "Prevent devices from visiting malicious sites"

      Who decides this? I worked at a MS Gold Partner that blocked most of the places I would go because "Hacking, crime, phreaking" or something like that. I guess if it isn't about kittens, it's criminal.

      A cursory glance doesn't state how or what makes those decisions, but the comparison page to other router OSes that are designed for entirely different purposes and are not apples-to-apples is here: https://wiki.untangle.com/index.php/Firmware_Feature_Comparison [untangle.com]

      This also shows that it is google and facebook integrated, whatever that means--and it's a plus compared to the other firmware options.

      There's no good way to tell what that really means without digging in further... at least you can hook this into a different firewall and spy on it as it spies on you.

      I guess if you want security that takes your privacy seriously, and don't want to do it yourself, downloading a free OS from a company that made a lot of its fortune providing dedicated in-line monitoring hardware that allowed for the creation of historical and real-time detailed reports on user network activity is not among the wisest choices one could make from a privacy and security perspective...

      • (Score: 2) by frojack on Sunday August 07 2016, @07:36PM

        by frojack (1554) on Sunday August 07 2016, @07:36PM (#385027) Journal

        A cursory glance doesn't state how or what makes those decisions, but the comparison page to other router OSes that are designed for entirely different purposes and are not apples-to-apples is here: https://wiki.untangle.com/index.php/Firmware_Feature_Comparison [untangle.com]
        This also shows that it is google and facebook integrated, whatever that means--and it's a plus compared to the other firmware options.

        Phew... At last a worthwhile non-rant paragraph.

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 2) by Hyperturtle on Monday August 08 2016, @02:04PM

          by Hyperturtle (2824) on Monday August 08 2016, @02:04PM (#385291)

          I get mixed feedback, Frojack, and as such I appreciate yours. Some people like the longer methods I use to relate, and others just want the facts.

          It depends on the audience, and here at Soylent we have a diverse mixture.

      • (Score: 3, Interesting) by Anonymous Coward on Sunday August 07 2016, @07:37PM

        by Anonymous Coward on Sunday August 07 2016, @07:37PM (#385028)

        > Here's one that always gets me excited: "Prevent devices from visiting malicious sites"

        I've been thinking about implementing a module for DD-WRT that does something like that.
        Essentially it needs to identify each device type and then white-list the ip addresses it is legitimately supposed to talk to.
        The idea is that even if the device gets pwned, the router prevents it from participating in a DDOS or ex-filtrating your data.
        Take it a step further and it might be permitted to phone home for firmware updates, but be blocked from talking to advertising sites.
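        A worked version of the per-device egress allowlist sketched above, added here as an example (it is not code from the thread or from DD-WRT). Each known device gets a list of destinations it is legitimately expected to reach, firmware-update servers are opened only while an update window is declared, and a blocklist of advertising/telemetry hosts wins even when it sits inside an otherwise allowed vendor range. The MAC addresses, the RFC 5737 documentation prefixes used as destinations, and the sample flows are constructed; the nftables lines are illustrative output and were not applied to a live ruleset.

```python
"""Per-device egress allowlist: evaluate flows, then render nftables rules.

Added example, not code from the thread or any firmware project. Device
MACs, destination ranges (RFC 5737 documentation prefixes) and flows are
constructed; the nftables output is illustrative only.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Tuple

Dest = Tuple[str, str, int]  # (network, protocol, port)


@dataclass
class DevicePolicy:
    name: str
    mac: str
    allowed: List[Dest]                                       # what it legitimately talks to
    update_servers: List[Dest] = field(default_factory=list)  # opened only for firmware updates


# Constructed advertising/telemetry hosts; dropped even when they fall inside
# a vendor range a device is otherwise allowed to reach.
AD_BLOCKLIST = [ip_network("203.0.113.200/29")]

POLICIES = {
    "aa:bb:cc:00:00:01": DevicePolicy(
        name="thermostat", mac="aa:bb:cc:00:00:01",
        allowed=[("203.0.113.0/24", "tcp", 443)],
        update_servers=[("192.0.2.100/32", "tcp", 443)]),
    "aa:bb:cc:00:00:02": DevicePolicy(
        name="doorbell-cam", mac="aa:bb:cc:00:00:02",
        allowed=[("198.51.100.0/24", "tcp", 443),
                 ("198.51.100.53/32", "udp", 123)]),
}


def decide(src_mac: str, dst_ip: str, proto: str, dst_port: int,
           updates_window: bool = False) -> Tuple[str, str]:
    """Decide one egress flow. Returns (verdict, reason).

    Order matters: unknown devices are dropped, the blocklist beats any
    allowlist entry, then the device's allowlist (plus its update servers
    while an update window is open) is consulted; everything else drops.
    """
    policy = POLICIES.get(src_mac.lower())
    if policy is None:
        return ("drop", "unknown device")
    dst = ip_address(dst_ip)
    if any(dst in net for net in AD_BLOCKLIST):
        return ("drop", f"{policy.name}: advertising/telemetry blocklist")
    candidates = list(policy.allowed)
    if updates_window:
        candidates += policy.update_servers
    for net, p, port in candidates:
        if dst in ip_network(net) and p == proto and port == dst_port:
            return ("accept", f"{policy.name}: allowlisted destination")
    return ("drop", f"{policy.name}: destination not on allowlist")


def render_nft(policy: DevicePolicy, chain: str = "inet filter iot_egress") -> List[str]:
    """Render one device's policy as nftables commands: blocklist drops first
    so they win, allowlist accepts next, and a counting default drop last."""
    base = f"nft add rule {chain} ether saddr {policy.mac}"
    rules = [f"{base} ip daddr {net} drop" for net in AD_BLOCKLIST]
    rules += [f"{base} ip daddr {net} {p} dport {port} accept"
              for net, p, port in policy.allowed]
    rules.append(f"{base} counter drop")
    return rules


if __name__ == "__main__":
    # Constructed flows: (src_mac, dst_ip, proto, dst_port)
    flows = [
        ("aa:bb:cc:00:00:01", "203.0.113.10", "tcp", 443),   # vendor API
        ("aa:bb:cc:00:00:01", "203.0.113.201", "tcp", 443),  # ad host inside vendor range
        ("aa:bb:cc:00:00:01", "192.0.2.100", "tcp", 443),    # update server, window closed
        ("aa:bb:cc:00:00:02", "198.51.100.53", "udp", 123),  # NTP
        ("aa:bb:cc:00:00:02", "192.0.2.1", "tcp", 443),      # not on its list
        ("de:ad:be:ef:00:00", "203.0.113.10", "tcp", 443),   # never enrolled
    ]
    for f in flows:
        print(f, "->", decide(*f))
    print("\n".join(render_nft(POLICIES["aa:bb:cc:00:00:01"])))
```

        The evaluation order is the design point: a flow to an advertising host is dropped even though the thermostat is allowed to reach the surrounding vendor range, and the update server is reachable only while `updates_window=True`, so a compromised device cannot use "phoning home for firmware" as a standing exfiltration channel.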

        • (Score: 2, Insightful) by frojack on Sunday August 07 2016, @07:54PM

          by frojack (1554) on Sunday August 07 2016, @07:54PM (#385033) Journal

          Essentially it needs to identify each device type and then white-list the ip addresses it is legitimately supposed to talk to.

          Seriously?
          You want to maintain whitelists PER device of legitimate sites? Have you thought this through?

          It's a full-time job, for Christ's sake! Your device users will simply switch over to cellular or the neighbors' wifi, and to hell with your dictatorial ISIS rule. You must be a real joy to live with.

          --
          No, you are mistaken. I've always had this sig.
          • (Score: 3, Touché) by Anonymous Coward on Sunday August 07 2016, @08:30PM

            by Anonymous Coward on Sunday August 07 2016, @08:30PM (#385038)

            > You want to maintain whitelists PER device of legitimate sites? Have you thought this through?

            Oh frojo... There are tons of single-use devices that need only very limited internet access. Nest, Roku, Sonos, TiVo, Ring doorbell, IP security cams, Xbox, Philips Hue, etc.

            So yes, I have thought it through. However it seems like, as usual, you've decided you are superior when you are really just a fuckin idiot.

            • (Score: 2) by Scruffy Beard 2 on Sunday August 07 2016, @11:27PM

              by Scruffy Beard 2 (6030) on Sunday August 07 2016, @11:27PM (#385081)

              For those you don't want any packets leaving your network. Unfortunately, unless you emulate the manufacturer's server, you will be bricking your device.

            • (Score: 1) by anubi on Monday August 08 2016, @11:37AM

              by anubi (2828) on Monday August 08 2016, @11:37AM (#385252) Journal

              AC...

              Both of you guys have insightful observations for specific usage.... but please, the name-calling is uncalled for.

              Your post is quite insightful, but is also flamebait toward a valued member of this forum who has a different usage in mind.

              I would have preferred to mod you informative instead of posting this.

              --
              "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
    • (Score: 0) by Anonymous Coward on Sunday August 07 2016, @11:34PM

      by Anonymous Coward on Sunday August 07 2016, @11:34PM (#385088)

      A router with interchangeable bits--what will they think of next!

  • (Score: 2) by frojack on Sunday August 07 2016, @07:31PM

    by frojack (1554) on Sunday August 07 2016, @07:31PM (#385026) Journal

    They mention starting with the Asus AC3100 RT AC88U as a target platform. However, that router is relatively new, and not known to be particularly wanting in terms of firmware. It has a capable processor, and not horrible software which has had updates.

    Why not start with something that is well deployed, has an older processor, and has not seen updates since its vulnerabilities became known?

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 3, Interesting) by Magic Oddball on Sunday August 07 2016, @09:28PM

      by Magic Oddball (3847) on Sunday August 07 2016, @09:28PM (#385049) Journal

      My guess is that they're targeting a new high-end router so they can sell it flashed with their OS at really high prices. (Or rather, they're targeting a new router in part to justify the high cost they'll sell at.) I wouldn't be surprised if it eventually turns out that their OS is a customized version of a relatively modular open firmware like Tomato.

      • (Score: 1, Informative) by Anonymous Coward on Sunday August 07 2016, @10:52PM

        by Anonymous Coward on Sunday August 07 2016, @10:52PM (#385073)

        http://www.snbforums.com/threads/state-of-the-project-august-2016.33995/ [snbforums.com]

        And apparently ASUS is basically going to closed source.

      • (Score: 2) by Magic Oddball on Sunday August 07 2016, @11:05PM

        by Magic Oddball (3847) on Sunday August 07 2016, @11:05PM (#385075) Journal

        Sorry for the mangled first sentence... I thought I hit "Preview" and instead hit "Submit." :-p
        (Wow, not my day… I apparently also hit "preview" instead of "submit" for this comment before walking off.)

        • (Score: 0) by Anonymous Coward on Monday August 08 2016, @11:43AM

          by Anonymous Coward on Monday August 08 2016, @11:43AM (#385254)

          It's Jack Daniel's fault.

  • (Score: 4, Insightful) by driven on Sunday August 07 2016, @10:05PM

    by driven (6295) on Sunday August 07 2016, @10:05PM (#385064)

    I want my router to block Smart TV spying. More and more devices will be spying on us (not the least of which is Windows 10, not that I use it personally) - I hope to see anti-spying features implemented in an easy to use manner.

    • (Score: 2) by MostCynical on Sunday August 07 2016, @11:53PM

      by MostCynical (2589) on Sunday August 07 2016, @11:53PM (#385096) Journal

      Tv calls home. No reply. Tv stops working.
      Will be the same for many devices..

      --
      "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
      • (Score: 0) by Anonymous Coward on Monday August 08 2016, @12:18AM

        by Anonymous Coward on Monday August 08 2016, @12:18AM (#385105)

        I think that is a mostly cynical comment. Not in the best interests of the TV makers, internet goes down and your TV stops working? Class action lawsuit right there.

      • (Score: 0) by Anonymous Coward on Monday August 08 2016, @12:37AM

        by Anonymous Coward on Monday August 08 2016, @12:37AM (#385108)

        > Tv calls home. No reply. Tv stops working.
        > Will be the same for many devices..

        Hopefully not in my lifetime! Can I hold out for another 30+ years or will the "internet of things that suck"* take over before then?

        * Credit to the Soylentil who coined this one.

      • (Score: 0) by Anonymous Coward on Monday August 08 2016, @01:29AM

        by Anonymous Coward on Monday August 08 2016, @01:29AM (#385117)

        TV never gets connected to the internet. TV doesn't work. TV goes back to shop for full refund.
        This is Oz. We have customer protection laws. We don't put up with that shit.

        • (Score: 2) by MostCynical on Monday August 08 2016, @03:24AM

          by MostCynical (2589) on Monday August 08 2016, @03:24AM (#385152) Journal

          Yes, the "basic" television will work.
          Anything else (connecting a DVD player, or STB, or media hub)? Terms of Service say an internet connection is required... to ensure "compatibility" and "the best possible experience".

          --
          "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
          • (Score: 0) by Anonymous Coward on Wednesday August 10 2016, @09:14PM

            by Anonymous Coward on Wednesday August 10 2016, @09:14PM (#386390)

            It's a sale of a device. "Terms of Service", whatever they may be and even if they applied, do not override the law.
            Can't connect a DVD or STB ? The device is clearly faulty. Full refund.

            Actually, I don't expect such a device would be sold here in the first place. The stores aren't stupid and the law makes them directly responsible for what they sell.
            There is no "you have to deal with the manufacturer" or RMA bullshit here for customers. You take it back to the store and they have to fix, replace, or refund.

      • (Score: 2) by Fnord666 on Monday August 08 2016, @03:07AM

        by Fnord666 (652) on Monday August 08 2016, @03:07AM (#385148) Homepage

        Tv calls home. No reply. Tv stops working.

        Will be the same for many devices..

        Hopefully the response is something simple that a local server can reply with when pinged.

        • (Score: 2) by maxwell demon on Monday August 08 2016, @05:50AM

          by maxwell demon (1608) on Monday August 08 2016, @05:50AM (#385187) Journal

          It's trivial to make that impossible. For example: TV sends random number. Server cryptographically signs random number and sends it back. TV verifies that the returned message contains the same random number. TV checks signature.

          --
          The Tao of math: The numbers you can count are not the real numbers.
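          The exchange described above, written out as an added example (not code from the thread or from any vendor): the TV issues a fresh random nonce, the server returns the nonce together with an authentication tag over it, and the TV accepts only if the echoed nonce is the one it just issued and the tag verifies. A keyed HMAC stands in for the server's digital signature, so both ends share `SERVER_KEY` here (a deployed TV would hold only the vendor's public key); the key and all messages are constructed. The replaying "local server" scenario is the one proposed two comments up, and it fails for the reason given.

```python
"""Nonce challenge-response between a TV and its vendor server.

Added example, not from the thread. HMAC-SHA256 with a shared key stands
in for the server's signature; the verification shape (echoed fresh nonce
plus a tag check) is the same. Key and messages are constructed.
"""
import hmac
import hashlib
import secrets
from typing import Dict, Optional

SERVER_KEY = b"constructed-vendor-key-not-a-real-secret"


def sign(key: bytes, nonce: bytes) -> bytes:
    """Server side: authenticate the TV's nonce (HMAC-SHA256 in this example)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class VendorServer:
    """Holds the signing key; answers whatever challenge it is handed."""
    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, nonce: bytes) -> Dict[str, bytes]:
        return {"nonce": nonce, "tag": sign(self._key, nonce)}


class ReplayingLocalServer:
    """The 'simple local server' idea: replays one genuine reply it captured."""
    def __init__(self, captured: Dict[str, bytes]) -> None:
        self._captured = captured

    def respond(self, nonce: bytes) -> Dict[str, bytes]:
        return dict(self._captured)  # ignores the new nonce entirely


class Television:
    """Issues a fresh random nonce per check and verifies the reply."""
    def __init__(self, verify_key: bytes) -> None:
        self._verify_key = verify_key
        self._pending: Optional[bytes] = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, reply: Dict[str, bytes]) -> bool:
        nonce = self._pending
        self._pending = None                       # one answer per challenge
        if nonce is None or reply.get("nonce") != nonce:
            return False                           # stale or replayed nonce
        expected = sign(self._verify_key, nonce)
        return hmac.compare_digest(expected, reply.get("tag", b""))


def phone_home(tv: Television, server) -> bool:
    """One full exchange: TV -> nonce -> server -> {nonce, tag} -> TV verifies."""
    nonce = tv.challenge()
    return tv.verify(server.respond(nonce))


def scenarios() -> Dict[str, bool]:
    """Genuine server succeeds; a replayed capture and a wrong key both fail."""
    tv = Television(SERVER_KEY)
    genuine = VendorServer(SERVER_KEY)
    captured = genuine.respond(tv.challenge())     # one real reply, recorded
    first = tv.verify(captured)
    return {
        "genuine server": first and phone_home(tv, genuine),
        "replayed capture": phone_home(tv, ReplayingLocalServer(captured)),
        "wrong key": phone_home(tv, VendorServer(b"guessed-key")),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:18s} -> {'accepted' if ok else 'rejected'}")
```

          Two details carry the argument: the TV forgets the pending nonce as soon as one answer arrives, so a captured reply cannot be presented twice, and the tag is compared with `hmac.compare_digest` so a stand-in server gains nothing from timing how the comparison fails.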
          • (Score: 2) by Fnord666 on Tuesday August 09 2016, @01:36PM

            by Fnord666 (652) on Tuesday August 09 2016, @01:36PM (#385748) Homepage

            It's trivial to make that impossible. For example: TV sends random number. Server cryptographically signs random number and sends it back. TV verifies that the returned message contains the same random number. TV checks signature.

            True but here's to hoping that they are too lazy to even go to that much trouble.

    • (Score: 0) by Anonymous Coward on Monday August 08 2016, @12:54AM

      by Anonymous Coward on Monday August 08 2016, @12:54AM (#385112)

      > Windows 10

      The fortune on this page says "It is impossible to defend perfectly against the attack of those who want to die."

  • (Score: 3, Interesting) by BananaPhone on Monday August 08 2016, @02:50AM

    by BananaPhone (2488) on Monday August 08 2016, @02:50AM (#385144)

    Feature: Prevent devices from visiting malicious sites

    Translation: All sites are vetted through Google. IOW: If Goog is told to flag your site as "Evil", your site is blacklisted.

    Bonus for Google: tracks you without zombie cookies and under the guise of security.

    You probably can turn it off if you want privacy.

  • (Score: 0) by Anonymous Coward on Monday August 08 2016, @04:03PM

    by Anonymous Coward on Monday August 08 2016, @04:03PM (#385342)

    I hope Soylent got paid for posting this article, which is nothing more than an advertisement for Untangle.

    Untangle NG Firewall is proprietary commercial software (check the EULA [untangle.com]). I can't imagine why anyone would trust proprietary router software to help report phoning home - it's probably phoning home itself!

    Also, if you're going to install aftermarket firmware, why get expensive proprietary junk when there are plenty of free open source firmwares available? My favorite is OpenWrt [openwrt.org], but there are a lot of choices.

  • (Score: 1, Interesting) by Anonymous Coward on Monday August 08 2016, @11:28PM

    by Anonymous Coward on Monday August 08 2016, @11:28PM (#385535)

    65535 • December 21, 2013 4:38 AM

    https://www.schneier.com/blog/archives/2013/12/tor_user_identi.html#c3040210 [schneier.com]

    @ Jackson

    Your concern about the Cryptome report does raise serious questions. When carefully read, the Cryptome report touches on the subject of fingerprinting TOR users via a BT backdoor.

    The Cryptome report also speculates that major CAs instantly transmit copies of clients' SSL/TLS certificates to the NSA and possibly GCHQ when purchased. This is quite troubling.

    I will note that CSO acknowledges that:

    'On the issue of the USDOD IP address referenced by the paper's authors, that block of addresses has been used by many firms over the years. It's a valuable piece of IPv4 real-estate that is often enabled internally by an ISP after they've gotten permission from the Defense Information Systems Agency (the part of the USDOD that manages networks and infrastructure).
    Just last year, Sprint was using IPs internally from that block for their mobile network. So the fact that BT would be using it too isn't a shock to network engineers who have seen the paper.

    'In short, one security expert told CSO, the usage of 30.x.x.x /8 doesn't really imply NSA monitoring at all. In fact, he added, "If you want a non-routable IP that won't break when using it, [the] DOD is your best choice."'

    http://www.csoonline.com/article/744697/report-accuses-bt-of-supplying-backdoors-for-gchq-and-nsa?page=4 [csoonline.com]

    But the Cryptome report goes much farther. It indicates that a simple ping test can detect the backdoor. Next you can telnet into the modem and see the actual configuration and un-hack the device (assuming altering the firmware doesn't violate the BT TOS agreement, causing your service to be terminated).

    http://cryptome.org/2013/12/Full-Disclosure.pdf [cryptome.org]

    [Cryptome pdf page 39]

    "Easy Confirmation

    "Step 1.

    "Remove Power from the modem and disconnect the telephone line.

    "Step 2.

    "On your PC (assumed Linux) add an IP address 192.168.1.100 i.e:

    # ifconfig eth0:1 192.168.1.100 up

    "Step 3.

    "Start to ping 192.168.1.1 from your PC i.e:
    "# ping 192.168.1.1

    "Step 4.

    "Connect a network cable to LAN1

    "Step 5.

    "Plug-in the power cable to the modem and wait for about 30 seconds

    "for the device to boot, you will then notice:

    "64 bytes from 192.168.1.1: icmp_seq=115 ttl=64 time=0.923 ms
    "64 bytes from 192.168.1.1: icmp_seq=116 ttl=64 time=0.492 ms
    "64 bytes from 192.168.1.1: icmp_seq=117 ttl=64 time=0.514 ms

    "You may notice up to ten responses, then it will stop.

    "What is happening is the internal Linux kernel boots [inside of the modem], the start up scripts then configure the internal and virtual interfaces and then turn on the hidden firewall at which point the pings stop responding.

    "In other words, there is a short window (3-10 seconds) between when the kernel boots and the hidden firewall kicks in.

    "You will not be able to detect any other signs of the hidden network without actually logging into the modem, which is explained in the next section."

    The second step, telnetting into the BT modem/router, is shown on pages 40 to 44. The "un-hack" is on page 45 forward.

    Other notable Cryptome pages include:

    "All SSL Certificates Compromised in Real-Time" page 22

    "Theft of private keys" page 24

    "Tor User/Content Discovery" page 26

    @ ron41, see TOR discovery from the Cryptome link. There is a fingerprinting method to determine TOR users.

    "Covert International Traffic Routing" page 27

    "Secure your end-points" page 30

    "I'm an American, does this apply to me" page 35

    @ *others who care, the paper indicates that NSA is using the very same technique and can discover TOR users (if this is true it is troubling).
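    The "Easy Confirmation" procedure quoted above boils down to reading ping output for a short burst of replies followed by silence. As an added example (not from the comment, the Cryptome report or any tool), the block below parses iputils-style ping lines, groups replies into contiguous icmp_seq windows and flags a host that answers only one short window and is then lost, which is the boot-time pattern the report describes and a useful check in general for whether a device's reachability matches what its documentation claims. The captures are constructed; the three reply lines reuse the sequence numbers quoted in the comment, and the loss lines are in the format `ping -O` prints.

```python
"""Reply-window analysis of ping output.

Added example, not from the comment or the report. Parses iputils ping
lines, groups replying icmp_seq values into contiguous windows, and flags a
host that answered one short burst and was lost afterwards. Captures are
constructed; loss lines follow the `ping -O` format.
"""
import re
from typing import List, Optional, Tuple

REPLY = re.compile(r"bytes from \S+: icmp_seq=(\d+)")
LOSS = re.compile(r"no answer yet for icmp_seq=(\d+)")  # printed by `ping -O`

Window = Tuple[int, int, int]  # (first_seq, last_seq, reply_count)


def reply_windows(lines: List[str]) -> List[Window]:
    """Group consecutive replying sequence numbers into windows."""
    seqs = sorted({int(m.group(1)) for line in lines
                   for m in [REPLY.search(line)] if m})
    windows: List[Window] = []
    for s in seqs:
        if windows and s == windows[-1][1] + 1:
            first, _, n = windows[-1]
            windows[-1] = (first, s, n + 1)
        else:
            windows.append((s, s, 1))
    return windows


def last_event(lines: List[str]) -> Optional[str]:
    """'reply' or 'loss' for the highest sequence number seen; None if neither."""
    best: Tuple[int, Optional[str]] = (-1, None)
    for line in lines:
        for kind, rx in (("reply", REPLY), ("loss", LOSS)):
            m = rx.search(line)
            if m and int(m.group(1)) > best[0]:
                best = (int(m.group(1)), kind)
    return best[1]


def transient_responder(lines: List[str], max_replies: int = 10) -> bool:
    """True when the host answered exactly one short burst and was lost after it:
    the pattern the report describes (3-10 s at one ping per second, then silence)."""
    w = reply_windows(lines)
    return len(w) == 1 and w[0][2] <= max_replies and last_event(lines) == "loss"


# Constructed capture: modem powered off, boots, answers briefly, then stops.
# At the default interval of one ping per second, icmp_seq gaps approximate
# elapsed seconds.
BOOT_CAPTURE = [
    "no answer yet for icmp_seq=113",
    "no answer yet for icmp_seq=114",
    "64 bytes from 192.168.1.1: icmp_seq=115 ttl=64 time=0.923 ms",
    "64 bytes from 192.168.1.1: icmp_seq=116 ttl=64 time=0.492 ms",
    "64 bytes from 192.168.1.1: icmp_seq=117 ttl=64 time=0.514 ms",
    "no answer yet for icmp_seq=118",
    "no answer yet for icmp_seq=119",
    "no answer yet for icmp_seq=120",
]

# Constructed contrast: an ordinary router that keeps answering.
STEADY_CAPTURE = [
    f"64 bytes from 192.168.1.1: icmp_seq={i} ttl=64 time=0.5 ms" for i in range(1, 6)
]

if __name__ == "__main__":
    for name, cap in (("boot", BOOT_CAPTURE), ("steady", STEADY_CAPTURE)):
        verdict = "transient" if transient_responder(cap) else "normal"
        print(name, reply_windows(cap), verdict)
```

    Run against a saved `ping -O` log, the window list tells you when (in seconds, at the default interval) a host was reachable; a single window of a few replies followed only by loss is the signature the quoted procedure relies on, whereas a host that is simply down produces no window at all.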