
SoylentNews is people

posted by cmn32480 on Sunday August 07 2016, @06:07PM
from the Untangling-the-mess dept.

Submitted via IRC for TheMightyBuzzard

Router hardware has evolved and improved over the years, but its firmware remains stuck in the dark ages when it comes to security, network traffic visibility and control. Recognizing the inherent limitations in popular commercial routers, Untangle set about making a radical new OS for home routers based on its popular, broadly installed and easy-to-use NG Firewall product.

Untangle's NG Firewall will be available to flash onto various router models, beginning with the Asus AC3100 RT AC88U.

"The open source community has known for a long time what router manufacturers are loath to admit: router firmware is lacking," said Dirk Morris, founder and chief product officer at Untangle. "Projects like DD-WRT have gained traction because of the limitations of the operating systems developed by hardware manufacturers. Firmware has failed to provide adequate security to the modern home, let alone network traffic visibility and shaping. Untangle handles these issues and more."

The biggest challenge facing home networks isn't necessarily even security: it's the lack of visibility into and control over the traffic. Unlike commercial firmware on today's home Wi-Fi routers, Untangle NG Firewall logs traffic for rich, robust reporting into every facet of what's happening online: sites the kids are visiting, neighbors jumping on the wireless network, and the newest IP-enabled gadget phoning home.

Source: https://www.helpnetsecurity.com/2016/08/05/new-home-router-os/


  • (Score: 5, Insightful) by Hyperturtle on Sunday August 07 2016, @07:05PM

    by Hyperturtle (2824) on Sunday August 07 2016, @07:05PM (#385022)

    I guess I never realized that home routers were supposed to be insecure so that they were easy to use?

    Untangle, anyway, is the company behind Cymphonix, an "in-line" content filter and proxy, router, and security device that isn't a firewall when taken into the context of what traditional firewalls do.

    You can load certs into a Cymphonix and decrypt SSL conversations and look at what your users think they are encrypted and doing, and other legit MITM sorts of stuff--as well as other non-traditional methods to influence your network traffic, such as QoS not in the context of marking packets as priority or not, but instead to throttle down facebook.com's domain and sub-domain to dial-up speeds during business hours for specific authenticated users on your network, or what have you. The stuff a good network admin could do if given the right hardware and a working directory structure (or a decent authentication server, at any rate).

    It also is pricey, and in tiers -- get some giant box you lease a part of, rather than buying something you can use forever. It also is limited to specific speeds on top of the features. After doing some poking around on one, I found it was really just a VM running in VMware and that other services could spin up and run on another IP if you leased that option, but was centrally managed from a GUI on the same box. Woe be the one that tried to be creative with its networking on the command line, because they already WERE creative on the back-end that the "owner" of the box isn't allowed to touch under most circumstances.

    I am going to guess this home product is a baby version of that, with more cripple than crutches to get it working. I do not have any experience with their "popular NG firewall", but if their comparison page is one to judge by... then I don't know anyone that is in their market. They all seem to be products intended for people that run wizards most of the time. Not that there is anything wrong with that... but for a security product, I try to at least see if what it promises to be doing is true, and that requires some level of understanding.

    This means that they probably send logs of what you do to some concentrator somewhere, and analyze the logs themselves for whatever purpose. Personalized advertisements, most likely.

    Here's one that always gets me excited: "Prevent devices from visiting malicious sites"

    Who decides this? I worked at a MS Gold Partner that blocked most of the places I would go because "Hacking, crime, phreaking" or something like that. I guess if it isn't about kittens, it's criminal.

    A cursory glance doesn't state how or what makes those decisions, but the comparison page to other router OSes that are designed for entirely different purposes and are not apples-to-apples is here: https://wiki.untangle.com/index.php/Firmware_Feature_Comparison [untangle.com]

    This also shows that it is google and facebook integrated, whatever that means--and it's a plus compared to the other firmware options.

    There's no good way to tell what that really means without digging in further... at least you can hook this into a different firewall and spy on it as it spies on you.

    I guess if you want security that takes your privacy seriously, and don't want to do it yourself, downloading a free OS from a company that made a lot of its fortune providing dedicated in-line monitoring hardware that allowed for the creation of historical and real-time detailed reports on user network activity is not among the wisest choices one could make from a privacy and security perspective...

  • (Score: 2) by frojack on Sunday August 07 2016, @07:36PM

    by frojack (1554) on Sunday August 07 2016, @07:36PM (#385027) Journal

    A cursory glance doesn't state how or what makes those decisions, but the comparison page to other router OSes that are designed for entirely different purposes and are not apples-to-apples is here: https://wiki.untangle.com/index.php/Firmware_Feature_Comparison [untangle.com]
    This also shows that it is google and facebook integrated, whatever that means--and it's a plus compared to the other firmware options.

    Phew... At last a worthwhile non-rant paragraph.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 2) by Hyperturtle on Monday August 08 2016, @02:04PM

      by Hyperturtle (2824) on Monday August 08 2016, @02:04PM (#385291)

      I get mixed feedback, Frojack, and as such I appreciate yours. Some people like the longer methods I use to relate, and others just want the facts.

      It depends on the audience, and here at Soylent we have a diverse mixture.

  • (Score: 3, Interesting) by Anonymous Coward on Sunday August 07 2016, @07:37PM

    by Anonymous Coward on Sunday August 07 2016, @07:37PM (#385028)

    > Here's one that always gets me excited: "Prevent devices from visiting malicious sites"

    I've been thinking about implementing a module for DD-WRT that does something like that.
    Essentially it needs to identify each device type and then white-list the ip addresses it is legitimately supposed to talk to.
    The idea is that even if the device gets pwned, the router prevents it from participating in a DDoS or exfiltrating your data.
    Take it a step further and it might be permitted to phone home for firmware updates, but be blocked from talking to advertising sites.
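
The per-device allow-list idea in the comment above, sketched as an added example (it is not part of the original comment and not DD-WRT code). The MAC addresses, the documentation-range destination networks and the function names are assumptions made up for illustration; the block checks flows against the policy and emits matching iptables rules.

```python
import ipaddress

# Constructed policy: device MAC -> networks that single-purpose device may reach.
# MACs are made up; networks are RFC 5737 documentation ranges, not vendor servers.
POLICY = {
    "aa:bb:cc:00:00:01": ["192.0.2.0/28"],                          # hypothetical thermostat
    "aa:bb:cc:00:00:02": ["198.51.100.10/32", "198.51.100.20/32"],  # hypothetical camera: API, firmware
}

def compile_policy(policy):
    """Parse CIDR strings once; a malformed entry raises ValueError at load time."""
    return {mac.lower(): [ipaddress.ip_network(c) for c in cidrs]
            for mac, cidrs in policy.items()}

def decide(compiled, src_mac, dst_ip):
    """Return 'accept', 'drop' or 'unmanaged' for one outbound flow."""
    nets = compiled.get(src_mac.lower())
    if nets is None:
        return "unmanaged"          # no list for this device: policy does not apply
    addr = ipaddress.ip_address(dst_ip)
    return "accept" if any(addr in n for n in nets) else "drop"

def iptables_rules(compiled, chain="FORWARD"):
    """Emit IPv4 rules mirroring decide(): per-MAC accepts, then a per-MAC drop.
    The mac match trusts an address the device sets itself, so it can be spoofed."""
    rules = []
    for mac, nets in sorted(compiled.items()):
        for n in nets:
            rules.append(f"iptables -A {chain} -m mac --mac-source {mac} -d {n} -j ACCEPT")
        rules.append(f"iptables -A {chain} -m mac --mac-source {mac} -j DROP")
    return rules

if __name__ == "__main__":
    compiled = compile_policy(POLICY)
    # Constructed flows: (source MAC, destination IP)
    for mac, dst in [("aa:bb:cc:00:00:01", "192.0.2.5"),
                     ("aa:bb:cc:00:00:02", "203.0.113.9"),
                     ("de:ad:be:ef:00:01", "203.0.113.9")]:
        print(mac, dst, decide(compiled, mac, dst))
    print("\n".join(iptables_rules(compiled)))
```

Devices without an entry are reported as unmanaged rather than dropped, so the default-deny applies only to the single-purpose devices that have a list.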

    • (Score: 2, Insightful) by frojack on Sunday August 07 2016, @07:54PM

      by frojack (1554) on Sunday August 07 2016, @07:54PM (#385033) Journal

      Essentially it needs to identify each device type and then white-list the ip addresses it is legitimately supposed to talk to.

      Seriously?
      You want to maintain whitelists PER device of legitimate sites? Have you thought this through?

      It's a full-time job for christ sake! Your device users will simply switch over to cellular or the neighbor's wifi, and to hell with your dictatorial ISIS rule. You must be a real joy to live with.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 3, Touché) by Anonymous Coward on Sunday August 07 2016, @08:30PM

        by Anonymous Coward on Sunday August 07 2016, @08:30PM (#385038)

        > You want to maintain whitelists PER device of legitimate sites? Have you thought this through?

        Oh frojo... There are tons of single use devices that need only very limited internet access. Nest, Roku, Sonos, TiVo, Ring doorbell, IP security cams, Xbox, Philips Hue, etc.

        So yes, I have thought it through. However it seems like, as usual, you've decided you are superior when you are really just a fuckin idiot.

        • (Score: 2) by Scruffy Beard 2 on Sunday August 07 2016, @11:27PM

          by Scruffy Beard 2 (6030) on Sunday August 07 2016, @11:27PM (#385081)

          For those you don't want any packets leaving your network. Unfortunately, unless you emulate the manufacturer's server, you will be bricking your device.

        • (Score: 1) by anubi on Monday August 08 2016, @11:37AM

          by anubi (2828) on Monday August 08 2016, @11:37AM (#385252) Journal

          AC...

          Both of you guys have insightful observations for specific usage.... but please, the name-calling is uncalled for.

          Your post is quite insightful, but is also flamebait toward a valued member of this forum who has a different usage in mind.

          I would have preferred to mod you informative instead of posting this.

          --
          "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]