Building a Qubes Router?

Continuing the discussion from Which kinds of sys-* are possible?:

Speaking of having more than one sys-net, are there any security benefits to making a Qubes router run on a mini PC with many NICs? Or am I just increasing my attack surface since router firmwares tend to be tiny? Does having multiple independent firewalls increase compartmentalization and offset the increased attack surface?

What uses might there be for a Qubes router?

Just some random thoughts

Qubes is designed and built for desktop.

I see no benefit from a qubes router. Routers in general do not have real attack surface - beside it’s management interface.

I’m using multiple sys-net to separate my VM’s outgoing traffic inside my laptop, not to route two external networks…

Old stuff but still good readig:
https://blog.invisiblethings.org/2011/09/28/playing-with-qubes-networking-for-fun.html

3 Likes

If I remember correctly, consumer routers from companies like ASUS have had serious vulnerabilities to the point where the US government had to issue a warning (Edit: found it). Even for routers flashed with DD-WRT or some other custom firmware, I bet the attack surface is non-negligible. With DD-WRT, there’s also the issue of who writes/maintains the free firmware for a multitude of devices and what their incentives are, but that’s another topic entirely.

Given how central routers are to networking and how little attention they are usually given, it wouldn’t surprise me if they tend to be targets.

ohh, ‘those’ routers? :slight_smile:
SOHO ‘routers’ are backdoored for a reason. Because users are lasy and forgot their paswords and encryption keys - at least this is the reasoning for most of the vendor backdoors.

Most of them are not even ‘real’ routers as they not even have separate interfaces. Usually the ports you see are attached to a single switch and only VLANs are separating them.

So when I talking about security, I usually exclude those ‘boxes’ from the discussion :wink:

But Qubes as a router is still pointless to me, as Qubes designed for desktop security, sot it is addressing desktop related issues.

If yuo want to build a secure router (or any kind of servers), the other (Linux, *BSD based) distros provide you more than enough building blocks to achieve that goal.

Own the router is a known strategy

Even for routers flashed with DD-WRT or some other custom firmware, I bet the attack surface is non-negligible

Now this is interesting. Any links to this position? the edit you made links to TA18-106A which is more about default credentials with Telnet/TFTP, SNMP/SMI and “EOL” firmware. I have a finger in the openWRT pie so am very keen to understand if there are some hardware vulnerabilities of devices that you are aware of, which may provide remote access when using custom firmware.

I think @Zrubi makes a good point re security of a router, but again threat model needs to be considered.

My personal approach is to use commodity hardware with open source drivers available, that supports hardware flow offloading (eg: MT7621A). I then build OpenWRT locally for this specific device and flash the built ROM. I couple that with some personal security measures, such as remote sha256sum hashing to attest to the state of every file in the rom, overlay partition and configuration systems ( a kinda poor mans IDS ). Then I have remote logging of things like SSH logins and other events. The public facing firewall is completely locked down to not allow any inbound connections. The router itself has no outbound permissions in the firewall other than what I have specifically poked (DNS, for example). The firewall configuration is monitored on a very regular basis and alerts on any changes.

Usually the ports you see are attached to a single switch and only VLANs are separating them.

That is a downside to commodity hardware. But by using a robust threat model and countermeasures (such as above) one would hope that if something goes awry because of that, its going to be noticed.

I didn’t make a claim that there are hardware vulnerabilities in WRT devices (open- or DD-); what I was saying is that these custom firmwares seem to be larger than the default and that the use of Linux kernels (AFAIK) can make them more susceptible. As usual, I must stress my lack of technical knowledge, as well as the fact that I was explicitly speculating.

On top of that, another ‘attack surface’ is the maintainer. For example, DD-WRT was maintained by Kong for a long time–every router had a Kong build. Now it’s some other maintainer (it’s a mess). DD-WRT firmware is updated frequently, to the tune of multiple betas per month. One just can’t help but wonder who, if anyone, keeps an eye on all of these builds for all of these routers, and what sustains such a massive operation. But then I haven’t really looked into the issue much further.

To be clear: this isn’t an attack on the WRT community writ large. It’s the ones packaging them for mass deployment that leaves me wondering. AFAIK Open-WRT is far smaller than DD-WRT in that regard.

As a non-technical person, I can’t take most of the measures you described, so trust is also a big factor. This is why I’m beginning to lean towards security-focused commercial brands instead of SOHOs with DD-WRT. I’m even exploring RPi routers, which is a nice segue for my questions:

Since you seem like a router buff, what are your thoughts on taking a tiny distro like Alpine Linux and making an RPi router, maybe with VPN? How would that compare to a DD-WRT SOHO or a more professional router?

What about hardware firewalls? Are they overkill for individuals?

Sorry for bombarding you with all these questions–it’s just that router security has always been a main concern and I’ve never gotten a hold of someone with the relevant expertise. My main source of info has been Michael Horowitz’s site.

You will find that invariably, the factory firmware of most SOHO devices run linux. Its super common that the router vendor supplied firmware is OpenWRT rebranded. Its less effort than the OEM using the Linux SDK from the chipset manufacturer.

The use of Linux kerrnels, in my view, makes devices more secure - the code is open and bugs are addressed by the community. Apply this with regular updates of your OpenWRT firmware and actually you stand way better chance of not being hit by old unpatched issues than firmware that isnt updated and/or end of life. I would rather have a linux kernel with the world keeping an eye on its security, than some closed box firmware that I have no idea what lurks within.

Re. size, generally the firmware is of a finite size up he amount of flashrom on the device. OpenWRT snapshot builds do not include bloat packages (nor even uHTTPD), just core functionality (so a reduction in attack surface) and self building you select exactly what you want in the image.

‘attack surface’ is the maintainer. For example, DD-WRT

Correct. when downloading binary builds you are trusting the maintainer. Same as anything (even Qubes OS ISO). I always build my own OpenWRT from source. Though both DDWRT and OpenWRT allow building from the source, Ive never tried it with DDWRT

Since you seem like a router buff, what are your thoughts on taking a tiny distro like Alpine Linux and making an RPi router, maybe with VPN? How would that compare to a DD-WRT SOHO or a more professional router?

Are they overkill for individuals?

The answers to these depend on your personal threat model. I like alpine linux, i run it in a few places.

I’m beginning to lean towards security-focused commercial brands instead of SOHOs

A lot of orgs do this. Its down to chain of trust. you trust your vendor will protect you. But then people trusted Solarwinds, right?

A bit off topic, but a configured router has market value and is a good entry level purchase to a brand and confidence builder.

On another note, I’ve had a router injected with a foreign api and wrecked my router.

This conversation is steering a bit away from Qubes OS. I would ask you to stick to the topic at hand which is “Bulding a Qubes router” and it’s implications. Discussing other router’s vulnerabilities should go on our #all-around-qubes category (only accessible to trust level 2 members).

2 Likes

Solarwinds

Choosing between open and closed source is a lot like choosing between a giant douche and a turd sandwich. Are there transparent-source projects where people can see the source code but no community contributions are allowed aside from stringently vetted people?

Truecrypt is obvious example. Mega another.

1 Like

So they do exist. I have a feeling this recent kernel incident might prompt some soul searching in the open-source community and eventually lead to some security-sensitive projects getting shifted to transparent-source (or whatever it’s actually called) where feasible.

Sorry for my many digressions tonight, @deeplow. It’s just hard to strictly stick to a topic when having a conversation, as topics tend to be part of an interrelated web of topics.

Edit: Just to bring things back to Qubes a bit, I wonder if Alpine Linux can run on Qubes. The lightweight distro with built-in stack-smashing protection + mirage might make a formidable security router (but with a larger attack surface than, say, OpenWRT).

1 Like