Secure Router Concept?
-
- This might sound crazy (please be kind if it's stupid)
Would it be possible to make a Netgate router where you can only connect a display to it?
Since connecting a computer/browser to a router makes it less secure, why not remove the computer/browser?
i.e. you create a ‘router browser’ that is ONLY allowed to display the router config/login [and cannot access anything else]?
And automatically all other devices/computers are physically blocked from accessing the router.
No one can even get in without physically being at the router, with the display in front of them, making it 100% secure?
This is all about security right?
Isn’t there a ‘Chromebook’ for routers?
-
you can use an network port only for the WebGUI, deny the access from any other interfaces.
For configuration connect your notebook,... direct to this network port. -
@bworks said in Secure Router Concept?:
Since connecting a computer/browser to a router makes it less secure, why not remove the computer/browser?
Allowing any traffic into a route makes it less secure. The most secure router in the world is one that is not connected to any networks. For added security on top of that leave the power cord in another box.
It's always about usefulness vs security. Allowing a browser to even display the config has potential attack vectors. You need to log in at least, no? html and other technologies used to display the configuration have potential attack vectors, so even the simple act of allowing a browser is a problem.
Lots of times routers/firewalls may be deployed in remote locations, where there is usually few or no people onsite. What you are proposing is any configuration change, any problem mandates a truck roll of a person for anything.
From a usability perspective I don't see how your idea actually improves security.
-
I was going through the security issues listed here:
https://docs.netgate.com/advisories/index.htmlMany of the workarounds say:
To help mitigate the problem on older releases, use one or more
of the following:- Do not give firewall administrators access to pages or functions which allow
writing arbitrary files to the firewall. - Limit access to the affected pages to trusted administrators only.
- Do not log into the firewall with the same browser used for non-
administrative web browsing.
It says this time & time again.
My point is to stop any other devices other than the router itself being allowed to actually access the login / to be able to configure it. I understand traffic needs to go through it.
The thing is if you “deny the access” with the router settings, this means that those options can be modified [by intruders using potential exploits, in an endless battle]. Simply by making it so that there are no options to access the router from any other devices, means it would be 100% safe / ‘impossible’ for any other ‘remote’ devices to access it whatsoever (kinda like Chromebook’s it’s ‘impossible’ to download malware, etc.)?
Yeah, in this use case remote access would be a problem.
- Do not give firewall administrators access to pages or functions which allow
-
@bworks said in Secure Router Concept?:
My point is to stop any other devices other than the router itself being allowed to actually access the login / to be able to configure it. I understand traffic needs to go through it.
You need to access the router from somewhere to configure it.
-
@nogbadthebad Well it would be PFSense itself - maybe there could be a different version to download where it only allows the device it’s installed on to access the login/configuration (i.e. hard-coded in, not just an option that can be changed)?
PFSense can just be installed on a PC, why then allow any more computers to have access? Why not lock them out for good without even the option to gain access?
As the Netgate routers are basically little computers - attach a screen via the USB to access the config. Then just have a different PFSense install option for them? PFSense Standard for those that need remote access.
-
@bworks Most people run the devices headless.
Show me a Netgate appliance with a VGA / HDMI port.
-
@bworks sure if you want to only allow console access you can do that.. Just turn off the antilock out rule.. And prevent access to the pfsense IPs (this firewall) alias is good for that on your gui and ssh ports on all the networks attached or routed through pfsense.
Are you trying to set this up in DoD facility.. From a security point of view that is a bit over the top for your typical setup.. Normally you would lock down gui/ssh access to your admin lan only, maybe this admin lan is only available from say your computer room or dc, etc.
Locking it down to console only seems a bit drastic.. But sure you could do that if you so desired. Really need a gui to manage pfsense, so lock it down to say a specific laptop/pc something connected to specific interface.. Ie physically attached to pfsense would accomplish what your after.
-
pfSense is designed to be a web configured firewall. It's pretty much the reason it exists!
You could block access to the webgui on every interface and just use
linksat the console directly:
It's pretty inconvenient though for the security it gets you.
At some point int the future this might become a more practical option as we move functionality out of the front end.
Steve
