Drive Encryption


  • Rebel Alliance

    Running remote clients that don't always have great physical security.
    This leaves them vulnerable to attack, particularly if removable media is used (eg: SD cards)

    Is it possible to have an encrypted drive to prevent someone from removing the SD card and reading it directly?



  • Yes, but the exact method depends on the operating system.


  • Rebel Alliance Global Moderator

    You also have a problem with such systems being able to start on their own without human intervention..

    You also run into the problem that if physical access is there while live, the drive is decrypted ;)

    What exactly is stored on the firewall drive that could not just be circumvented with such physical access?


  • Rebel Alliance

    @johnpoz:

    You also have a problem with such systems being able to start on their own without human intervention..

    You also run into the problem that if physical access is there while live, the drive is decrypted ;)

    What exactly is stored on the firewall drive that could not just be circumvented with such physical access?

    It seems to me that the simplest form of attack is powering down the router, removing the drive and imaging it.
    Therefore, this poses the greatest vulnerability to a physically non-secured client router.
    I understand that encrypting a drive requires a password to be entered (or stored??) to power up.
    Neither solution is desirable, and I don't propose to know the solution (when physical security cannot be fully controlled).
    I thought I would ask anyway.

    I imagine that performing a live attack would be more difficult.

    Client routers may run OpenVPN connections to the server, thus certs and passwords become vulnerable.

    The SG-1000 routers can run on internal memory, which is a little more secure, but I imagine the memory can be read anyway.


  • Rebel Alliance Global Moderator

    What appliances from netgate run on sdcards or drives that are removable?

    Those things can be added for storage on some models.. But are they not all internal storage?  So really nothing to remove..

    "stored??) to power up"
    You just defeated the whole point of encryption if the password is stored and not encrypted..

    "I imagine that performing a live attack would be more difficult."

    Why?

    The whole point of the disk encryption goes out the window with evil maid attack anyway..  Since I have physical access..  You have to put the password in to boot the thing… I just use evil maid on you.. etc..

    Do any of the major players in firewalls provide for encryption?  Say Cisco, Palo Alto, Juniper, Fortinet?  How do they implement it..  Here is the thing once physical security has been lost..  So while your encryption would protect you against theft of said device.. Since your cold storage is encrypted.  But if what I am after is your certs - then just evil maid you.. OR maybe even just put a camera in the area or keylogger to log the keystrokes, etc. Go turn the firewall off and then back on and just wait for you to put in the password.

    You are prob better off securing the appliance in some sort of enclosure if you can not secure it in an IDF room or something.  Quite often they can be placed up on the walls to make access even more difficult.  This is how switches are normally secured in a production facility, for example, where it's difficult for some runs and you need a switch at some location vs just the drop of the wire and the switch in a secure closet somewhere.

    If you're worried about the user certs, do not store them on the appliance after they have been created.  Same goes for the CA.. You can store the private key of the CA off.. It is only needed to create new certs from that CA..  So that sort of stuff can be removed if you're worried about someone getting that off the firewall.


  • Netgate

    To me the biggest reason for whole-disk encryption (other than portable, thievable, misplaceable devices like laptops, tablets, and phones) is so you can dispose of the drives without having to wipe them first. That's why I use ZFS encryption on my NAS.

    WDE on the firewall seems like a solution in search of a problem.


  • Rebel Alliance Global Moderator

    "WDE on the firewall seems like a solution in search of a problem."

    Well said… And agree..

    I am curious if any major players support it though.. Have never looked into it.. Since I have never had to worry about physical security of such devices.  They are either locked in an IDF/MDF of some remote location or in a DC with normally over-the-top physical biometric access only, etc. Then even in that DC in a locked rack, and sometimes a cage with different locks, etc.

    The firewall is normally never just sitting on someone's desk in an open cube ;)

    So now that your concern about certs is removed from this non-physically-secure firewall - what else is on the device that you're concerned with that would make you desire WDE and all the pains that come with that?



  • The firewall is normally never just sitting on someone's desk in an open cube ;)

    That's where it was in an office I used to work in.  However, there wasn't much option.  The office was a single room in a building where offices and even just mail boxes were rented out to small companies.  Unlike most of the other tenants, we had our own Internet access, connected to an Adtran router/switch.  There were only 2 people working there, me and the sales guy.



  • @Gil:

    Is it possible to have an encrypted drive to prevent someone from removing the SD card and reading it directly?

    Well, Mr. Obvious says if security is a concern, PHYSICAL SECURITY: the FW box is in a controlled-access location, to begin with.


  • Rebel Alliance Global Moderator

    Rule #1 of security:

    If you don't have physical security you don't have shit ;)


  • Rebel Alliance

    @johnpoz:

    If you're worried about the user certs, do not store them on the appliance after they have been created.  Same goes for the CA.. You can store the private key of the CA off.. It is only needed to create new certs from that CA..  So that sort of stuff can be removed if you're worried about someone getting that off the firewall.

    I cannot remove all sensitive data.
    A router set up with an OpenVPN client will require a combination of:
    CA.cert, a VPN.cert and VPN.key, plus (possibly) a tls-auth.key, user name and password.
    Certainly no need to store the CA.key. I keep a separate system for key generation anyway.
    Revoking certificates is an answer to a compromised router, once you have identified the compromise.

    I don't disagree with the comments made, but can you always guarantee that all of your client devices are physically secured?
    Inherent to my situation; I cannot.

    Just looking for possibilities that may exist past my current knowledge.


  • Rebel Alliance Global Moderator

    In what scenario would you be worried about a router that connects to a VPN service's user cert to the VPN?  The users at that location would have access to the VPN already..

    Please describe the scenario of your compromise… What exactly is a person that has physical access to your router going to steal or get access to that you're trying to prevent.. That they already do not have access to anyway from just being in the location and on your local network.

    Be happy to walk thru any scenario you can describe that is actually something that anyone should be worried about..

    Yes, your firewall in some location should always be secured.. If you do not have physical security you do not have shit... Where WDE comes into play is a scenario where you lose your device..  Ie your work laptop that you leave in your car - and someone throws a brick through your window and takes the thing.  To decrypt the disk they would need your smart card - which you have in your wallet.  And or at min your password to boot the machine, etc.

    Whole disk encryption only protects against loss of the device.  When would a router be lost?  If it's in a building under your control... If someone does break into the building and steal it - what is on there that could not just be revoked?

    You need to walk through a scenario - if you want to walk through the steps to mitigate that scenario..

    Just asking for WDE seems pointless for something like a firewall.  Even if the router is sitting in an open cube in your office.  What is on the device that someone in the office would want?  That you would be worried about them getting access to?


  • Netgate

    It's not a feature that will likely be added anyway.


  • Rebel Alliance

    Not all VPNs are for human users; most of my remote clients are network devices - remote over WAN, multiple locations.

    The equipment boxes can be locked, but physical security cannot be guaranteed.

    I set Alarms for security alerts whenever I can.

    I appreciate this is somewhat specific to this scenario, but I'm sure I'm not the only user who faces this problem.


  • Rebel Alliance Global Moderator

    Well, use a different firewall solution that provides it.. Like I said, none of them do that I know of..  But you want the one you get for FREE too ;)

    I would suggest you get a PC to run it on, and use WDE/FDE in the BIOS.. Or run it on some SED; there are some SSDs out there for sure.. Now you just need someone to put in the password every time you reboot the thing…

    Which had better make sure these people that want these top secret VPN user certs do not learn it. And or that they do not evil maid you since the device is not secure..


  • Rebel Alliance

    Okay, thanks for your time. Particularly johnpoz.
    Like Derelict says, it ain't gonna happen.
    I totally get why; no harm in asking though.



  • I read a blog on the topic of WDE for remote devices where physical security could not be trusted. It was full of all kinds of holes. There is no solution, and the closest you can get to a solution is more of security through obscurity. It comes down to the fundamental issue that a secret must be provided. If the secret is local, then anyone with physical access can get the secret. If the secret is remote, then you need a way for the device to reach back to get the secret, but in order to do that, it must have the ability to boot and connect back. An attacker could just clone this part, run it in a VM and eavesdrop. Now they've got the secret. The only benefit you gain is that you can control when the secret gets sent instead of having it accessible at any time by storing it locally.

    In short, it can't be done without proprietary hardware. The only way to make this happen is to have a way to store the secret locally in a physically safe way and where the device knows it's in a trusted state. You can keep whittling down which parts must be secure, but in the end you MUST have some amount of physical security.


  • Rebel Alliance Global Moderator

    ^ great points Harvy66

    So yeah it all boils down to if you ain't got physical security you ain't got shit ;) hehehehe

    Even a small ma and pop shop should have some sort of closet it could be locked up in.  Even in the example where it sat in a cube.. You still have physical security to the point that only people that work in the office would have access.. And ok, the cleaning crew, and the building security and management ;)

    But not like it's sitting on a table in Starbucks ;)

