6100 + Zen FTTP (UK) + NordVPN Setup
-
@stephenw10 thanks! I agree it's probably a secure part of the network - but can't say 100% anymore.
There's likely another way they are thinking about...
There are ‘bugs’ in every single piece of software! That’s why there are endless “security updates” / “make sure you install the latest firmware updates”, blah blah blah.
The fact is the software has already had the bug(s) long before the updates! And only ethical hackers are reporting them.
Check out this:
https://routersecurity.org/bugs.php
The bug that scares me the most is the one that allows bad guys to bypass a router firewall and attack devices directly. He tested four consumer routers and found two were vulnerable, but he did not name names and did not say which of the 12 bugs they were vulnerable to.
“Bugs bugs bugs………”
2 years Virgin Media does nothing (I’ve been with them in the past)
Even Fortinet/Fortigate bugs / Cisco “backdoor account”, “flaw leaves small business networks wide open”
What is the history of “bugs” on Netgate hardware / PFSense?
Unfortunately as soon as there are any single flaws in the software, that's it. I'm not waiting for the hackers to come along.
-
And there goes "bluetooth is invincible" / "impossible" as well:
"Millions of Wi-Fi access points sold by Cisco, Meraki, and Aruba have a critical Bluetooth bug that could allow attackers to install and run malware on the devices. The bug was found by Armis. The malware could get access to all subnets, that is, it would not be stopped by a VLAN. The bug is in Bluetooth Low Energy (BLE), in software from Texas Instruments and they were aware of the issue, but they were not aware that it could be exploited in such a malicious manner."
"Not me, Bluetooth is always disabled on my phone."
"Way to go Aruba. An attacker can learn the password by sniffing a legitimate update or reverse-engineering the device. Game over. Bad guys can then install any firmware they want."
"Tin foil hat: a reader comment at Ars raised an issue that I first heard at a security conference this past summer. What if the removal of 3.5 mm audio ports in phones was to force more people to keep Bluetooth enabled, and thus, keep them traceable?
If that is true, we won't know for at least 30 years."
-
And regarding bluetooth, my iPhone tries to connect to my Bose speakers fairly frequently, despite the speakers being turned off (with no battery) & the bluetooth turned off on my iPhone!!!
-
"Decade-long vulnerability in multiple routers could allow network compromise"
Just utterly ridiculous! Clearly there is something malicious going on behind the scenes also. They couldn't care less about the hackers [ruining lives] that are using their hidden backdoors. Only when money is stolen & there's something to trace.
In the meantime governments around the world hacking innocent individuals, destroying lives, all to keep control / bully the innocent people.
-
Well pfSense has no Bluetooth support at all so that's one thing not to worry about.
It depends what you mean by 'bug'. You can check the entire bug history if you want here:
https://redmine.pfsense.org/projects/pfsense/issues
Most of those are not security issues though. What you probably want is this:
https://docs.netgate.com/advisories/index.html
Steve
-
@stephenw10 thanks Stephen! On the first document I found:
Due to the lack of proper encoding on the affected parameters susceptible to XSS, arbitrary JavaScript could be executed in the user's browser. The user's session cookie or other information from the session may be compromised.
- Do not log into the firewall with the same browser used for non-administrative web browsing.
My plan is to use a dedicated Chromebook just for accessing the router.
I will go through the list for more potential tips...
I'll say I think it's better to go with open source than commercial due to these entities possibly creating backdoors on purpose & keeping them secret for as long as possible. I don't see the same thing happening with open source.
-
@stephenw10 holy crap, well there you go:
Researchers at the École Polytechnique Fédérale de Lausanne (EPFL) and Purdue University have independently identified vulnerabilities related to Cross-Transport Key Derivation (CTKD) in implementations supporting pairing and encryption with both Bluetooth BR/EDR and LE in Bluetooth Specifications 4.0 through 5.0 […]
For this attack to be successful, an attacking device would need to be within wireless range of a vulnerable Bluetooth device supporting both BR/EDR and LE transports that supports CTKD between the transports and permits pairing on either the BR/EDR or LE transport either with no authentication (e.g. JustWorks) or no user-controlled access restrictions on the availability of pairing. If a device spoofing another device’s identity becomes paired or bonded on a transport and CTKD is used to derive a key which then overwrites a pre-existing key of greater strength or that was created using authentication, then access to authenticated services may occur. This may permit a Man In The Middle (MITM) attack between devices previously bonded using authenticated pairing when those peer devices are both vulnerable.
"Vulnerability to so-called Man-In-The-Middle (MITM) attacks is less clear. With some of these, an attacker can impersonate a previously paired device, which would then be allowed to connect without user intervention"
https://9to5mac.com/2020/09/10/bluetooth-security-flaw-2/
Seems to be exactly what was/is happening to my iPhone.
My bet is, despite bluetooth being secure, Apple are leaving backdoors in, and underground hacker gangs are finding these out & keeping the flaws to themselves. These vulnerabilities stay secret for years (or a "decade").
-
There is always a trade-off between security and convenience. You just have to realise that the vast majority of users are at the convenience end of that scale and manufacturers are targeting mostly those users....
But that's a conversation for 'off-topic' it's not Netgate hardware related.
Steve
-
@stephenw10 so what would you suggest as the most secure setup that I can create [with the Netgate/PFSense router]?
Again, my plan is 1 Chromebook solely for configuring the router (if the Chromebook can remain offline whilst configuring that would be better...).
2nd Chromebook for web browsing, and accessing my web hosts - shouldn't be able to get malware but not sure what other vulnerabilities there are - e.g. turn off javascript?...
And a Macbook Pro for all of my actual works (Adobe, AE plugins, Music plugins, etc.) - only use the internet to install the programs (many 3rd party), and install updates. Keep the internet off as much as possible. Send my web development assets to the cloud rather than accessing my web hosting directly (where my passwords may be exposed some how).
I still can't see myself being able to invest in crypto/NFTs, even with a dedicated Chromebook for it...
Unless, is there a way to detect any sort of hack, not just malware? How do so many big companies go for so long without realising they are being hacked? Aren't they monitoring their outgoing traffic (e.g. through Snort, etc.)?
Obviously no bluetooth on devices, no wireless devices (no wifi at all), VLANs, VPN... what about ACLs with PFSense, do they increase security?
-
Hmm, well it doesn't appear that Snort would be useful since I can't remember the last time I visited a non-https website, and it does nothing for an encrypted connection.
-
The concept of an off-line Chromebook is probably not going to work well. ChromeOS expects to always be online.
If you're aiming at the secure end of the security/convenience scale use Tails. It is quite inconvenient though.
Again though this is not really specific to the 6100 so it would be better in a different thread.
Steve
-
@stephenw10 thanks Stephen, my idea is just to have a 100% safe laptop/PC only to access the router. I don't think you need to be connected to the net to login/configure the router(?)
I'm also looking at Linux & physically removing the wifi/bluetooth capabilities. Or even OpenBSD/FreeBSD OS... Thanks, Tails may be going too far for me, but I will need to understand it better. Hopefully a VPN will be enough to stop them acquiring my IP.
Anyhow, I think I'm starting to understand enough to know that I am going to give the Netgate 6100 / PFSense a go - then add additional security measures on top.
Just some last Qs, since all this networking lark requires a fair bit of knowledge, and is therefore easy to mess things up in configuration -
-
Would I be able to get someone from your support to screenshot me the [100%] correct setup/configurations for whatever I decided to go with in terms of devices/clients and addons such as pfBlockerNG-Devel?
-
Am I going to need a separate switch to do VLANs?
-
Should I add Squid / ACLs for extra security? If possible, can you briefly explain how ACLs will help (I can't figure it out with VLANs & whether it's necessary).
Thank you very much!
-