Preferred way to approach wired security?

Software SW help
1

Hello fellow Turris users,

I’m currently facing an issue I did not find any answer for, and I’m hoping some of you did solve it in past.
I have Turris omnia and PoE-powered wireless AP (TP-Link EAP-615 running OpenWRT) connected via Ethernet cable.

Both Omnia and TP-Link are in safe locations, Ethernet cable connecting them is however not - hence the need to secure it.

What do you think would be the the best approach?

  1. 802.1x with MACsec
  2. IPSec
  3. Wireguard site2site

Personally I like dot1x most as we’re securing L2 directly, but I don’t think I’ve ever seen anyone to get it working on OpenWRT.
Tunnels on L3 are probably easier to configure, but as L2 is still completely unprotected, so I guess additional hardening should take place on both devices.

What are you thoughts? Have you done any such setup in past, and were you satisfied with it?

2

Priority is always given to technical-mechanical provision (equivalent to a server room), EZS provision, etc. If the cable has technical security at the level of wifi, it would be secured similarly

3

Very true, and (fortunately for me) mostly possible. But world is not ideal, hence my question about next best thing :slight_smile:

1 Like
4

802.1x is not an option with the Turris built in ports Omnia 2020 not receiving EAP packets for 802.1x wired authentication

Tunnels are an option, but keep in mind of the performance overhead

1 Like
5

Wireless:

  • FreeRadius server with certificates and encryption

Wired:

  • OpenLDAP server
  • Radius server certificates also for wired devices
    (together with encryption this is hard punching you switch)

This both can be run on a small RaspBerry PI 4/5 w/ 4/8 GB
on top a GPS hat and a mSATA and you get also a NTP
(Stratum 0) and a small SyslogNG server for reporting
a behaviour and the Turris, the WiFi AP and you switch
have even the same time stamp!

Additional:

  • A snort sensor and server (suricata sensor and wazuh server)
    Small Ondroid and a NANO PI with two eth ports will do the job.
  • together with an addon board for GSM/LTE modem & SIM slot
    and the SMS Server tolls 3 you will be informed by a “case”.
  • One mirror port configured at your switch where the IDS is snorting.
  • On the switch between the both devices activating MacSec.