Added the following to the ‘this would be missed out on if not going for Omnia’-list:
As a side note, lots of vendors are locking down their firmware to comply new FCC rules, so there will be lot less opensource and 3rd party supported routers soon…
Problem is, that it is more easier to lock down bootloader, then wireless code…
For example TP-Link will abandon opensource, Netgear and Asus will lock down only wireless part, Linksys will lock down all models, except WRT series…etc…etc…
Hardware and software wise, Omnia is worth every penny you paid for it, it has open source firmware and hardware as well. Powerful HW does not come cheap and if you want pure 1Gbit/s NAT performance, most of the HW capable of it is even more costly than Omnia and all its additional Perks combined + you have to usually buy seprate “support contract” to get firmware updates as they are pro grade appliances already.
There is nothing like Omnia in consumer market available today…
3 Likes
For me, the alternative to the Omnia is a full-up gateway PC, which is my current solution. I’m running Fedora on it, trying to keep my increasingly complex home IoT device LAN (lights, outlets, appliances, cameras, etc.) completely separate from everything on my home LAN, yet still providing as-needed secure (and logged) limited access to the very few IoT devices needing it.
I’m not a security professional, so I’m always concerned I’m leaving something out. Distros (including Raspbian) tend to be extraordinarily (criminally?) insecure as installed. I need the security emphasis provided by Turris far more than I need the Omnia hardware. Though getting the hardware will allow me to retire both my power-hungry gateway system and the WiFi AP connected to it (the AP does not connect directly to my home LAN).
Yah, Safety of the Turris system (e.g. swift/automatic responses to zero-days and transparency of what is going on by its opensourceness) is very nice and probably worth it in and of itself (both the price and the wait 
).
This I do not get, how is that?
if you’re in US and want to pay monthly instead of one-time fee you can get:
https://roqos.com/roqos_core.html
The best approach is to learn a little about “system hardening”.
For example, Red Hat has a large financial, health and government business, and needs to meet stringent platform “Information Assurance” and “CyberSecurity” requirements just to be ready to run any application that handles private or privileged information.
Nearly all of these requirements concern out-of-the box (freshly installed) configuration that is insecure, mainly a bunch of really sad default values in various configuration files.
These configuration errors (with recommended remedies) are collected and shared in a variety of ways, the most common of which (especially for Red Hat systems) are called STIGs (Security Technical Implementation Guides). A freshly-installed Red Hat Enterprise Linux system will typically have ~200 STIG items that need to be remediated (fixed) before the system can be used in even a vaguely secure environment.
There is an endless amount of information available about hardening a system to meet minimal security standards: Google is your friend.
My home LANs and my personal data are important to me, as is the need for none of my systems to ever be shanghaied into a botnet, so my home gateway PC is fully hardened, and includes stateful packet filtering, rootkit scanning, filesystem protections, and massive logging with automatic log analysis that generates alarms that go to my phone.
Windows 10 and Android are a PITA to harden, so I make sure my gateway does its best to protect such systems as well.
But why is system hardening needed? Because the general consensus appears to be that making things “easy” for users is far more important than making things safe and secure.
Unfortunately, this same lazy, negligent attitude has spread into the IoT (“Internet of Things”) universe, which has no “users” in the conventional sense. Your gateway / router / AP / cable modem is an IoT device, and many manufactures ship them with the most common features enabled by default. Most users have no clue that this is inherently insecure.
Last week’s massive (largest ever) DDoS attack against KrebsOnSecurity was performed largely by compromised IoT devices.
I expect CZ.NIC to not make such mistakes on the Turris Omnia!
2 Likes
Defaults are for users and not for compliance with some requirements. Putting your device in forced off and never turn on again state because your system disk is full is not a solution for normal users but still a useful requirement of PCI-DSS et al. Disable IPv6 is another example.
Some distributions achieve their security by ignoring security in @BobC’s definition. Auditing in TAILS is an example for something you simply do not want. If you go further you cannot take the Omnia or any other SOHO WiFi router as a secure device. You would need auditing and password change enforcement and other things. These are not possible with OpenWRT or other home user oriented devices.
If you have or want to meet the requirements of some policy then the Omnia may be the right device if you do the software yourself but not by default.
If you simply want some wifi router that brings useful and quite secure defaults then it is possibly the best one. The web interface will force you to set a custom password on first setup, require a custom wifi key etc… even the sysctl settings are a bit restrictive.
Hiding the complexity of secure-yet-functional configuration is a key part of the user setup process. Everything I’ve heard so far indicates that CZ.NIC completely understands this.
I don’t know what your systems do for disk full, but mine go through several layers of automated purging and persistent operator warnings before resorting to a forced shutdown (which always gets the attention it deserves). I set my space warnings way low, at 75% full, to give me lots of time to do the simplest fix of adding another large, cheap disk (which is all my home systems need).
To make security dead-simple, my gateway runs strictly from a DVD that I burned when my configuration became stable. The hard disk is mainly for caches, spoolers, and logging. Non-volatile boot media is one of the best security measures you can do, and for fixed-purpose systems like gateways, it’s also dead easy. I apply and test updates via a temporary overlay filesystem, then burn a new DVD.
But it sure does boot slow, which is OK for a home system.
Agreed! I am trying exactly that (looking into / supporting / ordering the Omnia - and discussing it here - is one of my steps in that process).
The RedHat example is illustrative I presume (in an expert heuristic fashiom)? I understand from it that a lot of out-of-the-box configurations are weak (so weak that such a company spends resources on collecting/addressing them). So maybe I should pay attention to it too (80:20% ratio does come into play here, albeit security may require another ratio in many cases - I’m thinking nuclear power plants …). So yah, I realize hardening deserves resources spent on it, but it is hard… so hard RH has build a business case on top of it. personally I must find the balance to getting reasonably secure and spending all my time in folding tin-foil hats (for my pets).
There I am thinking Google was the enemy… (I get the point info should be available online in abundance, and I am already informing myself, but it is a lot to take in - and there are also funny things called “work”, “family”, “household”, etc. that demand attention… the nerve…).
Exactly! Seriously, that is exactly what I am striving for (and I am jealous that clearly you have your stuff way better organized than I have…). I keep simply stranding (I’m already proud of myself that I am not (read: will not be) using any back-doored router from US soil, having NSA backdoors build-in and the likes. I’m also proud that I understand that injected add-banners are a nono when it regards security too)! For instance I try to keep my systems patched up… But clearly there is much to learn for me… Please - as you seem very knowledgeable in this area - do see my Stack exchange questions about CVE follow-up… as I am trying to get my head around it, but I can’t seem to get the hang of it (and the answers/replies generally make things worse - probably due to lack of knowledge/experience om my side).
I’m not sure wheter it is the explicit deeming of being more important, per se. I think the capitalistic/commercial system furthermore reinforces it. Assuming humans are lazy by nature, making/building/selling a very secure (consumer) system that would take the (average) consumers a long time to configure themselves will probably not sell much (as they think it is “stupid product… oooh look that one… It is shiiiiny!” =click= buy). Albeit until they start feeling that their insurance costs rise as their sports-habits (or lack thereof) are being sold on e-bay to health insurance companies… maybe then focus will shift… but for now most people simply seem to not care (let alone spent their hard-earned money on it). So yah, lazyness lies at its core, but the socio/economic system does not help (in other systems this may have be different, but then people will be forced to be secure - which many liberals would oppose to / who will decide what amount is is enough and what should be protected from who etc.) But let’s not get into politics too deep… Luckily for people like us this is where open source projects come in - able to break with general mass way of doing things, but still powerfull enough to actually make a fist!
Keeping my fingers crossed (surely it will - as it never is - a 100% coverage, but surely it will be better than your average router, as security/follow-up is one of the main selling points of the Turris principle. If I am not mistaking)!
I guess this is what it will boil down to indeed.
That is so cool!! (no sarcasm implied). I’d like to do that too… but were to find the time… However, “dead easy”? I dare you to explain this to my mother! Surely I could do it, if I found the time, but the average person - I doubt that…
At any rate thanks all for your insights! It is appreciated!
P.S. For anyone knowledgeable regarding security; See this shameless plug of my CVE follow-up question!
How do “FCC” rules influence territories outside those controlled by the USA?
Wouldn’t more European (such as CZ.NIC), or Asian/African organizations stand up to fill the gap (although I think EU governments - and probably most others too - are trying to take control of the internet bit by bit (pun intended 
) too - for better or for worse, I’ve not decided on that yet)? Turris Omnia being one (first) of those initiatives?
Or a re-rise of the home-build routers (unless chips having “hidden”-build-in stuff will be the norm; most of us being dependent of a chip oligopoly)? etc.
For example, as a general rule, companies don’t want to do different products for each region if they don’t need to. Instead they try to do one product that fits/works for all regions.
Hmm yah, sounds logical indeed.
It (that commercial strategy) does assume that they will not loose a too big market share (which - in this case; with all the ignorant / ‘I don’t care’ potential buyers - probably indeed wont be the situation though probably).
But in that sense it could also open up the market for open systems (outside the US) too,right? As it may drive the people that are currently running, say, tomato/openWRT-flashed hardware (just an example to make the point) towards projects such as the Omnia? More market means more initiatives (usually). So it becoming “illegal” in the US to take control of one’s own hardware, may yield an opposite effect in the rest of the world; albeit the effect may be small…
Well, some manufacturers have worked around this problem, with locking down only wireless radios part of the firmware, Asus is one example…
U.S. market is rather big to lose,
It is actually real simple choice, you don’t comply with FCC rules, you are not allowed to sell or import your gear and thats it…
Reasoning from a US perspective, yes (and I do not counter argue that). My point however was:
If conventional router-builders (such as ASUS, Lyncsys, etc.) indeed give-in to the FCC rules in a desire not to lose the US market, and they additionally want to cling to their strategy of having only one (now closed) style to be marketed globally (as pointed out by @white above), they would no longer offer the option to freely install one’s own OS anymore (even though in 50% of the world that would be perfectly fine legally).
This would tear a gap in the world-market that could possibly be successfully filled by a European (or any manufacturer even that chooses to ignore the US rules). Ofc., relatively speaking, the gap wont be as big in comparison to the router market as a whole, but it may lead to Omnia (and the likes) te become very successful (in this specific niche) in those parts of the world that are not as restrictively controlled by the government as the US is. Albeit they would loose the US as a target market (but that one will be / is fairly saturated with the conventionals anyway). I mean… why not?
Ooh I just read the following article that might just be of interest for you @BobC (although it probably contains nothing new for you, I still wanted to share it with ya):
It it resonates quite a lot with the idea that you are expressing (at least it immediately reminded me of your posts on here)!
Even the european market has rules like FCC.
https://discourse.labs.nic.cz/t/eu-directive-2014-53-eu/120/7
In the end a more modular approach will circumvent both. Non-wireless devices with miniPCIe (or NGFF) slots are not restricted. Getting modules may get harder and is more expensive but also more flexible.
This post can be marked SOLVED!
The Omnia It is so the better router choice, on so many levels!
Sure it may still be a little rough around the edges, but TBH there is nothing like it (other than maybe home-build)!
http://images.fashionnstyle.com/data/images/full/122571/mr-robot.jpg
(B.t.w. excellent t.v. series for all us “hackers”!)
2 Likes