CERT, a US Federal government agency tasked with cyber-security research, has issued an alert advising consumers to stop using various models of Netgear routers. These devices are subject to a trivially simple command injection exploit. Ars Technica has a nice overview of the matter.
Normally I’d have literally nothing to say about this, since it simply doesn’t impact us. Wanna know why it doesn’t impact us?
We don’t use a consumer router that runs closed source firmware. We don’t think that you should either. In fact, you probably shouldn’t let your friends and family use that junk either.
Perhaps this holiday season, and all of the travelling & visiting that goes along with it, presents an opportunity to help someone unsuspecting secure their home network.
Yes, it’s time to revisit some preaching about the joys of open source and a piecemeal approach to home networks.
My Preference: SmallWall
Though I surely do admire pfSense, I still run SmallWall as our primary router. SmallWall is a fork of the now defunct m0n0wall project. Based upon BSD, SmallWall is currently maintained by a small but dedicated team that includes Lee Sharp, who is located right here in Houston, TX.
The roots of the software go back over a decade, so the code has been well vetted. The documentation is also quite good. Community support for the software, provided largely via a set of forums, is very good. The software is breathtakingly simple, reliable, and effective.
SmallWall doesn’t run on a typical consumer router. Since it’s built on BSD, it runs on an x86-based platform. You can make a SmallWall router using any old PC that you have hanging around, as long as it has two network ports.
We run the software on a small single board computer with several network interfaces. It was recycled, so it cost us literally nothing. It handles our 50/10 Mbps Comcast service easily.
Netgate is a great source for this kind of hardware, although their focus is now dominated by pfSense, since they now host that project. pfSense is awesome, but may be more than most home users require.
Other Open Source Routers
In various projects in the field, I’ve used other open source routers with great results. In recent years I’ve come to respect DD-WRT, open source firmware that runs on a variety of low-cost router platforms.
In fact, DD-WRT can be loaded onto many of the Netgear routers listed in the CERT advisory. Netgear runs a community called My Open Router that focuses on open source firmware for their product range.
I’ve also used a number of Buffalo routers that come loaded with DD-WRT already installed. They cost a few dollars more than the same hardware running closed source firmware, but it’s worth it for the added functionality and other benefits that come with using open source firmware.
Advantage Open Source
The advantages to using open source are many. When the source code is open, it’s readily available for anyone to examine. That means software developers within the user community can collectively ensure that it’s well-designed and properly implemented. Given a larger developer team, problems are easier to catch and resolve.
Taking Up The Challenge
The problem is that only a small fraction of the people who actually have home networks know anything about securing those networks. That’s where you come in! Given the fact that you’re reading this you can probably help.
As you make your way around family and friends this holiday season, inquire about their household IT. If someone looks like they could use some help, offer it! In a nice way of course.
Friends don’t let friends (or family) hang around in botnets.