OpenWRT, Ubiquiti USG, other security gateway solution?

    jkaetz

    I know there are some IT security and Ubiquiti users here. I discovered that I can completely cut out AT&T's gateway from their fiber service and currently have a Meraki MX60 with OpenWRT doing the job but am investigating options. Looking for something that can handle gigabit traffic, be a VPN server, do deep packet inspection and doesn't require an ongoing software subscription. Any reason to move away from OpenWRT to something else? Most of the house is wired Ethernet with a couple of routers turned access points strategically placed.
     

    DoggyDaddy

    Wish I could help jkaetz but...

    [image]

    :)
     

    cam4usa

    It depends on what type of entity you wish to be secure from:
    - Next door average Joe neighbor
    - Script kiddie / entry level trouble maker
    - Average cybersecurity expert
    - Advanced cybersecurity expert
    - Your ISP
    - Average Nation Adversary
    - Advanced Nation Adversary
    - Uncle Sam

    It should be obvious the farther down that list you want to be, the more difficult/expensive will be your pursuit, some would argue, futile. That being said, layered security is always best. I suggest a VPN, FW, Secure devices (L4+), secure (L3-). Personally, I have a VPN (not all are the same), Cisco ASA FW, Cisco SW for L3, updated devices, secure WiFi, and SW FW on most devices. That should be more than sufficient for 90% of that list, however, I would argue it would be nearly impossible to secure yourself from all entities on that list.

    What is your desired goal, budget, skill level? I can give you a better idea from there.
     

    jkaetz

    Wish I could help jkaetz but...

    [image]

    :)

    I can translate. Unlike cable companies that are required to let you purchase your own equipment, AT&T forces a router/wireless device on all their fiber customers. Rather than have to do a double router situation I discovered that, for now, there is a way to cut out their device and insert my own. Right now that device is a repurposed vended security-focused router/access point running OpenWRT (open source router OS). I'm wondering what level OpenWRT is when compared to some other vended security-focused solutions.

    May want to check out pfsense from netgate. Maybe the 2100? I have been using these devices the past few months, pretty impressive.

    https://www.netgate.com/solutions/pfsense/netgate-2100.html
    Thanks, I had seen pfsense mentioned quite a bit while researching the AT&Tectomy.

    It depends on what type of entity you wish to be secure from:
    - Next door average Joe neighbor
    - Script kiddie / entry level trouble maker
    - Average cybersecurity expert
    - Advanced cybersecurity expert
    - Your ISP
    - Average Nation Adversary
    - Advanced Nation Adversary
    - Uncle Sam

    It should be obvious the farther down that list you want to be, the more difficult/expensive will be your pursuit, some would argue, futile. That being said, layered security is always best. I suggest a VPN, FW, Secure devices (L4+), secure (L3-). Personally, I have a VPN (not all are the same), Cisco ASA FW, Cisco SW for L3, updated devices, secure WiFi, and SW FW on most devices. That should be more than sufficient for 90% of that list, however, I would argue it would be nearly impossible to secure yourself from all entities on that list.

    What is your desired goal, budget, skill level? I can give you a better idea from there.
    Likely somewhere below average cybersecurity expert and above the ISP. I have no delusions of really ever being secure from an alphabet agency or the ISP but I intend to make the ISP do it on their back end equipment and not on the box that they provide.

    I suppose my real question is how does an open source OS like OpenWRT compare to vended solutions from Netgate, Ubiquiti, and the like. I have a healthy understanding of networking topology and security exploits, knowing full well that every piece of software has some holes and it's a question of who finds them first. I want a piece of equipment that will do routing/FW duty and provide me a VPN back into my network when traveling without just opening the door to anyone waltzing by the subnet. With a pair of three year olds in the house and an ever growing set of IoT things I'll also likely look into some type of traffic inspection in the future as a sanity check on what the kids and devices are doing. My philosophy with internet security is the same as when I'm out and about: try not to stand out and keep aware of the surroundings.
     

    JettaKnight

    May want to check out pfsense from netgate. Maybe the 2100? I have been using these devices the past few months, pretty impressive.

    https://www.netgate.com/solutions/pfsense/netgate-2100.html

    That was my #2 choice. My coworker has his set up to have an AP look exactly like the work network, then it has a VPN... seamless transition between the two places.



    I went with a Ubiquiti EdgeRouter; I've been happy with it, but I certainly haven't pushed it to the max or optimized it.


    I believe all three of these will do what you want; OpenWRT has been around a long time and is really solid by now. The Ubiquiti has a solid fan base, so there'll be plenty of examples and tutorials to do whatever you want. pfSense has a lot of plug and play options.
     

    qwerty

    Just an aside... pfSense is open source as well, so lots of support both from Netgate and users. Being open source was kind of a deciding factor as I feel many eyes help to make something more secure. I came from FortiGate and Cisco before that, and really have had fun with it.

    We also have a lot of Ubiquiti devices in play, and our current backup is an EdgeRouter and that is a solid choice. UNMS has been great for management of our devices.
     