OpenWrt Router versus Unified Threat Management Endian

Hi all, first post here, from a newbie (but eager learner) in networking. So please speak slowly :wink:

Here's my goal : I need to secure a very small business (6 users), in a small-ish office (it is still 2 floors). The most important goal is security. Here are my specs:

Necessary requirements

  • ISP provides 500 Mb internet, so I need to support this
  • I need wifi
  • I need WPA3 entreprise (or something as secure)
  • I need "parental control" (i.e. dns/IP/url filtering), but not based on mac addresses (these are a joke to spoof, and I cannot understand why so many commercial solutions are based on this. but I digress...). It would make sense to me that the "parental control" is based on the authentication method of WPA3 entreprise, but open to whatever works best and is strong.
  • I need strong firewall

I will NOT need this

  • I will NOT allow any access to the internal network from outside (to increase security)

Nice to have

  • antivirus integrated to the network
  • I hate recurring payments, so I would prefer a solution where I buy hardware upfront, but then am not locked down with any paying vendor

I currently only have the modem/router provided by the ISP. My budget to purchase additional hardware is up to ~ 500 EUR / 600 USD.

I am naturally attracted to open source solution, mainly because I feel I can never be sure a commercial vendor did not include a backdoor (am I too paranoid?)

So I spent quite some time on the internet to try to educate myself. I have a few questions for whoever is willing to help.

  • Unified Threat Management Devices seem great to me, when I read their theoretical definition. I do not fully grasp the delimitation between a router that includes, say, a firewall and a UTM. Does OpenWRT installed on a router qualify as a Unified Threat Management Device ?

  • When searching for open source unified threat management on the internet, I landed on Endian. Can someone knowledgeable about it highlight the high-level differences between Endian and OpenWRT? Which one is more suitable in my case?

  • Can someone give advice on the high-level setup they would implement in my case. My thinking right now is to set the ISP gateway in bridge mode (effectively the ISP hardware becomes modem only), and buy a OpenWRT compatible router, plug it via ethernet to the ISP modem, and have all the devices connect to that router. Is that the best solution for my requirements?

Any suggestion/comment/partial answer welcome. Thanks a lot!

1 Like

Are you the owner of the business, or is the business owner paying you for professional IT/network support? I'll assume the former out of courtesy.

Your ISP provides a 500Mbps link. Have a read of So you have 500Mbps-1Gbps fiber and need a router READ THIS FIRST for some ideas about likely hardware requirements to support a connection that fast.

You want WiFi. Consider standalone access points for wireless networking, rather than all-in-one devices which necessarily compromise on performance to meet a price.

You want WPA3 Enterprise. That's likely to involve RADIUS and certificates and possibly more, and can be challenging to implement. It's not impossible for a beginner, but be aware of a shallow learning curve: it'll take time to acquire the necessary knowledge to do it well. That'll be some fun bedtime reading for you.

You want parental control. If you're the owner of the business, this could be met by talking to your employees. If you don't trust them, there are other problems here. However, if you still require a technical solution, one option could be a service such as OpenDNS. OpenDNS offers the capability to permit or block categories. Using it requires all your DNS to be funneled to OpenDNS and blocks for all other DNS providers (otherwise it's easy to circumvent). OpenDNS offers both free and paid-for services. There are other alternatives; OpenDNS is merely one option.

You want a strong firewall. OpenWRT uses iptables, which is a proven robust firewall. However, it's layer 3-only (to the best of my knowledge; if I'm wrong hopefully another forum member may correct me). In other words, it controls traffic based on the IP address and port number. For greater filtering based on actual traffic content, you'd need a layer 7 firewall which does content inspection. And those tend to be expensive to buy and usually have an associated subscripton as well.

You want antivirus. Windows Defender is included with Windows. I believe there are some free alternatives (can't recommend any as I don't know them from experience), but pretty much all antivirus these days is paid-for, on a subscription basis. I'm unaware of any antivirus which is sold on a pay-once model.

You want one-off payments or free, not subscriptions. How much is your time worth? Learning new stuff is great, and worthwhile, and I'd always recommend it. However, be aware of how much time you may have to devote to learning something you're not familiar with. If you're also trying to run a business, you might find it very challenging to do both at the same time.

You want open-source to avoid vendor backdoors. If you have good enough skills to audit source code for vulnerabilities, have you considered working as a security auditor instead?

From a cursory read of the Endian website, it appears that Endian offers content inspection, which a layer 3 firewall does not. In addition, it looks like Endian is very expensive and geared towards larger businesses. That latter assumption is a guess based on the coy "contact us for pricing details" button instead of an up-front breakdown of their prices. That sort of behaviour is common among vendors who sell into large enterprises. Of course, I could be wrong and Endian could be affordable. But if so, why not use that as a selling point?

Advice on a high-level setup? OpenWRT could be a good starting point, but it's unlikely to be sufficient on its own to achieve your moon-on-a-stick requirements. My notes and links above should give you enough keywords to plug into your favourite search engine for further reading on your educational journey.

10 Likes

I just wanted to say it's very refreshing to see so well-written first topic and a growing group of regulars providing quality replies.

4 Likes

@iplaywithtoys thanks a lot for your comprehensive answer!

I am the owner of the business. My development skills are decent, and I prefer to do the IT setup myself. However your point about not spending too much time on networking is very valid. I am a bit worried about that. My hope is that I can spend a lot of time upfront to create a good setup, and then have minimal maintenance to do. Say a couple hours every 6 months. Does that sound somewhat realistic to you?

Agreed, I will do that.

I do trust them... But I've come to realise that if something can be done, it will be done. They are not malicious at all, but they will click on links they should not, from emails or from ads.

Blocking all DNS providers seems hard to me. I feel it is easy on your browser to find an obscure DNS service and manually get the IP, and connect directly with the IP. Is there a good solution to avoid this? I feel like a process on the router that would do reverse DNS from the IP and check it against the list of blocked domain names would be a good solution. Is there something on OpenWRT that does this?

I feel the first step for me is simply to understand better how antiviruses work. I thought they would simply check a hash of the file against a list of known malware hashes. In that context, I don't understand how I could use an antivirus on a router with TLS enabled... My knowledge is thoroughly lacking.

Haha, I haven't. I should consider adding this to the services I offer :grinning_face_with_smiling_eyes:

Ah, that's concerning. I thought that an open source firmware was fairly blank slate and would allow me more flexibility and support future needs I might have. And certainly more than a closed source solution from a vendor whose code I cannot change, or where the plug-ins are limited. So that I can understand this better, would you be able to provide an example of a feature that openWRT cannot support, that a commercial vendor would support?

Thanks again!

A very good point. People do make mistakes, after all.

It can be challenging. It depends on what tools you have and what they're capable of. You could certainly configure the firewall to allow outbound DNS which matches your priorities and block all other outbound DNS. But to block, you would need to know further details. DNS is no longer just 53/udp these days. There are also variants such as DNS-over-TLS and DNS-over-HTTPS. If you can obtain the details for identifying unwanted traffic, you can then try to implement rules to intercept it.

I mentioned that OpenDNS isn't the only answer. Here's another possible one: in addition to intercepting unwanted outbound traffic, you might also wish to consider a content-inspecting proxy server. If all outbound traffic has to go through the proxy server, that becomes a choke-point which you can control. The proxy software may offer a feature which allows you to limit certain traffic based on certain criteria. For example, some computers or users may be permitted access to Webmail, while other computers or users may be denied. That's just one potential use of a proxy.

You could also run your own internal DNS server with integral filtering/blocking of DNS queries. A popular one is Pi-hole; there are others.

Old-school antivirus software used to do what you've just described. There wasn't - comparatively speaking - much malware out there, and it was well-known. If any malicious code reached the endpoint, the locally-installed antivirus could intercept it.

But not any more. These days we see multiple variants of the same piece of malware, all doing broadly the same thing, but each one has a different signature/hash. If that's your sole criterion for identifying some malicious code, you'll inevitably miss something. The malware has become "smart", with code which adapts itself to try to evade detection. Simple hash-checking isn't sufficient, and so the modern antivirus endpoint does much more than checking for file hashes. At least, the paid-for ones do; as noted earlier, I can't comment on the free offerings due to lack of direct experience with them.

Then there's intercepting viruses in-transit. If you want your router/firewall/proxy to detect and intercept a virus before it even lands on the user's computer, you need that device to be able to analyse and detect malicious traffic while in-flight. This is where content-inspection comes into play. It can be done (my Palo Alto PA-220 firewall does it) but not every device is equally capable of doing it equally well.

It can be, that's for sure. But that's not the same as a guarantee that it is. If you want a particular feature in an open-source product, someone might have already written something for it which you could use as-is. Alternately, if your coding chops are up to it, you can always write your own code to achieve your desired goal.

I perhaps could have chosen my words better, when I wrote "[...] unlikely to be sufficient on its own [...]". I meant rather that your requirements might not be fulfilled by a single all-in-one box running only OpenWRT; you might have to consider OpenWRT as merely one component in a larger infrastructure. OpenWRT is very good, very capable, and supports modular expansion so you can add the features you want (if those features are available). But it's not a universal panacea.

To my mind, some of the main differences between proprietary and open-source are:

  • Proprietary keeps the code hidden; the vendor might refuse to share it, or might require an NDA before sharing.

  • Open-source exposes the code; anyone can read it (no guarantee that anyone does, though, just that it's possible to do).

  • Proprietary usually comes with a financial cost, for which the customer can expect a certain level of support; the vendor is obliged to maintain and support its product. How much support depends on the vendor; some vendors offer better support if you pay more.

  • Open-source usually comes with a time cost; you didn't pay for the product, and its creators aren't obliged to support you. Instead, the typical route for support is probably a forum such as this one, where you're dependent on the kindness of strangers, and hoping that someone might know the answer to your question.

Off the top of my head, here's a couple:

  • Dedicated hardware for performance, e.g. routing/switching offloading, or cryptography. OpenWRT runs on pretty much anything, so it has to support pretty much everything, and that means doing/emulating it all in software. Proprietary technology drivers may not be available for OpenWRT to exploit, because why would the proprietary vendor reveal its "secret sauce" to the world? Recent versions of OpenWRT have introduced some degree of support for offloading, but it's very much device-dependent and isn't guaranteed to be available or work reliably on all hardware.
  • Content inspection. With the caveat that I could be wrong - and if I am I hope someone else here will correct me - I'm unaware of any packages for OpenWRT which add a layer 7 content inspection feature to enrich the firewall's capabilities.
3 Likes

You can block/intercept DoH/DoT/DNS with banIP/Adblock/firewall.

3 Likes

First off, I also want to compliment you on the thorough and insightful post. You're asking all the right questions.

At the danger of being OT here, I want to offer a slightly different perspective. A decade ago, I was a techie who ran a similar-sized small business. I realize now it was a mistake for me to worry about IT setup.

Although it was fun and rewarding, it took time from doing the hard work to think about how to advance my actual business. (I liked it because I got the satisfaction of actually accomplishing something, especially when everything else seemed really hard.)

My advice: If you're the owner, you should be focused on how to entice customers to pay you money. IT infrastructure isn't it. Consider how you can hand these questions off to someone you trust, either now or in the longer term. I wish you the best in your endeavor.

5 Likes

Here is an approach, regarding trust / cloud see these posts

2 Likes

Thanks a lot for another very insightful response.

That seems like an interesting option. Am I right in thinking though that this has to be configured on each client device? If an https connection is initiated on a client computer, then I cannot force it through a proxy from the router (or at least it will not be useful, as the proxy won't be able to decypher the encrypted content). So if client computer has admin access, this solution could be bypassed fairly easily?

Thanks a lot for this explanation. If a client device is downloading a file with an encrypted connection (HTTPS), how can the firewall do content inspection? I thought only the client computer and remote server are able to decrypt the messages content, not intermediary devices. Is there a trick that I am missing?

I agree with your list of differences. Unfortunately, as with everything else in this world, there is no perfect solution. That's the hardest thing for me to accept :grinning_face_with_smiling_eyes:

Your responses gave me great pointers for my overall setup. I'll start opening more targeted questions in this forum as I zero-in on technical solutions.

Excellent, that seems like great packages for me to review.

I will not want to do the same access controls for all users. Are there robust solutions to differentiate per user? Using mac addresses seems like it could be bypassed too easily. Is there a solution that relies on proper authentication? Or maybe I should setup different SSIDs?

Hey, thanks for that. Advice is always welcome.

I agree with you in general. In this particular case, I feel like I need a break between my previous venture and the next one. So I thought I would use that time to learn networking, as a way to learn something fun and also be useful for my next company. Better to learn while implementing something rather than just learning in abstract.

I know my idea of fun/rest is not the same as everyone else, but I am guessing people in this forum will be able to relate to that :grinning_face_with_smiling_eyes:

As with most things IT-related, the answer is invariably, "it depends".

If you have a firewall which restricts outbound traffic, it doesn't matter what the user might attempt to do on the client; your firewall can't be bypassed (depending, of course, on the exact configuration).

Two common approaches to using a proxy server are:

  • On-premise on your infrastructure
  • Elsewhere on someone else's infrastructure (e.g. "cloud").

If you host your own proxy server (e.g. Squid, Smoothwall, Bluecoat,etc.), you can configure your network like this:

  • Your firewall denies outbound traffic originating directly from the clients
  • Your firewall permits outbound traffic originating from the proxy server only
  • As a result, clients are forced to use the proxy, or forgo Internet access.

If you use someone else's proxy server (e.g. Zscaler), you can configure your network like this:

  • Your firewall permits outbound traffic originating from the clients, but only to the desired proxy service
  • Your firewall denies outbound traffic originating from the clients to any other destination
  • As a result, clients are forced to use the proxy, or forgo Internet access.

One common approach to configuring a firewall is to deny all outbound traffic by default, and then only permit the traffic you want. The idea behind that approach is that only traffic you've checked and approved will be permitted; it's easier to grant only a few things than try to deny a lot of things. As ever, the devil is in the details and you may find that your requirements suggest an alternate approach.

This is a common challenge, and can be addressed by using man-in-the-middle (MITM) decryption. How it fares with certificate pinning (developed to thwart MITM) is outside of my area of expertise, so I can't guarantee that MITM is a catch-all solution for all encryption. But it's a proven, reliable method for many companies already.

2 Likes

Yep, set up a separate VLAN/SSID for different groups of wired/wireless clients.

2 Likes

Yes. Many proxy servers and firewalls can offer user and/or device authentication, whether locally or centrally, e.g. LDAP, Active Directory, etc., to control traffic.

2 Likes

IIRC there was one of the more heavy weight projects, not sure but I think it was ipfire, that had in its documentation some info about using vpn to secure the wifi interface:
https://distrowatch.com/search.php?ostype=All&category=Firewall&origin=All&basedon=All&notbasedon=None&desktop=All&architecture=All&package=All&rolling=All&isosize=All&netinstall=All&language=All&defaultinit=All&status=Active#simple

2 Likes

thanks @jms , I'll look into it.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.