Security of OpenWrt vs OPNSense vs desktop operating systems

A number of operating systems can be used to run a router:

  • Embedded operating systems such as OpenWRT

  • Firewall operating systems such as OPNSense, pfSense, RouterOS, EdgeRouterOS, etc.

  • Desktop operating systems such as FreeBSD, Debian etc.

Purely from a security standpoint, which of these options is better focused on security, and overall more secure?

I am not limiting the hardware. Suppose you can use either embedded or x86 hardware, whichever is better for security.

For example, OpenWRT uses Dropbear rather than OpenSSH. These are different software. A zero day in each may not affect the other.

Or OpenWRT has a small footprint compared to Debian. But on the other hand Debian is much more thoroughly scrutinized.

Define security?

Of the router, the clients, the network...?

2 Likes

Suppose that you are a system administrator. Your boss asks you to secure a server (with no more than 5 clients, so that OpenWRT is relevant) with an edge router that is facing the internet. Clients access this server over the internet using VPN. There can be hostile actors with knowledge of (hardware, boot ware, and OS) vulnerabilities and zero days attacking this router. You want to minimize the chance of intrusion.

He asks you to use the best hardware and software to secure this server, with up to 500 USD cost.

The performance, ease of use etc. are not priorities. The security is for this edge router primarily. You can assume clients are provided with secure machines, and the server runs a Linux operating system with proper SELinux policies etc.

What hardware and software do you choose?

(This is not my situation. I am just clarifying).

The bottleneck is not really the system, but your own knowledge and effort.
Choose the one which you know better and/or want to study in detail.

If you have Linux-related background, it's wise to use a Linux-based system.
With a proper level of understanding there shouldn't be much difference.

Although note that some features like SELinux are basically distro-specific.
So, you can effectively use it only on Fedora/CentOS/RHEL.

On the other hand, your task appears to be limited to routing/firewall/VPN.
In this case, OpenWrt should fit well enough.

3 Likes

Ok thank you.

I had the impression that OpenWRT is focused on wireless functionalities and LAN-level security (assuming the environment is to some extent isolated), and less so on serving as a firewall at the edge, at the LAN-WAN interface.

It seems I was wrong.

Actually it's the opposite, OpenWrt restricts the WAN-to-LAN traffic the most by default.
OpenWrt is also highly configurable, so security hardening and advanced routing aren't a problem.
In addition, it supports a wide variety of VPN protocols, both old and modern ones.

1 Like
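
An added example, not part of the thread or of OpenWrt's own code: a small audit, in the shell you would use on the router, that checks the WAN-side restriction described in the post above against a firewall config in UCI format. The sample config is constructed, and the zone name `wan` and the helpers `sample_config` and `audit_wan` are assumptions.

```shell
#!/bin/sh
# Constructed sample in /etc/config/firewall (UCI) format, not from a device.
sample_config() {
cat <<'EOF'
config zone
    option name 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    option input 'REJECT'
    option forward 'REJECT'
    option masq '1'

config forwarding
    option src 'lan'
    option dest 'wan'
EOF
}

# audit_wan [zone]: read a UCI firewall config on stdin and report whether the
# named zone (assumed to be "wan") refuses unsolicited inbound traffic.
audit_wan() {
    awk -v zone="${1:-wan}" -v q="'" '
    function val(s) { gsub("[" q "\"]", "", s); return s }  # strip UCI quotes
    function policy(k) {            # WAN-side policy must be REJECT or DROP
        if (o[k] != "REJECT" && o[k] != "DROP") {
            print "FAIL zone " zone " " k "=" (o[k] == "" ? "unset" : o[k]); bad++
        }
    }
    function check() {              # evaluate the section that just ended
        if (type == "zone" && o["name"] == zone) {
            seen = 1; policy("input"); policy("forward")
            summary = "input=" o["input"] " forward=" o["forward"]
        }
        if (type == "forwarding" && o["src"] == zone) {
            print "FAIL forwarding " zone " -> " o["dest"]; bad++
        }
        split("", o)                # reset options for the next section
    }
    $1 == "config" { check(); type = $2; next }
    $1 == "option" { o[$2] = val($3) }
    END {
        check()
        if (!seen) { print "FAIL zone " zone " not found"; bad++ }
        if (!bad) print "PASS zone " zone ": " summary ", no forwardings from it"
        exit (bad > 0)
    }'
}

sample_config | audit_wan    # on a router: audit_wan < /etc/config/firewall
```
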

In the area of security, high configurability and supporting old methods and a wide variety of options are not good ideas.

But yeah OpenWRT is generally considered well maintained and secure.

Protocols can adapt/evolve over time by supporting new authentication/encryption algorithms.
Modern solutions are generally preferable, unless you are forced by external factors to use legacy ones.
Actually, OpenWrt was one of the first platforms to provide official WireGuard support.

1 Like

The real issue there is that OpenWrt is just like other Linux distributions.

But the main benefit is the typical OpenWrt router's power consumption.
A typical desktop machine costs $500 and its power usage is like 100W.
A typical router with OpenWrt costs $50 and its power usage is like 5W.

So if you're using a desktop machine as a router:

  • first, it will cost much more
  • second, there is the power bill for powering it 24/7

Here is an easy calculation.
Desktop 24/7 at 100W - for one day this is 2.4 kWh, for one month this is 72 kWh, for one year this is 864 kWh.
Router at 5W - for one day it's 120 Wh, for a month it will be 3.6 kWh, for a year it will be 43 kWh.

That's why many people (including me) use OpenWrt - because from a security point of view it's like all other Linux distributions.

2 Likes

There are important differences between desktop and embedded operating systems:

  • How many lines of code is OpenWRT?

The Linux kernel is some 28 million LOCs. OpenSSH alone is hundreds of thousands of LOCs. Huge attack surface.

  • How many security researchers work on OpenWRT? It’s much less audited and scrutinized.

  • Low power consumption requirements could mean trade-offs in security?

For example, an embedded device may not have enough entropy.

  • OpenWRT is dedicated to wireless, routing and security.

About LOC - it's impossible to calculate since OpenWrt is built FOR the device. Some devices may have some capabilities, others have others. A short example is OpenVPN - by default ovpn isn't included, but you can quickly add it with opkg. Next - the Linux kernel may be 28 MLOC, but this is with all architectures and all network drivers and so on. But OpenWrt doesn't use everything - for example, there aren't Power9 router devices or devices with NUMA.
The same goes for OpenSSH... actually this is good software, but it's too big to fit in embedded environments with a 300MHz single-core CPU, 32MB of RAM and 4MB of flash. That's why OpenWrt uses Dropbear. And its security is great!
https://www.cvedetails.com/product/33536/Dropbear-Ssh-Project-Dropbear-Ssh.html?vendor_id=15806
As you can see, it's going well. The benefit for OpenWrt is that it doesn't mainly use the x86 architecture but uses the ARM and MIPS architectures.

But if there is some security issue, OpenWrt devs publish an update ASAP. So most of the time you only need to download and apply the update.

Security researchers that work on OpenWrt are the same number as researchers that work on Linux and user apps.
No - low power consumption isn't trading off security. But my pocket benefits from this! And not only mine!

About entropy - technically OpenWrt didn't have entropy issues. It all depends on hardware manufacturers (some have a hardware random generator) and the Linux kernel.

While security for home users is in general good compared to consumer products, much of your concern will most likely boil down to knowledge, maintenance, functionality and to some extent hardware.

OpenWrt's Achilles heel is, in my opinion, maintenance: due to the nature of the target devices you normally can't update individual packages, updates can be disruptive (POLA - https://docs.freebsd.org/en_US.ISO8859-1/books/handbook/freebsd-glossary.html#pola-glossary ) and in many cases require manual intervention, more so than other distributions. This may contribute to the "set it and forget it" approach simply because it takes time. What you might also want to consider is that functionality can be severely limited due to targeting "low-end" devices / one size fits all approach depending on application.

If you look at dedicated distributions such as opn/pfsense etc., maintenance usually requires very little effort, and because they usually target faster and more powerful devices you usually see a substantial difference in terms of functionality, logging and reporting.

Using a generic distro such as FreeBSD, Debian etc. is by far the most flexible solution but usually requires somewhat more knowledge to configure and maintain; there's also less "integration" of tools ootb (no webui, reporting etc.). They can be just as secure as anything else depending on configuration. It also boils down to what you're comfortable with. I personally don't mind using a "full" distro compared to an appliance-like one, but I'd also say that they don't exactly replace each other either, as it all depends on use case.

One more thing to consider is that more services also (in theory) may serve as more potential attack vectors. While many services won't face "the Internet" at all and your network is most likely not interesting to hack anyway, I wouldn't put too much weight on that aspect for a home user.

As for hardware, you might want to pay attention to vulnerabilities such as Meltdown etc. In all honesty I highly doubt it'll be of concern for 99.9% of all home users, but you should however try to avoid using "broken" hardware if possible.

I personally run FreeBSD as "router/firewall OS" and OpenWrt for wireless APs simply because that's what I'm comfortable with and it's relatively low maintenance and offers great flexibility. I do run a bunch of standalone OpenWrt routers/gateways but they're becoming time consuming and will most likely be replaced with an SBC such as the RockPro64 paired with a dual port Intel NIC.

2 Likes

Many distros these days also target ARMv7+; the only exception in general is firewall because there were very few devices that offered suitable hardware and were affordable. Also, any distro will publish security updates ASAP, and "download and apply update" is usually not really that effortless.

"Security researchers that work on OpenWrt are the same number as researchers that work on Linux and user apps." I think what you're trying to say is that OpenWrt is a downstream user just like pretty much any other distribution. This however might have both pros and cons, as OpenWrt sometimes ends up having custom software solutions that aren't reviewed as much/frequently.

2 Likes

Well - distributions are just a compilation of kernel, drivers and some userland software.

So technically the same happens on OpenWrt more or less. Sometimes there is very custom software, but the reason for it here is the limited resources where OpenWrt runs.

1 Like

I agree with what you say. It seems to me, embedded devices (running OpenWRT or other OSs) should not face the internet due to their limitations. The edge router is best to be a flexible security-focused OS, e.g., OPNSense, or a full OS, e.g. OpenBSD or a Linux distribution running on a thin client mini PC. I am still undecided between OPNSense and a BSD distribution.

OpenWRT of course is a very good embedded OS, and the list of CVEs linked above speaks positively of its security. I would probably blame hardware, heterogeneity and limited resources.

Good question: when I connect to AWS or Google or Dropbox etc., what sort of operating system handles my request? In other words, what do these corporations run in their data centers at the edge?

Usually a customized variant of BSD or a Linux distro.
Amazon have their own flavour, Netflix for instance runs both FreeBSD (for serving data) and Linux etc.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/amazon-linux-ami-basics.html
Many vendors don't disclose due to security concerns.

2 Likes

I summarize the post answering the question on secure firewall and router operating system for others who might be interested:

OpenBSD >> FreeBSD >> OPNSense/pfsense >> OpenWRT.

The first two work only if your needs are basic. For advanced networking, customize 2 or use 3. Keep 4 for WiFi and embedded inside LAN.

If you want to minimize the chance of intrusion, your first task is to set up a proper concept of multi-layer security that ensures that if one layer is breached it will not impact the others.
E.g. separation of Firewall and VPN gateway, Containerize Apps, Dedicated user authentication for Network and Apps,....

2 Likes

True, defense in depth is good.

However, I note that each layer must still be properly secured. Otherwise, if implementation in each layer doesn’t adhere to good security practices, the overall security would still be weak even if layered.

Sometimes developers working on each component pass a common goal to those building other components. This is dangerous.

Don't you wish a security auditor with a love for router firmware would suddenly appear?

I have always been happy with security updates from OpenWrt, and I think my expectation has always been "it's up to you", the same as administering a server, an abstraction lost sometimes.

When was the last time there was a big security issue in OpenWrt that wasn't quickly fixed?

1 Like