Security option disable internet LAN

Hi developers.
Just a security idea. Most of the people who go online use wifi. Now, this is usually just a few hours a day.
But if you have your router with OpenWrt on it connected via a LAN cable to your ISP router to get internet, why would you want to have that enabled 24/7? Like I mentioned, most use wifi and just a few hours a day or so.

My idea,
Put an option to disable the connection between your ISP router and OpenWrt if there is no wifi device connected to your OpenWrt.

This IMO would enhance security big time.

Other option is of course to manually turn off the router. But having this automated would be epic IMO.

You have another post with the question about how to implement this in the current version of OpenWrt.

Why do you believe that this type of feature will enhance security? I’m not following the logic, but maybe I’m just missing it.

3 Likes

Your wifi PSK is either secure, or it isn't - limiting the time it's being transmitted shouldn't affect security (or something else is seriously wrong).

2 Likes

Somebody pedantic will come along and say that limiting the operation time enhances security because it limits the attack vector, similar to reducing TX strength to reduce coverage (so they can't sit in a parking lot to hax0r t3h wifi).

Does it? Sure. To what extent? Almost none. If anyone wants to break into your wifi network with a concerted effort, you've got bigger issues. You'd be much more effective just changing your WiFi password every once in a while, if it's a concern. Or instituting MAC approved-lists. They can get secure, but at the cost of convenience.

3 Likes

Technically correct, but if the PSK is bad enough for this to make a tangible difference, everything is lost already.

…and MAC filters are just useless, nothing easier than to sniff out accepted MACs and cloning those.

1 Like

My read of the OP's request is to disable the ethernet uplink when no devices are connected to wifi, but theoretically leaving the wifi up and running waiting for a connection.

But if I interpreted the above correctly, this would have zero benefit since any wifi connection would then re-enable the uplink. So as long as wifi is up, anybody who manages to connect to the wifi network would then necessarily cause a reconnect of the ethernet uplink, thereby negating any potential security improvement. And this first involves someone gaining access to the wifi credentials and/or cracking the WPA2 encryption (certainly possible, but not extremely likely for most networks with a robust password, except if the target is of high value).

The only way there can be any benefit is if the OP implements additional measures on the wifi side of things -- that is to say MAC address or 802.1x auth controls. Even still, there is no benefit to the original idea since now the actual wifi auth process has increased in complexity and becomes harder to circumvent (but again, not impossible).

So, unless I am misinterpreting the OP's idea here, I'm not convinced that there is any benefit to any of this.

That said -- @Akimov, it would be helpful if you could provide some insight into why you believe this feature would increase security. Maybe I am not seeing this in the same way you are intending.

2 Likes

It is many years ago that people in this country only used WiFi for "a few hours a day".
Internet connection and WiFi uplink are a 24/7 requirement nowadays and even more in the future.
If I kill the WiFi my phone just switches to 4G/5G and that comes with a cost.

The manual surf time is one thing, and a lot of the 24h per day wifi surfing, but then there are all the automatic cloud uplinks and update uplinks, not to mention the IoT uplinks, that expect a 24/7 online uplink.

But an intruder on the wifi needs to be within about 15m to even get a meaningful radio signal so it isn't really a big threat beyond visual range. In other words an intrusion on the wifi is made by your neighbors if they have the know-how.
But you already have OpenWrt, so the chance is (and I bet on this) that you are the only one within a 15m radius that has the know-how anyway.

1 Like

Imagine you live in a country where governments listen to everything and everyone. Now imagine using a VPN on OpenWrt. So far so good. You just surf a few hours a day. Range of your OpenWrt wifi is 15 meters. Then you go to sleep, and the government, with the help of the ISP, tries to get into your router while you sleep via the internet connection.

So some sort of wake-up-on-WiFi would be a good idea IMO.

The same principle applies, either your router is secure (to the extent possible) - or it isn't (in which case you'd need to work on that). You using a VPN doesn't reduce the risk of being attacked from the outside, and the idea to catch the attacker red-handed just because you're awake / at home or even using the network during the intrusion attempt is wishful thinking, not based on reality.

2 Likes

As @slh has already stated, most attacks come from outside your network (i.e. from the internet). If your router is not properly secured, that is an issue and it can be fixed. Disconnecting the router won't help in your scenario (unless you have it configured incorrectly).

This feature request will literally not improve security at all and will almost certainly not be developed into OpenWrt. You could try to make some shell scripts using the hotplug functions to automate this, but it won't do anything for your security.

This gets into the tin-foil hat territory pretty quickly. If you are really that concerned about the government or other actors trying to hack your network, the best bet is to not use the internet at all. If you must use the internet but are still paranoid about this possible scenario, just turn all of your network equipment off (manually) when you are not using it. It won’t help you with security, but maybe it will give you peace of mind.

2 Likes

If the state actors are interested in you beyond the casual snooping, I don't think you can do much to protect yourself, especially if that's your home state actors (which can enter your home when you're away, seize/bug your devices, etc).

But in this case, you can just stop and start WAN interface from WebUI when needed. If it's not important enough for you to do it manually, I guess it's not important enough to have it automated either.

1 Like

Can be done relatively easily with a script that polls known devices on the LAN from DHCP leases list and enables/disables WAN or VPN or whatever if no devices are responding.

I don't think this is a valid use case for security though.

DHCP leases will usually be too long for this to be an 'effective' lockdown method - and even querying hostapd directly would lead to 'interesting' effects (with mobile devices sleeping aggressively). Lots of pain, no real gain.

No, I mean using the DHCP list as a list to do pinging with. You can see if anyone is still up pretty quickly, regardless of the DHCP lease, if you ping its IP.

It might have a security impact due to the potential leak of physical presence information.

1 Like

I think a saner approach would be to disable the WAN after some time of inactivity on the LAN side. That seems easy enough. It also used to be "easy" to automatically bring up a WAN connection on demand (back in the dialup days), so maybe that can also be made to work.
I guess the main benefit in terms of security would be that you'd be secure from attack coming from the WAN while you're not using it.
It might be worthwhile, I guess, but given that most Android devices nowadays have almost constant background network activity (even when they seem to be sleeping), I'm not sure how well this would work, or rather it would require further careful consideration of what the connected devices do to make sure the WAN does get a chance to be disabled.
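The "ping the DHCP lease list" approach and the "bring WAN down after a period of LAN inactivity" approach suggested above, combined in one added example script (not from the thread or from OpenWrt itself). It assumes dnsmasq's /tmp/dhcp.leases format and OpenWrt's ifup/ifdown; the idle counter is there because sleeping phones miss single pings, which is exactly the caveat raised earlier in the thread.

```sh
#!/bin/sh
# Added example: poll DHCP clients, take the WAN down after IDLE_LIMIT polls
# with no answering client, bring it back up as soon as one answers.
# Intended to run from cron, e.g. every 5 minutes: "wan_idle.sh run".

LEASES_FILE="${LEASES_FILE:-/tmp/dhcp.leases}"   # dnsmasq lease database
STATE_FILE="${STATE_FILE:-/tmp/wan_idle_count}"  # idle polls seen so far
IDLE_LIMIT="${IDLE_LIMIT:-6}"                    # polls before ifdown
WAN_IFACE="${WAN_IFACE:-wan}"                    # UCI network interface name

# Print the IPv4 column of the leases file.
# Line format: <expiry> <mac> <ip> <hostname> <client-id>; the "duid" header
# line has fewer fields and is skipped.
lease_ips() {
    awk 'NF >= 3 { print $3 }' "$1"
}

# Return 0 if any of the given hosts answers a single 1-second ping.
any_host_alive() {
    for ip in "$@"; do
        ping -c 1 -W 1 "$ip" >/dev/null 2>&1 && return 0
    done
    return 1
}

# Pure decision step: $1 = idle count so far, $2 = "alive" or "dead",
# $3 = limit. Prints "<action> <new count>", action in up|down|none.
decide() {
    count=$1; alive=$2; limit=$3
    if [ "$alive" = "alive" ]; then
        # A client answered: reset the counter; WAN is only down at the limit.
        if [ "$count" -ge "$limit" ]; then echo "up 0"; else echo "none 0"; fi
    else
        count=$((count + 1))
        if [ "$count" -eq "$limit" ]; then echo "down $count"
        elif [ "$count" -gt "$limit" ]; then echo "none $limit"  # stay capped
        else echo "none $count"; fi
    fi
}

# One poll cycle: read state, probe clients, act, persist the new count.
run_once() {
    count=$(cat "$STATE_FILE" 2>/dev/null || echo 0)
    if any_host_alive $(lease_ips "$LEASES_FILE"); then st=alive; else st=dead; fi
    set -- $(decide "$count" "$st" "$IDLE_LIMIT")
    echo "$2" > "$STATE_FILE"
    case "$1" in
        up)   ifup "$WAN_IFACE" ;;
        down) ifdown "$WAN_IFACE" ;;
    esac
}

if [ "${1:-}" = "run" ]; then run_once; fi
```

Clients that never answer ICMP (firewalled laptops, IoT devices) look permanently idle to this script, so check the lease list against what actually responds before trusting it to drop the uplink.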