I am trying to think about the security of a network secured with openWrt.
The firewall fw3 is a big piece of it. However, it operates only at layer 3, and not with all protocols. Since it’s a layer on top of iptables, I believe it only filters the protocols tcp , udp , udplite , icmp , icmpv6 ,esp , ah , sctp , mh.
Because of this, I am trying to think about the vulnerabilities of:
layer 1 and 2
layer 3 with protocols not supported by iptables
What are the risks and remediation tools provided by openWrt for these 2 categories?
Any information welcome. In case it’s helpful here are a few more specific questions:
arp is a protocol at layer 2. There is a risk of arp spoofing from the internal network. Does OpenWrt protect against it? I saw that openWrt has the arptables package. Is it used by default to protect the network?
can arp spoofing or other arp attack be performed from the WAN?
what other risks at layer 1 and 2 exist?
what risks exist at layer 3 in protocols unsuported by iptables?
what is the exhaustive list of categories of messages that go in or out of the routers that are not filtered by the firewall?
In general OpenWrt routers will not see much of the LAN traffic, because LAN to LAN traffic goes through switches without ever being seen by the router. Layer 2 traffic needs to be handled by the layer 2 devices switching it. This means managed switches with business class features.
Layer 1 is the physical medium. (Or, in the case of WiFi, the RF signal. Essentially, layer 1 is the signal bearer.) Physically, layer 1 is at risk of any form of physical interference, whether damage or theft or failure. As for RF, layer 1 is at risk of radio interference, e.g. a microwave oven, or a neighbour whose spectrum use clashes with yours. It's also at risk of interception by any device which is within range of the signal.
OpenWRT provides no remediation for any of the above physical risks. As for the RF risks, OpenWRT offers potential mitigations:
In the case of overlapping wireless signals with a neighbour's network, OpenWRT offers the facility to change the wireless channel being used
In the case of unwanted interception, OpenWRT offers the facility to reduce the transmission strength to reduce correspondingly the transmission range.
In the case of unwanted interception, OpenWRT offers a choice of encryption methods so that if someone does intercept the signal it should be difficult for that person to decipher the plaintext signal.
Old school appletalk? Old school Novell IPX / Netware or whatever? But basically none of those packets are going to get forwarded from WAN/LAN or back and none of the will forward over the internet to the WAN anyway, so you're limited in attack to the first upstream device, or malicious devices on your LAN.
I am not entirely sure what you are questioning. I think it's obvious that a firewall operates at layer 3 and above, given the definitions of the layers in the OSI model.
Or maybe you question the fact that not all layer 3 protocols are supported by iptables? This information is on the man page of iptables. If you think about it, it would be a fairly tall order to take care of all existing layer 3 protocols.
As I said, from the LAN.
These are questions, I am not delivering any information.
Ah, that's excellent news. Thanks for letting me know.
@iplaywithtoys thank you for the explanation. That makes sense.
I see. There are several potential risks with ARP spoofing, from a malicious device on the LAN (e.g. intercepting communications between client and router by impersonating the router and then passing them on the real router), and I was curious to see if OpenWrt had some security features against it. Note that I am not suggesting that there should be anything specific (I am not familiar enough with this issue to have a relevant opinion), but I was curious to learn more. Did you mean to say there is no security feature against it in OpenWrt?
Device LAN A tries to ARP to find the router. Device LAN B sends a fake ARP response claiming to be the router while Router sends a real response. Does the Router have any way of knowing about the fake ARP? The answer is no. The fake ARP simply doesn't travel down the wire to the Router, because its destination MAC is the MAC for LAN A and the switch knows to send those packets to the port that LAN A is connected to.
So there's no way to address the Layer 2 security risks from the Router. You HAVE to address it in the Switch. Advanced business class switches can simply block ARP or NDP packets that claim to be from the router unless they come from the port that the router is connected on, or unless they have the correct MAC address. In fact you can block fake ARP/NDP from a whole list of important machines, like file servers, secondary routers, web servers etc. For example the TP-Link T1600-28TS has these kinds of features. That's the only way to address Layer 2 security issues, since only the switches even know about the false packets.
The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp, or all, or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. Protocol all will match with all protocols and is taken as default when this option is omitted.
All protocols are supported, you just have to use a number instead of a name.
The only layer 1 vulnerability I can think of is getting poked in the eye with a cable.
Layer 1 has to be fully physical security right? Tampering with cable etc. I don't think OpenWrt should be expected to deal with this. Happy to be educated.
@dlakelan thanks for your explanation. I understood what you meant, but I have in mind the scenario where there is no extra switch, but the switch is part of the router. It’s on the same device. I am also wondering about communication on an SSID (wireless, so no switch).
In these 2 scenarios, I think the router could know about the spoofed arp packet, and potentially do something about it?
you can turn on bridge iptables and arptables and do something about it if the bridging is in the kernel bridge. It's a mistake to think of the switch as "part of the router". Physically they're all in one box, but these all in one devices are equivalent to a router CPU wired into a low-function managed switch. If you buy a cheap managed switch (whether it's physically built into one box, or it's a separate box) you don't get these kinds of security features built in. If you want those security features you'll need the more expensive managed switches such as I mentioned.
OpenWrt firewall operates based on the ingress/egress interfaces.
So, you can allow only whitelisted traffic rejecting everything else.
That should filter out other protocols.
Yes, I think it's the right thing to do and I am keen to do that. My interpretation of @mikma was that it was the default behaviour of fw3. Is my understanding correct?