December 14, 2007

PacketProtector turns SOHO router into security powerhouse

Author: Joe Barr

PacketProtector is an embedded Linux distribution based on OpenWRT, the first popular distribution designed to run on a number of wireless routers commonly found in SOHO settings. Like X-Wrt, which we reviewed earlier this year, PacketProtector extends OpenWrt by offering additional functionality to enhance network security right out of the box.

PacketProtector's forte is the ability to use properly prepared USB drives for swap and storage. At present, the only routers supported are the Linksys WRTSL54GS and the Asus WL-500g, in either the Deluxe or Premium models. PacketProtector.org provided me with a loaner Linksys WRTSL54GS on which to do the review. I used both an external USB IDE drive and a USB key flash drive with the router.

As noted on the project's home page, flash drives have a limited life. They typically fail after 10K to 100K write operations. Since a swap space is write-intensive, it makes sense to use an external USB hard drive rather than a flash drive.

Installation is a three-step process. First, you have to download and install the PacketProtector firmware on the router. Before doing so, read the warning on the PacketProtector.Org home page: installing third-party firmware will void your warranty, and it is possible that you may brick your router. Next, you need to install the PocketProtector files and directories on the USB drive. The third step is to connect the USB drive to the router. Be sure you do this step last.

The PacketProtector.Org site has complete installation instructions that take into account both the router being used and the platform you're installing from, be that Linux, Mac OS X, or Windows. The loaner router already had replaced the original Linksys firmware with PacketProtector, so I didn't have to do the first step. I did do a reinstall of the firmware, however, which is a similar process. It is almost trivial to do using your browser and the router's Web server. Whether you're doing the first or a subsequent install, I highly recommend the first thing you do afterward is to change the default root password.

The project's site suggests downloading the USB tarball, decompressing it, and moving it to the USB drive. I found it easier to simply open a terminal, cd to the root directory of the USB drive, then decompress the downloaded tarball from there using the command tar xzf ~/packetprotector.tar.gz.

At that point, and prior to connecting the USB drive, I replaced my own wireless router with the PacketProtector device, connected the cable modem to the WAN port and my desktop machine to one of the four available LAN ports, and powered the new router up. I was off and running with full Internet access and the ability to connect to the router via SSH or HTTP. I signed in as root using SSH and the default password, and was greeted with an ASCII logo screen.

Once I changed the root password, I ended the SSH connection and logged in after pointing my Web browser at https://192.168.1.1. At that point, on the first boot and prior to attaching the USB drive, the Web admin console looked very much like WRT's, and included menu options for Info, Status, System, and Network. I logged off, attached the USB drive, and rebooted.

122786-thumb.png

Back at the PacketProtector Admin Console, I saw that the options available had been extended considerably. In addition to all of the original menu options, the console also had options for VPN, IDS, IPS (Intrusion Prevention System), Proxy, CA (Certificate Authority), and Users.

The firewall, IDS, and IPS are all configured and running out of the box. No firewall logging is done unless you enable it manually. Lead developer Charlie Vedaa explained that, "To enable it, you need to insert the ipt_LOG kernel module (insmod ipt_LOG) and add the '-j LOG' target to the rules you wish to monitor."

Clicking on the IDS option displays an empty Snort log, and menu options which allow for the selection of the Logs or Settings. Clicking on Settings, I saw that only two rule sets -- local.rules and virus.rules -- were available. If you want to add additional rule sets, you must download them from snort.org, copy or move them to the USB drive's /packetprotector/etc/snort/rules directory, and then return to the IDS -> Settings admin page. The newly added files should then be visible, and clicking the Enabled radio button and then the Submit button will activate them.

Selecting the IPS option from the Admin console displays a page identical to the IDS selection, except that it's for Snort-Inline rather than for Snort. Snort-Inline comes out of the box with rule sets for backdoor, local, and web-client enabled. Also present, but not enabled, are rule sets for bittorrent and examples for testing Snort-Inline.

The Proxy option allowed me to view the logs, check the settings, or conduct antivirus tests by trying to download files known to contain a virus. The tests worked, so I went to the Settings tab and enabled the Dan's Guardian content filter to block porn and gambling. As you can see from the figure, even surfing for porn on Google activated the filter. I also clicked on the Check for ClamAV signatures button, and was rewarded with a download of several hundred signatures, though I don't really know what they are doing for me.

The VPN option informed me that there was no certificate for the root user, and invited me to either create a certificate for root or visit the Users option, add a user/passphrase combination, then log out and log back in as the new user. After doing that, the VPN page provided instructions for downloading the OpenVPN source code, told me to compile and install it on my client, not on the PacketProtector server, and gave me links for the four files required to configure OpenVPN correctly for my user and site after I had finished the installation. I put this task off to tinker with later.

 

I did notice a bug in the Advanced Firewall while testing that caused connectivity issues on IRC, but I understand it is already fixed, and the new code will be included in the next release. I also found the slowness in booting PacketProtector to be a bit annoying. Vedaa told me that more likely than not, I was experiencing corruption of the ARP cache on my desktop machine, and that I could work around the problem by issuing the command arp -d 192.168.1.1 following a reboot. I was getting about a two-minute delay before being able to use the LAN after a reboot, and I'm told it should only take about 30 seconds. The fix did improve my boot time, so give it a try if you run into similar delays.

You can use OpenWRT non-free and WhiteRussian repositories to add new applications and utilities to PacketProtector. Asterisk is included among those applications. With the ability to access an external USB hard drive, it might make more sense for me to try to run Asterisk on the router than it did when the only storage medium available to me was the router's internal flash drive.

PacketProtector.Org is an example of all the things that are good about open source and free software. Standing on the shoulders of those who came before them, including OpenWRT, OpenVPN, Dan's Guardian, ClamAV, and others, the project has been able to modify the original project's scope and focus to better scratch its own itch. That's also good for those who want its functionality pre-installed and ready to run.

Categories:

  • Reviews
  • Security
  • Networking
Click Here!