OPNsense vs Google Wifi security

DeletedUser404

OPNsense and OpenWRT are commonly recommended for private router setups, but I'm not sure they're the most secure options. Comparing the two, I assume OPNsense would be more secure because it isn't held back by the Linux kernel. Still, they don't have security as great as mobile OSs.

Google Wifi is built on ChromeOS, which has way stronger security than FreeBSD, GNU/Linux, or any other router OS I've heard of. Would that be the most secure router option?

I know it sends more data to Google by default, but I can just use a VPN. Even if the FOSS routers have built-in VPN features, the Android VPN killswitch can be just as powerful AFAIK.

There's this article that has some criticisms about Google Wifi products

First, you are stuck with the 192.168.86.x subnet. Second, UPnP is enabled by default. NOTE: At the end of November 2017, an update was supposed to let you change the LAN subnet and the IP address of the router. I have yet to look into this.

But these issues are both solvable; I can just disable UPnP, and I may be able to change the LAN subnet

Sigismund

DeletedUser404 Still, they don't have security as great as mobile OSs.

You're doing it wrong. Your composting apples to oranges, that's one thing and two they serve different purposes and there are different expectations from user when it comes to securing the system.

There's no better option for regular users that would be free.

n3t_admin

uhm buddy? ChromeOS IS Linux! And here is the kernel.
No idea where you got the idea that ChromeOS is its own thing honestly.
That said, I think Google/Nest WiFi is gonna be held back not by the kernel, but the OS features. OPNSense is an advanced firewall software that lets you fine tune and segment your network while Google/Nest WiFi is some of the most limited router software I have ever seen. No VLANs, no subnetting, no firewall, no IDS, no CrowdSec... it's really bad. From my point of view, these two don't even play in the same ball park. I'd say the only thing the Google has going for it, is the simplicity (which can reduce attack surface), but everything else speaks against it.

DeletedUser404

n3t_admin No idea where you got the idea that ChromeOS is its own thing honestly

https://discuss.grapheneos.org/d/46-chromeos-privacy/2

ChromeOS is a distribution of Linux, but doesn't use the same traditional software stack. It has a security model similar to what you'd find on Android, and was in fact one of the first publicly available operating systems to push verified boot. The sandboxing model means that third-party software can't do as much damage should they be invasive or malicious. In that sense, ChromeOS is much more private than traditional Linux distributions.

https://xcancel.com/GrapheneOS/status/1923965961658372397#m

Traditional Linux distributions have poor privacy and security. They lack proper app sandboxing and other app privacy/security, lack isolation throughout the OS, are nearly all memory unsafe languages and lack modern exploit protections

QubesOS, macOS and ChromeOS are the most secure options for desktop OSes with different advantages.

ChromeOS is the closest to providing mobile style app sandboxing, exploit protection, etc. and is more secure than macOS overall, but it's focused on using Google services

n3t_admin No VLANs, no subnetting, no firewall, no IDS, no CrowdSec... it's really bad

What about if I used OPNsense as a firewall and Google Wifi as another router? Would that combine the security benefits of Google Wifi's ChromeOS sandboxing and OPNsense's firewalling?

n3t_admin

DeletedUser404 the same traditional software stack. It has a security model similar to what you'd find on Android

"The same traditional security model" doesn't really apply to network gear. Vastly different threat model compared to a desktop OS. I don't see any advantages of "based on ChromeOS based on Linux kernel" here anyway.

DeletedUser404 What about if I used OPNsense as a firewall and Google Wifi as another router? Would that combine the security benefits of Google Wifi's ChromeOS sandboxing and OPNsense's firewalling?

No, it would probably do the opposite. How do you know that Google WiFi is "secure"?
What are you even trying to achieve? Network security is a pretty complex topic, ranging from WPA/authentication, to VLANs, to physical 802.1x. There's really a lot and Google WiFi really covers nothing of that.
I think you first need to explain which specific threats OPNSense or a network OS based on Linux pose, then we can find a fix for that.

DeletedUser404

n3t_admin No, it would probably do the opposite. How do you know that Google WiFi is "secure"?

Google has a very good reputation for security, they make the Pixel phones that GrapheneOS uses

n3t_admin I think you first need to explain which specific threats OPNSense or a network OS based on Linux pose

I want to project against known and unknown security vulnerabilities (that's the goal of secureblue). I'm not very technical yet, but I would imagine that Linux's haphazard development cycle and FreeBSD's lack of security scrutiny make them more susceptible to these vulnerablilities.

DeletedUser404

Sigismund Your composting apples to oranges

The privacy and security researcher behind the Divested projects (former maintainer of DivestOS), makes hardened versions of OpenWRT firmware, and much of the hardening is pretty similar compared to hardening of desktop Linux. Kernel versions are more up to date, there are hardened parameters for the kernel, and SELinux is planned
.

This proves that kernel security and isolation within the OS are still important for network OSs

n3t_admin

DeletedUser404 so you don't actually want to secure your network, but the device running it.

In that case Google WiFi is probably a good solution.

DeletedUser404

n3t_admin it primarily shows that you haven't invested any time into understanding network security

I admitted

DeletedUser404 I'm not very technical yet

No need to be disrespectful, I do want to learn about this subject and I made this post to help clear up misconceptions I might have.

n3t_admin If you look at professional network equipment, it is often the least secure (or has a bunch of exploits regularly) because it is overloaded with features to cover all possible cases. It's a "pick one" situation.

This router security blog recommends Peplink, which apparently has both powerful features and a small amount of exploits

Sigismund

DeletedUser404 and SELinux is planned

and? I wonder how many of the people hyping selinux in silver blue and or anywhere else actually understand it's uses and in case of failure would be able to troubleshoot/fix it instead of making stupid exceptions.

DeletedUser404

n3t_admin so you don't actually want to secure your network, but the device running it.

I want to do both, I want to protect both my devices and my network from known and unknown vulnerabilities

Sigismund I wonder how many of the people hyping selinux in silver blue and or anywhere else actually understand it's uses

I'm confident that the maintainer of the Divested projects knows what they're doing. Android uses SELinux on every app, and that doesn't require troubleshooting.

n3t_admin

DeletedUser404 I want to protect both my devices and my network from known and unknown vulnerabilities

It really doesn't work like that and it primarily shows that you haven't invested any time into understanding network security. You first have to understand how a network works and what possible risks you need to protect yourself from.
You need to actually learn what DNS, DHCP, VLANs, NAT and so on do before investing in hardware.

DeletedUser404 I want to do both,

You can't have both. You require features to control the network which increases attack surface. Google WiFi is only "secure" because it barely has any features. It's a consumer product directed at the least knowledgeable people, who would gasp if they opened a standard router GUI on 192.168.1.1. It doesn't aim for network security in the slightest.

If you look at professional network equipment, it is often the least secure (or has a bunch of exploits regularly) because it is overloaded with features to cover all possible cases. It's a "pick one" situation.

DeletedUser404 I'm confident that the maintainer of the Divested projects knows what they're doing. Android uses SELinux on every app, and that doesn't require troubleshooting.

You just proved his point...

n3t_admin

DeletedUser404 This router security blog recommends Peplink, which apparently has both powerful features and a small amount of exploits

Now you have to fully read the blog!

I would also avoid any router from Google for the same basic reason - the company wants to know (and does know) so much about us. Worse, I have used Google Wi-Fi and it stinks as a router, having nothing to do with security. Keep in mind that the router sees the unique MAC address of your devices which enables assorted tracking.

and about OPNSense:

If you want something free and open source, I have heard good things about OPNsense from a trusted source. I have not used it. It is said to be easier to use than pfSense, but still, the target audience is techies. For example, you can download it and install it on many computers, but just to download it requires a bit of techie know-how as there are many different editions. I am not aware of an on-line demo of the User Interface, so it is impossible to judge if the user interface is too "techie" for you.

DeletedUser404 No need to be disrespectful, I do want to learn about this subject and I made this post to help clear up misconceptions I might have.

Fair enough, but that isn't the impression I got. Make yourself familiar with network components first. You can actually download OPNSense and run it in a VM to get a feel for it. And you can read their documentation for any questions you have. There is nothing to learn with Google WiFi really, since there's not really anything you can adjust.

DeletedUser404

n3t_admin Now you have to fully read the blog!

I have, but I don't really believe it answered my question: how significant is Google WiFi being based on ChromeOS for security? The blog doesn't mention ChromeOS's benefits, but it briefly mentions sandboxing once in a while:

This outdated version of the Linux kernel has 233 known security vulnerabilities registered in the Common Vulnerability and Exposures (CVE) database. The study did not look into whether different software services on the router run in sandboxed and constrained environments, or whether they have full privileged access to the system

While he felt that Circle's filtering is best of breed, it does have some quirks and it is easier to escape a kids safe sandbox than it should be.

If these calls fail, the malware deletes itself under the assumption that it is being run in an isolated sandbox.

It seems like ChromeOS would be more protected against these kinds of threats

the company wants to know (and does know) so much about us. Worse, I have used Google Wi-Fi and it stinks as a router, having nothing to do with security. Keep in mind that the router sees the unique MAC address of your devices which enables assorted tracking.

Can't I just rotate MAC addresses and use a VPN?

n3t_admin

DeletedUser404 it answered my question

it did. You just don't understand the answer.

DeletedUser404 how significant is Google WiFi being based on ChromeOS for security?

Not at all. Zero. There is zero benefit, as I already said. You can't compare desktop OS'es with network gear software.

The blog doesn't mention ChromeOS's benefits, but it briefly mentions sandboxing once in a while:

It's good you linked this.

If these calls fail, the malware deletes itself under the assumption that it is being run in an isolated sandbox.

This is because the malware assumes it is running in a sandbox on a security researcher's virtual machine. This has nothing to do with sandboxing on a router OS.

DeletedUser404 escape a kids safe sandbox

Why would you even cite this?

This outdated version of the Linux kernel has 233 known security vulnerabilities

Now, not quoting the rest of this news snippet is dishonest. Here it is:

In his opinion that are no good consumer routers. None. He says you need to switch to more involved, complicated, and expensive enterprise-grade network equipment before you see any improvements

It seems like ChromeOS would be more protected against these kinds of threats

It absolutely wouldn't.

Can't I just rotate MAC addresses and use a VPN?

You've been fed a marketing lie about what VPNs do. The router would be connected through the VPN as well and just ping Google that VPN's IP. The same goes for MAC addresses. There is no use rotating them. The software will just report what is on your network. You would have to block all Google domains on a firewall level (which you don't have when you run consumer junk like Google WiFi), which would probably break the product anyway, in some shape or form.

Tl;dr: I really encourage you to get familiar with network components and terminology, since you're throwing around terms that have little to do with the topic.