Turris

Security

The security of the home network is the main focus of the Turris project. We distinguish two types of security protection: passive and active.

The former category consists, most importantly, of a secure operating system with automatic updates and related software. More information about the software on the Turris router is available in the Software section.

In the area of active security protection, the most important part is the distributed adaptive firewall described below.

Distributed adaptive firewall

The distributed adaptive firewall is a set of tools that together form a protection system capable of reacting to new security threats. It is composed of the following parts:

  1. collection of input data (most importantly monitoring of end devices)
  2. analysis of the obtained data on a central server
  3. preparation of firewall rules based on data analysis
  4. update of end devices

Points 1 and 4 are the most important for end users, because they deal directly with their networks.

Data collection mentioned in point 1 is described in detail in the following dedicated sections. Besides data gathered from end devices, we also use information from CSIRT.CZ and other public and specialized sources for preparation of firewall rules.

Updates of the firewall are performed using a standard automated update mechanism which is part of the system and is used for all other software packages as well.

Real-time monitoring

For real-time network traffic monitoring, we created a framework called ucollect which handles all traffic on a specified network interface and uses a system of real-time loadable plug-ins for the actual monitoring.

We used this framework to implement several specialized probes which help us analyze traffic from different points of view. These include, for example, a statistical probe for collecting basic statistical data about the traffic, an anomaly detection probe, a probe for collecting netflow data for suspicious traffic, and a probe monitoring connections which were not successfully initialized and might be a sign of malware infection.

Summarized results of most probes are then uploaded to our analysis server, which performs additional processing on data obtained from all connected routers. In some cases the data is used to create publicly available global statistics.

A complete list and description of all probes running on the Turris router can be found in the user documentation.

Firewall monitoring

Besides real-time traffic analysis, one of the interesting sources of data is the firewall log. It shows all the unsolicited traffic coming from the outside network and can be used as a supplementary source of data for anomaly analysis. We also use it to create statistics of the most often attacked services, countries of origin of attacks, etc., which are available on the global statistics page, and for preparation of a greylist of suspicious addresses.
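
The following added example (not Turris code and not its actual analysis pipeline) illustrates the idea of central firewall-log analysis: drop records from several routers are merged to count the most often attacked services and to pick greylist candidates seen by more than one router. The abbreviated netfilter LOG-style lines, the router names, the DROP-WAN prefix and the min_routers threshold are all assumptions made for the illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: (router id, abbreviated netfilter LOG-style line).
# Addresses come from the RFC 5737 documentation ranges; nothing here is real data.
SAMPLE = [
    ("router-a", "DROP-WAN IN=eth1 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40122 DPT=23"),
    ("router-a", "DROP-WAN IN=eth1 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40123 DPT=23"),
    ("router-b", "DROP-WAN IN=eth1 OUT= SRC=203.0.113.7 DST=192.0.2.20 PROTO=TCP SPT=51000 DPT=22"),
    ("router-c", "DROP-WAN IN=eth1 OUT= SRC=203.0.113.7 DST=192.0.2.30 PROTO=TCP SPT=51544 DPT=23"),
    ("router-b", "DROP-WAN IN=eth1 OUT= SRC=198.51.100.9 DST=192.0.2.20 PROTO=UDP SPT=5353 DPT=53"),
    ("router-c", "DROP-WAN IN=eth1 OUT= SRC=198.51.100.44 DST=192.0.2.30 PROTO=ICMP TYPE=8"),
    ("router-c", "unrelated log line without packet fields"),
]

FIELD = re.compile(r"\b([A-Z]+)=(\S+)")  # KEY=value pairs; empty values (OUT=) are skipped


def parse(line):
    """Return (src, proto, dport) or None when the line is not a packet record."""
    fields = dict(FIELD.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    dport = fields.get("DPT", "")
    # ICMP and similar records carry no destination port.
    return fields["SRC"], fields["PROTO"], int(dport) if dport.isdigit() else None


def analyse(records, min_routers=2):
    """Merge per-router drops into (greylist candidates, service statistics)."""
    reporters = defaultdict(set)  # source address -> routers that dropped its traffic
    services = Counter()          # (protocol, destination port) -> dropped packets
    for router, line in records:
        parsed = parse(line)
        if parsed is None:
            continue
        src, proto, dport = parsed
        reporters[src].add(router)
        if dport is not None:
            services[(proto, dport)] += 1
    # A source reported by several independent routers is a stronger signal
    # than one that keeps hitting a single router.
    greylist = sorted(s for s, seen in reporters.items() if len(seen) >= min_routers)
    return greylist, services.most_common()


if __name__ == "__main__":
    candidates, stats = analyse(SAMPLE)
    print("greylist candidates:", candidates)
    print("most attacked services:", stats)
```
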