WEBVTT

00:00.000 --> 00:15.000
So, it's just meant to be for twenty minutes. And in that bit of time, it's meant to explain why you should, or maybe should not, try securing a network with OpenBSD.

00:15.000 --> 00:25.000
So, just a disclaimer. I'm from the UK and therefore I've only really done this for UK ISPs.

00:25.000 --> 00:34.000
ISPs assign addresses differently. This is also not an in-depth guide. There's only 20 minutes. I can't go through all the specifics of networking for it.

00:34.000 --> 00:43.000
And networking is personal, each person's network is different. So, you will need to adapt whatever configuration I would have provided if I had time.

00:43.000 --> 00:51.000
As I said, there is a Git repo. I'll have a QR code at the end of the talk, and that will go to the GitHub.

00:51.000 --> 00:58.000
I was meant to upload example configs to play with, so that it's easier to get into.

00:58.000 --> 01:09.000
But I didn't get time to push these before the talk, and I'll do that by Monday. So, if you hold on to the link by Monday, it should be up there and you'll be able to play with them.

01:10.000 --> 01:23.000
So, why would you want to use OpenBSD on the router? Well, firstly, ISP routers (and every time I refer to ISP routers in the talk, I also include off-the-shelf routers, so TP-Link, et cetera)

01:24.000 --> 01:35.000
run proprietary versions of Linux, and the main issue is this: they go end of life quickly, and they do not get reliable security patches.

01:35.000 --> 01:46.000
Often, leaving your network open to attackers, and they also limit how much control you actually have over your network.

01:46.000 --> 01:54.000
So, for those who really care about having the freedom to configure their network, this is one way of doing so.

01:54.000 --> 02:05.000
So, the benefits of using OpenBSD for routing: firstly, it's free and open source under the ISC license, and it's a permissive license, so it's business friendly basically.

02:05.000 --> 02:18.000
So, the security patches come very quickly, and we apply them with syspatch, which handles all of the patching of the system for you.

02:18.000 --> 02:29.000
You've got full control of your network with OpenBSD. You've also got access to additional features such as VLANs, which most consumer hardware would limit your access to.

02:29.000 --> 02:41.000
Often, you need to buy business-grade hardware for this, and even though consumer hardware could technically do it, it's software limited, because of the proprietary operating system.

02:41.000 --> 02:54.000
OpenBSD is general purpose, so not only can it route the traffic for your network, but you can also add additional functions to it, so you can technically have it as a basic file server as well.

02:54.000 --> 03:08.000
Also, what I like to do is use unbound and verify DNSSEC, to stop DNS spoofing, or man-in-the-middle attacks, because DNS is not encrypted.

03:08.000 --> 03:23.000
The security patches come directly from upstream, so with Linux-based images, you would have the security patch pushed to Linux, and then you would rely on the OEM to

03:23.000 --> 03:34.000
actually ship that security patch, and in the case of most embedded routers, you very rarely get anything but critical security patches.

03:34.000 --> 03:47.000
All of the utilities needed for a small or medium-sized network are within the OpenBSD base, so you very rarely need to add any additional software from ports.

03:48.000 --> 04:03.000
And the benefit of using OpenBSD over Linux is that the base is one complete system, so you don't have to worry about updating packages; syspatch will do everything for you.

04:03.000 --> 04:12.000
The downside of using OpenBSD for a router is that the current file system does not journal.

04:12.000 --> 04:19.000
Because a lot of people are used to unplugging their routers from the switch or directly without actually powering them off.

04:19.000 --> 04:27.000
If you do this to an OpenBSD router, fsck will fail, and this can cause file system corruption.

04:27.000 --> 04:42.000
This can be solved by using a UPS, but it is a hefty drawback. Hardware support isn't as wide as Linux, so you do have to be careful about what hardware you try to use it on.

04:42.000 --> 04:50.000
And the network stack is not as performant as FreeBSD's, and there can be some hefty bottlenecks.

04:50.000 --> 05:01.000
So if performance is important, you may want to use an operating system such as pfSense or use FreeBSD instead.

05:02.000 --> 05:14.000
So why not OpenWrt? Well, it is used for embedded hardware, and this means that there is a very limited set of hardware.

05:14.000 --> 05:19.000
There is a big table of what hardware is supported, but each piece of embedded hardware has to be supported separately.

05:19.000 --> 05:26.000
With OpenBSD, any general-purpose machine can be used as a router, provided it has enough Ethernet ports for your network.

05:26.000 --> 05:32.000
So it can run on most computers, and any old laptop will probably suffice.

05:32.000 --> 05:43.000
Why not pfSense? Well, there are not really many reasons other than the fact that you can do it all over the CLI via SSH, and that it can be distinctly cooler.

05:43.000 --> 05:48.000
So for the hardware requirements of it, you can use any old hardware.

05:48.000 --> 05:54.000
So if you've got something lying around, instead of throwing it in the bin, you can turn it into a more secure router for your network.

05:55.000 --> 05:58.000
But you need to ensure that you have two Ethernet ports.

05:58.000 --> 06:03.000
Most devices will not have this, so a cheeky way around it is using USB NICs.

06:03.000 --> 06:11.000
The performance isn't amazing, but it allows you to use any hardware you wish.

06:11.000 --> 06:21.000
You will preferably want it to have a low power consumption, because this will have to run 24/7, and if you are using a big desktop, which draws a lot of power,

06:21.000 --> 06:25.000
then it will probably break the bank.

06:25.000 --> 06:32.000
You probably also want a network switch to connect more devices, because your chosen hardware isn't designed for having lots of Ethernet ports,

06:32.000 --> 06:38.000
but you can add network interface cards in order to increase it.

06:38.000 --> 06:49.000
A managed switch could be useful, because you can do router on a stick, where you use a VLAN trunk on your LAN interface,

06:49.000 --> 06:54.000
to then separate off multiple networks, virtually.

06:54.000 --> 07:01.000
The software requirements for it are to mimic an ISP or off-the-shelf router.

07:01.000 --> 07:07.000
You will need DHCP, unless you want to configure every device yourself.

07:07.000 --> 07:12.000
dhcpd is included in the OpenBSD base, so you don't have to install anything further.

07:13.000 --> 07:24.000
You need a firewall, mainly just for NAT and blocking incoming packets to the network, because by default you should.

07:24.000 --> 07:35.000
PF is OpenBSD's native firewall, and it's very powerful, and very easy to use for people who are not experienced with firewalling.

07:35.000 --> 07:43.000
You can optionally add recursive DNS using unbound, which I explained that I do myself earlier.

07:43.000 --> 07:52.000
The benefit of this is you don't actually rely on any upstream recursive DNS server, but it also allows you to validate DNSSEC.

07:52.000 --> 08:00.000
For IPv6, you want SLAAC, for which you need rad, which is also included in the base.

08:00.000 --> 08:03.000
So, how do we actually do this?

08:03.000 --> 08:10.000
For a very basic network, you only need two interfaces, one for WAN, which you will connect to whatever your ISP provides,

08:10.000 --> 08:14.000
whether that's a modem, or an ONT.

08:14.000 --> 08:22.000
This is where it differs on setup, because some ISPs may use PPPoE, and some may use DHCP.

08:22.000 --> 08:29.000
This is specific to your network and has to be changed accordingly. For LAN, you pick a range from RFC 1918,

08:29.000 --> 08:35.000
which is any private IP range.

08:35.000 --> 08:50.000
You want to run dhcpd on your LAN to allocate the addresses, and if you are using IPv6, you want rad on your LAN to advertise the IPv6 block.

08:50.000 --> 09:01.000
So, as for the basics of firewalling, you want to block everything by default, and that is the default on most firewalls.

09:01.000 --> 09:09.000
Unless you've got an abundance of IPv4 addresses, you will need NAT.

09:09.000 --> 09:13.000
You can block Martian packets.

09:13.000 --> 09:22.000
So, private IP addresses coming in on WAN. It's not 100% required, because the ISP should never pass them to you, but it is good practice to do so.

09:22.000 --> 09:30.000
And optionally, you can block packets coming in from known spammers' address ranges.

09:30.000 --> 09:35.000
And that's pretty much it.

09:35.000 --> 09:41.000
So, once you have a solid foundation, you can build on OpenBSD a lot.

09:41.000 --> 09:49.000
So, firstly, you want to track your configuration in a VCS, such as Git, so that any change you make to your configs can be tracked.

09:49.000 --> 09:53.000
And also, so that you can easily recover from a failure.

09:53.000 --> 09:56.000
You can use more networks, this is what I referenced earlier.

09:56.000 --> 10:01.000
VLANs, allowing you to separate multiple networks and keeping them separate from one another.

10:01.000 --> 10:12.000
So, for example, if you've got a business, you might want to separate off your Wi-Fi from your servers to prevent cross-talk between the two networks.

10:12.000 --> 10:18.000
You could set up redundant internet connections; you can do this via pfsync.

10:18.000 --> 10:30.000
And another useful thing is to set up a VPN tunnel to your network, allowing you to administer it remotely without having to forward any ports.

10:30.000 --> 10:38.000
As for Wi-Fi, Wi-Fi support on OpenBSD is already limiting, and then hostap support on OpenBSD is even more limiting.

10:38.000 --> 10:45.000
So, you'll struggle to find any hardware which will actually be able to act as a Wi-Fi AP.

10:45.000 --> 10:57.000
And for further issues, consumer hardware has really weak antennas, which potentially would cause rather bad performance.

10:57.000 --> 11:08.000
However, there were discussions on this on IRC, and there could potentially be a future route to actually doing Wi-Fi APs on OpenBSD well.

11:08.000 --> 11:18.000
So, as for now, the recommendation which I would use for Wi-Fi would be using a dedicated Wi-Fi AP, because it is designed specifically for this purpose.

11:18.000 --> 11:24.000
And you can use OpenWrt for it, and this is only for the Wi-Fi AP section, so your router will still be OpenBSD.

11:25.000 --> 11:31.000
You would preferably want to separate off your Wi-Fi from other networks using VLANs.

11:31.000 --> 11:46.000
WPA2 is weak, WPA3 is somewhat secure, but overlaying it with a VPN such as WireGuard allows you to be more sure it's more secure, a bit more, yeah.

11:46.000 --> 11:56.000
If possible, you probably still want to stay on Ethernet: it's faster, it's more reliable, and it's more secure, and it's one thing which is still good.

11:57.000 --> 12:03.000
Further reading on this: The Book of PF is a great book for learning how to firewall on OpenBSD.

12:03.000 --> 12:09.000
Absolute OpenBSD is a good book to learn OpenBSD fundamentals.

12:09.000 --> 12:11.000
The man pages for pf.conf,

12:11.000 --> 12:25.000
hostname.if, dhcpd.conf, unbound and rad will allow you to configure that, and at the bottom is a link to OpenBSD's upstream FAQ on PF

12:25.000 --> 12:30.000
and dhcpd, which has a guide on how to do a very basic OpenBSD router.

12:30.000 --> 12:32.000
Thank you.

