NethSecurity Alpha 1 is ready 🛡

giacomo · November 6, 2023, 1:02pm

I know this usage scenario but I do not think that NethSecurity is a good candidate for being an ISP firewall.

Absolutely yes, this could be a common scenario. But usually the administrator want the authentication integrated with AD systems, and this configuration has some major security drawbacks.
If someone is interested, check out this: [OpenWrt Wiki] Introduction to 802.1X

By the way, if you want to explore such scenarios, you can install packages directly from OpenWrt repositories: Package repositories | NethSecurity
We can start as we did with NS7: just create an howto, if many users will use it, we can convert it in a official module.

Andy_Wismer · November 6, 2023, 2:48pm

AFAIK, it’s a well known security “Gotcha”, yet due to the ubiquitness of Windows Systems in large Enterprises, it’s still comonnonly used, networks are specially secured against external access by other methods. PEAP-MSCHAPv2 is still one of the most common, and is - under RADIUS only protected with TLS, and only if configured correctly. Nowadays, just not enough, and MSCHAP, even if “v2” is still to much “in the clear”. But it does work reliably!

MS-ID is not well implemented yet for OpenSource RADIUS, AFAIK.
see also

### RADIUS authentication with Microsoft Entra ID

And, yes, for all those asking, RADIUS as a project for Authentification is written All Caps…
The Name comes from:
Remote Access Dial In User Service
and it did actually start out as an alternative to MS “Remote Access” Dial-In.

Long time ago, before 2000!

My 2 cents
Andy

A commercial (not neutral), but still good, understandable write up about RADIUS with a lot of valluable Infos…

also this:

oneitonitram · November 7, 2023, 12:20pm

if this is a viable solution to solving and implementing RADIUS then am all in, and would be great generally for community users.

ALso i think would add alot mor evalue because OWT has many modules already available on its firewall.

ssabbath · November 8, 2023, 2:01pm

Is that real? NS8 now will have a firewall? HOTSPOT?!

Thats too good to be true…

How much will this cost? LOL!

ssabbath · November 8, 2023, 2:02pm

Thats also true, i miss RADIUS.

giacomo · November 8, 2023, 2:38pm

NS8 has a built, very simple firewall just to open and close ports of services. NethSecurity is the spin-off of NethServer 7: it contains the UTM firewall part .

Yes, the same of NS7.

It’s free, if you want to setup your own instance Install Dedalo Hotspot with Icaro on local servers

ssabbath · November 8, 2023, 2:53pm

Oh, now i see, nethsecurity is another product.

Good stuff!

alefattorini · November 9, 2023, 10:59am

I think we should clarify this. NethSecurity is not a NethServer 8 module!
It’s another product, “spin-off” looks fun and correct
We don’t miss the UTM part of NS7 thanks to it.
Maybe it’s gonna be an opensense alternative @Andy_Wismer

pike · November 9, 2023, 1:29pm

You consider OpenWRT a consistent competitor for OPNSense, Alessio?

alefattorini · November 10, 2023, 9:37am

Nope, but NethSecurity 8 will be soon.

LayLow · November 10, 2023, 9:48am

NethSecurity 1.0

pike · November 10, 2023, 11:45am

NethSecurity 1.x was IpCop based. Long dead.

Let’s see… if this will survive the claimings.

LayLow · November 10, 2023, 12:03pm

So what is the official versioning schematics then please?

boukej · November 14, 2023, 7:26pm

The default root password is burried in the docs: Nethesis,1234

pike · November 15, 2023, 2:32pm

The same of all other projects.

stojovski · November 15, 2023, 4:10pm

Great, will there be some kind of Linux Installation, for testing purposes in VirtualBox?

vesalius · November 17, 2023, 3:25pm

Following this with interest. Currently evaluating a couple VyOS VM’s for potential OPNsense replacement, for combo home and homeoffice router/firewall replacement. Use multiwan (failover for the homeoffice vlan and load balancing for the home network), adguard home and currently use WireGuard (road warrior home network access). Would this product also adopt OpenWRT’s option to use cake for qos and how about WireGuard?

Evaluating Linux based options for better integration as Proxmox VM’s and more efficient/faster networking using VirtIO network adapters above 1g.

giacomo · November 20, 2023, 8:11am

The answer is yes for the first question.
About the second one, wireguard is already present, but for now you have to configure it using the cli.
In the future we have plan to expose it from the UI.

carsten · December 5, 2023, 6:51am

Is something like Suricata to block hacking attacks and security breaches included also?

filippo_carletti · December 5, 2023, 9:35am

Not in this release. We did some tests with both snort and suricata, but we’re still not fully satisfied with the results. But work is still ongoing.
Threat shield is effective in blocking attacks.
And Netify can generate security alerts.