Hardware firewall made in North America / the Western World

I would like to look at buying / building a hardware firewall to run OPNsense that supports speeds of 2.5 GB/s (or greater) - this in advance of switching to a > 1 GB/s service from my ISP.

Currently, I am using OPNsense on a box I bought on AliExpress a couple of years back, but it only supports 1GB/s.

In any case, I could go with the same sort of thing, but having read this article:
https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

(call me paranoid but …) I’m wondering if there are any North American / Western World pre-built solutions that don’t cost an arm and a leg?

Alternatively, a DIY build detailed someplace that is made of parts manufactured in North America / Western World.

Good luck finding those! China made sure it became the manufacturer for the world by (artificially) outpricing everybody else, in particular the West. The only way to get a “China-free” firewall is using an FPGA you program yourself. That is, if your situation/environment validates spending some big bucks for it :roll_eyes:

That Bloomberg article is complete BS and has been disproven on many sites.

But just to recap, let’s look at the claims of the article:

  • A chip the size of a grain of rice / standard SMD resistor
  • This chip has a CPU with enough “horsepower” to have all traffic run through it on 25gb Ethernet networks without bottlenecking the network so no one gets suspicious.
  • The chip not only has a CPU with that much power, but it also incorporates RAM and networking components capable of interfacing with the board. All in the size of a grain of rice.
  • The chip also must contain code for at least a dozen typical vulnerabilities so that it can gain access on the network it is placed inside and get the stolen data out all on its own.
  • The chip only has 6 connection points (which means power, ground and IO for the whole thing runs through a total of 6 pins).
  • Apple found chips in servers they used before this
  • Amazon found the chips before buying the company Elemental

Now I'll bring up some points to refute the “facts” the Bloomberg article claims to be true:

  • Amazon denies any knowledge of such a supply chain breach
  • Apple denies all claims made by the article about them
  • It isn't even remotely possible to do what Bloomberg claims with a chip that has only 6 pins/pads. The IO alone would require more than that.
  • The TDP of such a chip would be so high that it would have to be cooled; you can't have a bare chip with no cooling that does anything close to what is claimed.
  • With the process nodes available, it isn't even actually possible to design a GHz+ CPU with multiple cores, RAM, and networking IP in the physical size of this chip. It simply cannot be done.

So I ask you, how can anyone believe an article that makes claims that are not physically possible to create, links to no sources at all anywhere in the article or after it, and whose supposed sources, the ones it names in the article, both deny every claim that was made?

Jordan Robertson and Michael Riley of Bloomberg made up the whole thing as far as anyone can actually tell. When this article came out at first there was big panic, but then as people started looking into it more and found it to be a hoax it damaged Bloomberg’s rep pretty badly.

Interestingly, for me Bloomberg has had a solid reputation for many many years.

I’m not disputing what you say, but while I don’t know much about hardware I do know about software, and with it a single line of code can redirect the process flow dramatically away from where one might otherwise want it to go. So a chip, albeit a small one, engineered in the right place and in the right way, could, I would have believed, open a back door that would otherwise not have been thought to exist.

Regardless, I’m not defending the article, but am just asking about alternatives.

If you've got a good mil surp store nearby they can have network equipment from manufacturers that are DFARS compliant… you’d be pretty lucky if you found any 10GbE equipment there though.

As long as you stay away from Huawei, Inspur and Lenovo gear you will most likely be fine; they have all had “incidents” that permanently got them on the no-no list. I think you would be fine going with HP or Dell gear; both have committed to moving at least a portion of their manufacturing outside of China and have fairly robust security teams that aren’t beholden to an eastern actor.

@twin_savage thanks for the advice

Sounds like the UK. We spend all our time bitching and moaning about protectionism in mainland Europe, and then pay Huawei pennies to build our entire network infrastructure, then go full surprised Pikachu when it’s compromised. We privatised whole sections of our national infrastructure so that they could be run by other countries’ governments instead.

There are companies that have products certified for handling government data. Question is if previously NATO or EU (or any similar national standard) fulfilling hardware can be found for reasonable prices, or used at all.

R&S (Lancom) has prices public, and their smallest model (4x 1Gig) without licenses is 750€.

When your threat model involves “getting bugged hardware from china”, then the price is probably okay. At home, I don’t know man.

Prices will be higher than plastic-box consumer gear!

SOHO-tier gear from reputable manufacturers would put a big brand name behind your security. I think the Sophos XGS series comes with basic licenses that make them fully functional for average SOHO use, though. I can see (and have played myself with the idea of) getting one to familiarize oneself with that system in a home-lab setting.
I am sure Fortinet, Cisco/Meraki, Check Point, etc. have similar offerings.

However: a DIY firewall from random parts with some FOSS firewall OS is probably the same learning-difficulty wise, and probably cheaper. The security that grants you depends.

Only thing made in America is Mushkin RAM and SSDs and I think one other brand

I’m pretty sure their controllers are still Chinese

No way you’ll find something like a hardware firewall

Your only option is to make a FOSS one

As you are looking at OPNSense, I would suggest some generic hardware that fits your performance bill - and remember that single core performance can be important at these speeds with VPNs and FW rules, so consider accordingly.

From a paranoia perspective, I would say the risk is not zero, but extremely low. Choosing anything not specifically targeted as a router will also reduce your risks even further. But put this in context - there are many ways your information leaks as it is - the apps you use, and companies leaking your details. The potential for “rogue chips” is probably bottom of your worry pile!

Personally, I use a Supermicro SYS-E300-9A with several bonded 10Gb connections, crowdsec, and DNS ad-block. The CPU gets up to 20% briefly on occasions. I don’t really hammer a VPN at the moment, but this is still probably overkill…

To add to the paranoia pile: it’s the persistent UEFI rootkits that one needs to worry about on hardware if you are being targeted, or are target-adjacent, by threat actors. It won’t matter what software, open source or not, runs on top of the hardware if it’s being subverted at a lower level than the software is aware of, and it doesn’t even take extra hardware to do so.

It’s not that difficult to mitigate this though: you can dump the UEFI ROM and compare checksums (note the plural, to avoid intentional collisions) against known-good images from the manufacturer.
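One way to do the multi-checksum comparison described in that last post, as an added example that is not part of the original thread and not any vendor's or project's tool: the script below hashes a firmware dump under three different algorithms and only reports a match if every one of them agrees with a known-good manifest. The sample images are constructed bytes rather than a real SPI dump, and the manifest layout (algorithm name to hex digest) is this example's own assumption; in practice the digests would come from the board vendor's published values.

```python
"""Verify a UEFI/SPI flash dump against known-good digests under several
hash algorithms at once, so a forged image would have to collide under all
of them simultaneously.

Added example for the discussion above; not code from any vendor or
project. Sample images below are constructed bytes, not real firmware, and
the manifest format is an assumption of this example.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Several algorithms, as the post suggests: a collision engineered against
# one hash does not help an attacker against the others.
ALGORITHMS = ("sha256", "sha512", "blake2b")


def digests(data: bytes) -> Dict[str, str]:
    """Return hex digests of `data` under every algorithm in ALGORITHMS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def verify(data: bytes, manifest: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Compare `data` against a manifest of known-good digests.

    Returns (ok, problems). `ok` is True only when every algorithm in
    ALGORITHMS is present in the manifest and matches. A manifest missing
    an algorithm counts as a failure, so the check cannot be weakened by
    supplying a manifest with fewer entries.
    """
    problems: List[str] = []
    actual = digests(data)
    for name in ALGORITHMS:
        expected = manifest.get(name)
        if expected is None:
            problems.append(f"{name}: missing from manifest")
        elif not hmac.compare_digest(expected.lower(), actual[name]):
            problems.append(
                f"{name}: expected {expected[:16]}..., got {actual[name][:16]}..."
            )
    return (not problems), problems


def verify_file(path: str, manifest: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Same check for an on-disk dump (e.g. a file written by a flash reader)."""
    with open(path, "rb") as f:
        return verify(f.read(), manifest)


# --- Constructed sample data (not real firmware) ---
GOOD_IMAGE = b"_FVH" + bytes(range(256)) * 4 + b"constructed firmware volume sample"

# A single flipped bit, the kind of change a patched driver would introduce.
_tampered = bytearray(GOOD_IMAGE)
_tampered[300] ^= 0x01
TAMPERED_IMAGE = bytes(_tampered)

# In real use this manifest is the vendor's published digests for the image;
# here it is derived from the constructed good image.
KNOWN_GOOD_MANIFEST = digests(GOOD_IMAGE)


if __name__ == "__main__":
    for label, image in (("good", GOOD_IMAGE), ("tampered", TAMPERED_IMAGE)):
        ok, problems = verify(image, KNOWN_GOOD_MANIFEST)
        print(f"{label}: {'OK' if ok else 'MISMATCH'}")
        for problem in problems:
            print("  ", problem)
```

Two practical caveats when applying this to a real board: a dump taken by software running on a machine whose firmware is already subverted can be lied to, so a dump taken with an external SPI programmer is the more trustworthy input; and a whole-flash dump includes NVRAM variable regions that legitimately change between boots, so the comparison should be made over the firmware volumes (or whatever regions the vendor publishes hashes for) rather than the raw full image.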