I would like to look at buying / building a hardware firewall to run OPNsense that supports speeds of 2.5 GB/s (or greater) - this in advance of switching to a > 1 GB/s service from my ISP.
Currently, I am using OPNsense on a box I bought on AliExpress a couple of years back, but it only supports 1GB/s.
Good luck finding those! China made sure it became the manufacturer for the world by (artificially) outpricing everybody else, in particular the West. The only way to get a “China-free” firewall is using an FPGA you program yourself. That is, if your situation/environment validates spending some big bucks for it.
That Bloomberg article is complete BS and has been disproven on many sites.
But just to recap, let’s look at the claims of the article:
A chip the size of a grain of rice / standard SMD resistor
This chip has a CPU with enough “horsepower” to have all traffic run through it on 25gb Ethernet networks without bottlenecking the network, so no one gets suspicious.
The chip not only has a CPU with that much power, but it also incorporates RAM and networking components capable of interfacing with the board. All in the size of a grain of rice.
The chip also must contain code for at least a dozen typical vulnerabilities so that it can gain access on the network it is placed inside and get the stolen data out all on its own.
The chip only has 6 connection points (which means power, ground and IO for the whole thing runs through a total of 6 pins).
Apple found chips in servers they used before this
Amazon found the chips before buying the company Elemental
Now I’ll bring up some points to refute the “facts” the Bloomberg article claims to be true:
Amazon denies any knowledge of such a supply chain breach
Apple denies all claims made by the article about them
It isn’t even remotely possible to do what Bloomberg claims with a chip that has only 6 pins/pads. The IO alone would require more than that.
The TDP of such a chip would be so high that it would have to be cooled; you can’t have a bare chip with no cooling that does anything close to what is claimed.
With the process nodes available, it isn’t even actually possible to design a GHz+ CPU with multiple cores, RAM, and networking IP in the physical size of this chip. It simply cannot be done.
So I ask you, how can anyone believe an article that makes claims that are not physically possible to create, links to no sources at all anywhere in the article or after it, and whose supposed sources mentioned in the article both deny every claim that was made?
Jordan Robertson and Michael Riley of Bloomberg made up the whole thing as far as anyone can actually tell. When this article first came out there was big panic, but then as people started looking into it more and found it to be a hoax, it damaged Bloomberg’s rep pretty badly.
Interestingly, for me Bloomberg has had a solid reputation for many many years.
I’m not disputing what you say, but while I don’t know much about hardware I do know about software, and with it a single line of code can redirect the process flow dramatically away from where one might otherwise want it to go. So a chip, albeit a small one, engineered in the right place and in the right way, could - I would have believed - open a back door that would otherwise not previously have been thought to exist.
Regardless, I’m not defending the article, but am just asking about alternatives.
If you have a good mil-surp store nearby, they can have network equipment from manufacturers that are DFARS compliant… you’d be pretty lucky if you found any 10GbE equipment there though.
As long as you stay away from Huawei, Inspur and Lenovo gear you will most likely be fine; they have all had “incidents” that permanently got them on the no-no list. I think you would be fine going with HP or Dell gear; both have committed to moving at least a portion of their manufacturing outside of China and have fairly robust security teams that aren’t beholden to an eastern actor.
Sounds like the UK. We spend all our time bitching and moaning about protectionism in mainland Europe, and then pay Huawei pennies to build our entire network infrastructure, then go full surprised Pikachu when it’s compromised. We privatised whole sections of our national infrastructure so that they could be run by other countries’ governments instead.
There are companies that have products certified for handling government data. Question is if previously NATO or EU (or any similar national standard) fulfilling hardware can be found for reasonable prices, or used at all.
When your threat model involves “getting bugged hardware from China”, then the price is probably okay. At home, I don’t know, man.
Prices will be higher than plastic-box consumer gear!
SOHO-tier from reputable manufacturers would put a big brand name behind your security. I think the Sophos XGS-series comes with basic licenses that make them fully functional for average SOHO use though. I can see (and played myself with the idea of) getting one to familiarize oneself with that system in a home-lab setting.
I am sure Fortinet, Cisco/Meraki, Checkpoint, etc. have similar offerings.
However: a DIY firewall from random parts with some FOSS firewall OS is probably the same learning-difficulty wise, and probably cheaper. The security that grants you depends.
As you are looking at OPNsense, I would suggest some generic hardware that fits your performance bill - and remember that single-core performance can be important at these speeds with VPNs and FW rules, so consider accordingly.
From a paranoia perspective, I would say the risk is not zero, but extremely low. Choosing anything not specifically targeted as a router will also reduce your risks even further. But put this in context - there are many ways your information leaks as it is - the apps you use, and companies leaking your details. The potential for “rogue chips” is probably bottom of your worry pile!
Personally, I use a Supermicro SYS-E300-9A with several bonded 10Gb connections, crowdsec, and DNS ad-block. The CPU gets up to 20% briefly on occasions. I don’t really hammer a VPN at the moment, but this is still probably overkill…
To add to the paranoia pile: it’s the persistent UEFI rootkits that one needs to worry about on hardware if you are being targeted, or are target-adjacent, by threat actors. It won’t matter what software, open source or not, runs on top of the hardware if it’s being subverted at a lower level than the software is aware of, and it doesn’t even take extra hardware to do so.
It’s not that difficult to mitigate this though: you can dump the UEFI ROM and compare checksums (note the plural, to avoid intentional collisions) against known-good images from the manufacturer.
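An added example of the multi-checksum comparison just described (not code from anyone in this thread): it hashes a dumped firmware image with several independent algorithms and checks each against a manufacturer manifest, so a tampered image would have to collide on all of them at once. The flash dump and the manifest values here are constructed stand-ins; a real dump would come from a tool such as flashrom, and the manifest digests from the vendor's published checksum file.

```python
import hashlib

# Independent digest algorithms; a tampered image that collides on one
# would still have to match every other one (the "plural checksums" idea).
DIGESTS = ("sha256", "sha512", "blake2b")


def firmware_digests(image: bytes) -> dict:
    """Return {algorithm: hexdigest} for a UEFI ROM dump held in memory."""
    return {name: hashlib.new(name, image).hexdigest() for name in DIGESTS}


def verify_firmware(image: bytes, manifest: dict) -> dict:
    """Compare a dump against known-good digests from the manufacturer.

    Per algorithm: 'match', 'MISMATCH', or 'missing' when the manifest did
    not publish that digest (then only the remaining algorithms vouch for it).
    """
    actual = firmware_digests(image)
    result = {}
    for name in DIGESTS:
        expected = manifest.get(name)
        if expected is None:
            result[name] = "missing"
        else:
            result[name] = "match" if expected.lower() == actual[name] else "MISMATCH"
    return result


def image_is_trusted(result: dict) -> bool:
    """Accept only if nothing mismatched and at least one digest matched."""
    return "MISMATCH" not in result.values() and "match" in result.values()


# Constructed stand-in for a SPI flash dump (in practice: the bytes of a file
# produced by e.g. `flashrom -p internal -r dump.bin`).
GOOD_IMAGE = b"\xff" * 64 + b"_FVH" + b"\x00" * 60
# Constructed manifest; real values come from the vendor's checksum file,
# never from the machine under test.
MANIFEST = firmware_digests(GOOD_IMAGE)

if __name__ == "__main__":
    tampered = bytearray(GOOD_IMAGE)
    tampered[70] ^= 0x01  # flip one bit to simulate a modified image
    print("pristine:", verify_firmware(GOOD_IMAGE, MANIFEST))
    print("tampered:", verify_firmware(bytes(tampered), MANIFEST))
```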