Snort on home routers - what a great idea

Summary: Itus Networks is building a router that has the Snort IPS built in. Why isn't everyone doing this?


Because they are willing to spend money, businesses typically get a higher level of network security than consumers. The typical home broadband setup has a simple router, perhaps with integrated wi-fi, and then it's up to the client systems to protect themselves.

One of the standard items you'll find protecting the network of any medium-size or large organization is an IPS (Intrusion Prevention System). This is a device — in fact it's software, often running on a dedicated device — that monitors traffic going in and out of the network, looking for the "signatures" of certain known attacks.

Many of the big networking companies like Cisco and Juniper sell these products. As new attacks are detected on the internet, engineers write signatures for IPS products so that they can detect the attacks. It's something like malware and anti-malware scanners.

There is an excellent, free and open source IPS called Snort. It was written in 1998 by Martin Roesch, who founded Sourcefire to make commercial products based on Snort. Sourcefire is now owned by Cisco. But Snort is still a top-notch and famous open source product with an active community.

When Jock Breitwieser and Daniel Ayoub founded Itus Networks they were surprised to find that nobody had thought to integrate Snort into a home router. So that's what they did: they made the iGuardian.

When they told me about it I had the same thoughts they did: What a great and, in retrospect, obvious idea! Why isn't everyone doing this?

Well, they're not, but the iGuardian does. So to the iGuardian itself: Itus is launching it through a Kickstarter campaign and priced the unit at $149 for now. The eventual retail price is listed as $179. As I write this they have 305 backers, pledging $44,711 of their $125,000 goal with 27 days to go. Depending on what you pledge you can get a thank you all the way up to multiple units, early access to beta ROMs, an iGuardian hoodie and more.

The device is not a router as such, but a simple pass-through unit that can operate at either level 2 or 3. At level 2 you would place it between your internet entry point (such as the Ethernet out of your cable modem) and your router. At level 3 you could configure it as a router itself. See an image of the prototype below.

[Image: iGuardian prototype, 5.25"l x 1.5"h x 1.75"w]

For the consumer market the level 2 configuration is the right one as it is completely set-it-and-forget-it. If it's working correctly you won't know it's there. (Of course, if it's not working you might also not know it's there, but there are ways of dealing with that.)

The first, and main, barrier to entry for Itus is convincing consumers to pay $179 for a box that silently makes their network more secure and which they otherwise shouldn't notice. I have to think that this isn't going to be an easy sell. IT people who understand the value of Snort would be a comparatively easy sell, and perhaps many will be sold to consumers who know a techie that tells them they need this thing.

A little box like this isn't going to do everything that a business-grade product costing many thousands of dollars does. For instance, it can't check encrypted traffic. At the cost of a certificate and some management complexity, a more capable device can proxy TLS/SSL traffic and monitor it too. The iGuardian has neither the capability nor the horsepower to do so, but even if it did, the configuration would likely be too much for consumers. But it's only the first generation; perhaps these problems can be solved in later versions.

It has other problems in the home market, but the main one I think is the rise of integrated endpoint routers from ISPs. I'm a Verizon FIOS customer, and the router Verizon provides, a custom job by Actiontec, takes its internet signal from a coax cable that comes from the Verizon ONT (Optical Network Terminator). This prevents me from putting anything at level 2. I happen to know that there is an Ethernet interface on the ONT and it's possible to drill another hole in my house, move some wires around and solve the level 2 problem, but I don't expect many consumers to do this. I understand some cable modem companies do the same.

It's a real shame because Snort at the home internet connection is a great idea. I wish them success, but I think Snort will only come to home networks when it comes on something people already have to buy, like their wi-fi router. Perhaps the ISPs should look at iGuardian as the sort of thing they should be providing to their customers. It would save the ISPs and their customers a lot of trouble.


Talkback

12 comments
  • Why it will never happen.

    First, it could easily, as most consumer routers have the ability to handle the extra software of the basic version you describe. But it will not happen, and it is for a surprising reason.

    It's the "air bag dilemma". Car companies put safety equipment like airbags in cars on the premise (and government mandate in most cases) that in 99% of accidents they will at least help in preventing injuries or death. Sounds good, and you would think that the fact that they are FORCED to do so would shield them from liability. But NO!

    Accident happens, someone ends up with something that looks really sympathetic to a jury, hires a P.I. lawyer and pulls the slot machine handle. Nothing, even the government mandate, test results, anything prevents them from cashing in. One fallacy of our current tort system is it is really not "innocent" and "guilty" or "liable" and "not liable", it is simply who plays the best game in front of either an overworked judge or a bunch of people who honestly would rather be doing ANYTHING (well, almost anything) else but be there.

    Would be the same here. Someone buys a "super-secure router" with "protection from incoming threats" plastered all over the box. Then they get hacked (probably because now that they had the fancy-super-duper new router they went back to their porn-surfing ways) and, just like the one who thinks the 16 airbags and five extra belts and all makes it possible to turn the interstate into the Indy 500, the inevitable happens. Then off to court they go. And even worse, so the lawyer can make more money (screw the one who got "hurt" by their own stupidity) they get it declared a "class" so EVERYONE who bought the router is in it.

    In the end, the router manufacturer determines (with the help of their own lawyers) it is safer for them just to stay out of it. Sad.
    jwspicer
  • jwspicer: "protection from incoming threats"

    Why hasn't a security-related class action lawsuit happened already, then? Most routers include firewalls that provide "protection from incoming threats". Linux-based firewalls use iptables and FreeBSD-based firewalls use pf, both with default rules provided by the router manufacturer.

    There have been class action lawsuits against both Belkin and Netgear, as examples, but neither were related to security fails.

    The biggest security problems with routers, especially for consumers, are password- and update-related. Many users either don't change the default router password or use a poorly crafted password if they do change it. And, more often than not, router firmware updates are not applied by the user.

    P.S. I like the idea of Snort being built into a router in addition to a firewall. Especially if the manufacturer provides an easy way to update to the initial rules.
    Rabid Howler Monkey
    • +1 ISP

      "I like the idea of Snort being built into a router in addition to a firewall. Especially if the manufacturer provides an easy way to update to the initial rules."

      The ISP is in the ideal position to implement that part of things - it would be trivial to push updates down to devices over a secure encrypted connection.

      The problem I see is that most home users know so little about security they aren't even aware when they get hacked, and plenty operate machines for years with malware or even viruses resident on their systems. Enterprise know the risks and implement systems because they employ security experts with deep understanding of this stuff, but your average consumer? Surely that's what their antivirus is for, right?

      I also don't see ISPs taking to this easily for the same reason they don't run these systems in their networks *before* traffic reaches their customers.
      TrevorX
      • Home Insecurity

        @TrevorX : I couldn't have said it better: "...most home users know so little about security they aren't even aware when they get hacked..."

        This is a good argument for ISPs to take on this responsibility, but what is the "the same reason [ISPs] don't run these systems in their networks *before* traffic reaches their customers"? The only reason that I can think of is "what's in it for them?" Perhaps Comcast could use snort as yet another excuse to raise their rates.
        S_Deemer
    • If you like the idea

      Then you could get a router and put OpenWrt on it (check hardware compatibility first). You can run snort on it.

      I've found the Linux-based router distros like OpenWrt are far superior to the generally crummy factory firmware options from the usual suspects like D-Link, NetGear, etc.
      TehBlahb
  • pfSense

    This sounds like a hardware version of pfSense, which can do routing, IPS/IDS, http caching proxy, and more. I'm all for it, but the average consumer isn't going to buy it for Layer 2 security. The average consumer will only be convinced if he can buy it instead of another wireless router.
    technojoe
  • Coax Snort

    Is there any reason that a coaxial cable version wouldn't be implementable, for those home users (like myself) who don't have access to level 2 in CAT5? Unless what's passing through the coax is hugely different from the IP packets passing through the CAT5, I don't see why it wouldn't be doable.
    rocket ride
  • They must be kidding!

    I wouldn't even begin to pay $149, let alone $179. I might think about $79, but not for long. $49 is getting close to acceptable, but I probably wouldn't go there either. Why not refrain from the typical new product attempt to gouge the consumer for a change, and make it more like $19.95? Then I might seriously consider it.
    elffuts
    • Then you're not the target market for it

      Stuff costs $$$$. You may feel it should be $19.95 but consumers are happy to splurge $150.00 on a box that they plug in and get magic internet from it through the air.

      At this point we've no idea as to how much this thing costs to build, but I'm thinking it's more than $19.95. Granted I don't know, but then, neither do you... Just because you set an arbitrarily low price doesn't make it right.

      If the right marketing is behind it I think that it'll do well in the $129.99 and upwards range. Who knows, with the right marketing this lil' pig may find its way into your house before you realize it...
      Lost In Clouds of Data
      • You may be right...

        I agree; I have no idea how much it might cost to make it. But it looks like a cheap hack job in the photo. I hope that's just a hand-made prototype for initial concept testing purposes. If you want to spend over $100 for it, I won't care. But, I'll spend my money elsewhere.
        elffuts
  • HTTPS?

    A lot of money to pay for a box that doesn't seem to give any indication it's working or not.

    I have a FF addon that tries for HTTPS connections whenever possible. Does it check HTTPS traffic or is that considered "encrypted"?
    MostlyH
  • HTTPS!

    SNORT will just break HTTPS traffic and we're back at square one. SSL saves everybody from snooping, at least against MITM attacks.
    Martmarty