SPR : A Secure Programmable Router
SPR lets users run security-hardened networks without restrictive draw-backs by providing adaptive micro-segmentation with flexibility.
SPR is a new type of router, designed to be immune to network attacks that enable devices to breach laterally across networks which separates it from other networking technology. SPR addresses WiFi in particular, as it typically has weak security properties that SPR corrects through robust, defense-in-depth features. It also supports
VLAN Tagging for wired devices and
Wireguard™ VPN clients.
The Network Design
The firewall drops forwarded and input packets by default. Devices are explicitly configured for communicating to the internet, accessing DNS, or intranet communications.
Device identities are established via unique wifi passphrases, VLAN tagging on wired devices, and VPN keys. This creates a high source of confidence about how traffic is routed.
Each device on the network is isolated into its own private network, and devices send traffic through the router to communicate.
How does this perform?
There is a negligible latency tradeoff when devices do not directly communicate on local networks. The router arbitrates communication between devices for better control. The verdict maps, similar to ipsets, provide scalable rules without an exponential number of firewall rules that make traditional firewall rules prohibitively slow.
Best of class WiFi features
Each device is given a unique WiFi passphrase to block traffic interception, injection, and rogue AP attacks that are otherwise possible with WiFi. Devices have unique group encryption keys and each device connects with an individual VLAN and virtual interface. SPR is also the very first project to support multiple passphrases with WPA3 on the same SSID.
What about Enterprise WiFi Security?
Among authentication suites, EAP-TLS is a recommended best practice and creates valid security properties. However, it requires installing certificates on devices which is not possible with many IOT or locked down devices, limiting the ability to harden their access. Rather than create MAC bypass holes, SPR uses the most commonly supported schemes that are universal to all wifi capable systems. Another common authentication mechanism is EAP-PEAP however this suffers from long standing MITM issues as PEAPv2 with channel binding to stop attacks was never formally adopted or fully supported by the industry; the PEAP relay attack applies after secure authentication has happened.
Zeroconf and mDNS are both prevalent and a requisite for home networking. However, these require being on the same subnet to work or a router that supports IGMP forwarding or a proxy. SPR has a userland proxy to transparently relay multicast traffic between devices and across network interfaces. The firewall supports configuration for how to use multicast
Transparent and Modifiable
SPR is built as an open source project. It is built to be developer friendly and allow iterative development without reflashing or reinstalling.
Containers make it simple to build the code from scratch or run prebuilt images. The containers split network services up by functionality and are orchestrated with APIs. SPR is built to run as a WiFi router, but it can also be launched as a standalone VPN & DNS Service within a virtualized network namespace.
Sound Software Selection
SPR is built mostly with golang and a react frontend. Where possible, memory-safe languages with good security track records are preferred over native code such as C or code that is difficult to write securely, like PHP.
The Service Listing
The following services are currently included with SPR:
- api ⇨ API for frontends and CLIs to manage connected devices, network groups, and firewall rules
- base ⇨ Networking initialization and configuration at startup
- db ⇨ Database key/value store
- dhcp ⇨ DHCP Server
- dhcp_client ⇨ DHCP Client for requesting IP addresses from uplink
- dns ⇨ DNS Service, running CoreDNS
- multicast_udp_proxy ⇨ A multicast proxy to support multicast networking for usability
- packet_logs ⇨ NFLog packet log emitter
- ppp ⇨ A Point-to-Point protocol service for authenticating and requesting IP addresses from uplink
- superd ⇨ Daemon to manage docker comms and restarting SPR
- wifid ⇨ Wifi Base Station Service, running hostapd