[HH] single board computers for use as a router

Tom Metro tmetro+hhacking at gmail.com
Wed Apr 24 18:01:22 EDT 2013


I haven't surveyed the field lately to see whether any of the wealth of
low cost single board computers we've seen released in the last year or
two are well suited for use as a router.

This would mean:

- at least two Ethernet ports, if not also an integrated switch (w/VLAN
  support).

- enough CPU and RAM to comfortably handle a firewall with 50+ Mbps
  throughput, a web admin UI, and run intrusion detection probes.
  (Consumer router hardware falls short on the last item.)

- compatibility with *BSD, which seems to be a preferred platform for
  firewalls. (Again, something the consumer routers won't do.)

- it does not need to easily facilitate wireless. A separate access point
  (or repurposed consumer router) can provide that.


A few years ago you could find hardware that did this (like pcengines.ch
or ubnt.com), but after case and power supply, costs were near $150, and
that was without wireless and the performance wasn't much better than an
ASUS RT-N16 consumer router. Just a bit more RAM and *BSD compatibility.
Plus, the available software was not very turn-key.

Taking another look at those traditional suppliers, it seems prices may
have come down some. Ubiquiti Networks will be releasing in June an
"EdgeRouter Lite" with case and power supply for $100:
http://www.microcom.us/erlite3.html
http://www.ubnt.com/edgemax

But it still uses a 500 MHz MIPS64 CPU (although dual-core, and
supposedly with hardware acceleration for packet processing), which is
not all that different from products from a few years back, and still
only has 512 MB of RAM.

It seems like all the high performance ARM boards we've seen come onto
the market with 1+ GHz CPUs and upwards of 1 GB RAM should give these
older designs a run for their money. More importantly, if the ARM boards
are ubiquitous, chances are good that sizable communities will form
around supporting a wide range of open source software that will run on
them.

The size of the community is quite important when it comes to open
source and security. What motivates my interest in non-consumer hardware
is the waning confidence I have in existing open source firmware for
consumer routers. The nature of their communities does not seem well
poised to deal with security (nor does it seem to be of much concern to
the users).

Projects like Tomato, which started out with lots of promise, have
forked into 3 or 4 branches, with each branch having essentially a
single developer running the show. Not only are you then dependent on
that one developer for future features, you're also dependent on them
for security fixes. It seems like too much for one person.

Compare that to Debian, where they have a big enough community that
there is a whole team that just deals with security issues. (More often
than not, security fixes in Ubuntu are simply patches passed through
from the Debian security team.)

(Then add to that the inability to properly implement intrusion
detection, without adding additional hardware, as a backup for bugs in
the security design.)

In that light, the dressed up Debian version Ubiquiti Networks is
bundling with their hardware actually sounds quite appealing. A
foundation of a distribution with a good security reputation, a turn-key
GUI layered on top to get you set up quickly, and full command line
access to do more advanced things, like install intrusion detection probes.

How effective this is will largely come down to how good a job Ubiquiti
Networks does at passing on the security fixes from Debian. Will that be
sustainable, if you only pay them $100 every 3 to 5 years? (I don't know
what their past reputation is like.)

Is *BSD worth the additional effort? Has it been objectively proven to
be more secure? Does simply having a TCP/IP stack that is in the
minority put you in a slightly better position to avoid a zero-day attack
against the kernel? (Is there a router-oriented distribution built on
*BSD with a web GUI?)

 -Tom


