Security Upgrade of x86 Router for Certification Compliance 

Client 

A leading service provider of IT infrastructure and security solutions.  

Challenge 

The client approached us to test and upgrade their custom x86 network router to ensure compliance with security standards. They needed to address specific requirements and pass rigorous certification tests to obtain the necessary compliance certification. 

The network router should perform various tasks: 

• Provide a secure and encrypted connection for all traffic.  
• Block unencrypted connections.  
• Split traffic from multiple connections.  
• Work with VPN and Tor Network. 
• Change IMEI.  
• Provide a secure proxy. 
• Support residential and data-server proxy.  
• Provide fingerprint authentication.  
• Implement hardware encryption acceleration for high-speed communication. 

Solution 

To solve the client's problem, we used OPNsense, a robust firewall and open-source routing platform based on FreeBSD. OPNsense secures the network with regular weekly security updates.  

During the implementation phase, our team addressed non-compliance issues by reconfiguring software, writing scripts and developing software patches. To ensure the highest level of security, we conducted thorough testing based on IP Security (IPsec), Transport Layer Security, Domain Name System Security, Security Shell, WPA (WiFi Protected Access) and Kerberos protocols. 

The customer's network router was an x86-based, OpenWrt-compatible, and it had with the following specifications: 

• GPON port, 
• POTS port for telephone, 
• 4 LAN ports Gigabit Ethernet, 
• 1 WAN port Gigabit Ethernet, 
• WiFi 6e (5.925–7.125 GHz) 
• WiFi (2.4 GHz and 5 GHz). 

In converting this x86 router into an OPNsense router, we took the hardware features of the original device and extended it with the OPNsense platform. 

Our engineering team tested Transport Layer Security (TLS) by using the following test benches provided by our client: 

• IPsec Test Bench evaluated the implementation and functionality of IPsec protocols and components. It included testing secure communication between devices, verifying secure connections, encryption/authentication, key exchange, and resistance against known attacks. 
• TLS Test Bench assessed the implementation and behaviour of TLS protocols for secure network communication. It included tested handshake processes, secure data transmission, certificate handling, and resistance against vulnerabilities like protocol downgrades or renegotiation attacks. 
• DNSSEC Test Bench evaluated DNSSEC implementation within DNS. It included verified signing of DNS records, a chain of trust establishment, secure DNS response validation, resistance against attacks like DNS cache poisoning, and tested interoperability with DNSSEC-enabled clients. 
• Security Shell Test Bench assessed security shell implementations' functionality and security features (e.g., SSH). We tested secure remote login, file transfer, port forwarding, authentication mechanisms, encryption algorithms, and resistance against SSH attacks. 
• WPA Test Bench evaluated the implementation and security of Wi-Fi networks with WPA protocols. It included verification of secure connections, authentication mechanisms, encryption algorithms, key management procedures, and resistance against brute-force or dictionary attacks. 
• Kerberos Test Bench assessed the functionality and security of Kerberos authentication and authorization protocols. We tested ticket issuance, authentication, authorization processes, encryption algorithms, secure ticket exchange, and resistance against common Kerberos attacks. 

We also provided our client with comprehensive reports:  

1. Initial diagnostics. The report covered the compliance and non-compliance aspects of the router, highlighting the areas that need to be improved to meet the required standards.
2. An upgrade report describing the upgrade work done with entire process, specific changes and enhancements made to address the non-conformance issues identified during the initial diagnosis.
3. Test and review results. This section records the results of IPsec, TLS, DNSSEC, Security Shell, WPA, and Kerberos tests.

Business Value 

As a result, our client received a network router that complies with security standards and managed to successfully pass all the tests and receive a security certificate.  

With OPNsense, the upgraded network router uses fingerprint authentication, authorisation and encryption mechanisms. Now, the device has extra security features: VPN and Tor connectivity, changing IMEI, a secure residential and data-server proxy, and hardware encryption acceleration.