PIA spoke with Daniil Baturin, Co-Founder and Lead Architect at VyOS, about network security, the cybersecurity benefits of open-source software, and he gave some tips on securing your home or work router.
Daniil Baturin: The fun part is that VyOS isn’t really new: it’s a fork of an older project named Vyatta Core. Vyatta inc. was a US-based startup. I was its user, then a contributor, then an employee, and finally a former employee who left it to make a fork. Originally, Vyatta used an open core model: open-source and
freely-available Vyatta Core and Vyatta Subscription Edition with proprietary addons. In its last months before getting acquired by Brocade, Vyatta inc. quietly discontinued the open-source version, deleted the “Hackers” section of the forum with all its content (including a lot of community-made patches they never merged), and finally took down the git repo server with its source code.
I used Vyatta for my own home router and my lab, and so did many of my friends from the community, and I couldn’t imagine it just going away, so together with other community members we took the last public source code and picked it up where Vyatta inc. left it. That’s where the letters “Vy” come from in VyOS.
What was special about VyOS that other projects didn’t have was its support for a wide range of use cases, from small office (web proxy, DNS forwarding) to enterprise and service provider (dynamic routing), its excellent CLI with system-wide config validation, and its open-source license and extensibility.
We are taking that vision to new heights. Our slogan is “the universal router,” and we intentionally focus on under-served audiences: for example, we support all major cloud platforms and hypervisors while proprietary alternatives usually focus on the largest ones. We were one of the first to support WireGuard and still one of the few who support site-to-site OpenVPN as a first-class entity.
Most importantly, VyOS is not only open-source in the sense that people can download its source —- our build scripts are public and easy to use, our APIs for adding new features to the config/CLI are public and stable, and we accept contributions from the community. We are building a network OS we want to use ourselves.
DB: It depends on the definition of “working with”. Most of our LTS release users — our paying customers — are businesses. Our business model is charging for access to prebuilt LTS images and for support, much like that of RedHat, and that’s geared towards corporate users.
There are many individuals who use VyOS — network geeks who run it on home routers or build home labs, or people who study networking. They either use the rolling release, or they can get LTS images for free if they are contributing to VyOS, or for a small donation on OpenCollective. VyOS, a network OS platform, is our main and, as of now, the only product. Most customers like it for its flexibility and wide range of features that allow them to use it in multiple different roles. However, it’s our unique feature that it’s possible to use VyOS as a foundation for custom solutions and adapt it to custom hardware or environment or integrate new components into it as if they were always a part of it. That’s less popular yet, but we think there will be more companies who want to use VyOS that way in the future.
We also plan to introduce additional software to help people manage large networks based on VyOS and other network devices.
DB: We were at the forefront, if not to say at the frontier of remote work and distributed teams from the start, simply because all community members who eventually joined the VyOS company were already all in different places. The way we access networks hasn’t really changed since we never had a classic network with a well-defined perimeter. When there’s no sharply-drawn line between “inside” and “outside”, it’s hard to have an illusion that protecting the perimeter is all you need. All networks always needed a comprehensive approach, it’s just that only in recent years it became impossible to do things the old way.
DB: At the very least, you can personally verify that there are no intentional backdoors. It’s more complex with vulnerabilities, of course — if being open-source was enough, bugs like Heartbleed or Log4Shell couldn’t have happened. Still, cases of intentional backdoors discovered in proprietary software are much more common.
But being able to modify the software and build from source is even more important in the long run. With open-source software it’s possible to make an in-house fix or apply a patch without waiting for the vendor to provide official release binaries. It’s also possible to fork a project and take over its development if the original vendor abandons it, as happened with VyOS. A fork is a last resort option, of course, but it’s important that there’s a path forward even in the worst case.
DB: Aren’t they already? Well, maybe not as widespread as they should be. It’s important to remember that it’s just one part of the solution and that “I have a VPN tunnel on” isn’t a guarantee of either privacy or security. It’s also important to understand what exact threats you are trying to prevent. For example, split tunneling is a big advantage for performance and bandwidth saving, but it can be a serious weakness if attackers are actually listening to all your traffic. A laptop that is using DNS servers issued by a rogue router is also vulnerable to more threats — if an attacker can deceive you into sending traffic to a malicious server, it doesn’t help that the connection to that server is secure. VPN is a great tool, but like every tool, it should be used correctly and as a part of a comprehensive security approach.
DB: The usual suspects aren’t going anywhere! Many people still think their routers aren’t attractive targets unless they are prominent enough to receive a targeted attack on your home network. In reality, they are very valuable assets for botnet operators and also good entry points for automated attacks on even more valuable targets inside the network. Another reason to target a router is that end users rarely interact with them and the internals are often intentionally hidden behind a web UI, so it’s much harder to spot a compromised router than a compromised PC, so one may discover that attackers have been intercepting their traffic and stealing their data for months or even years already.
But since a personal router is usually is a standalone device, attackers are limited to classic vectors: remotely exploitable vulnerabilities, credential theft, and password guessing. Protection against them is also common wisdom: keep your software up to date, use strong and unique passwords or other authentication methods, and make brute force attacks harder by traffic filtering or rate limiting.
Unfortunately, the software update part is often easier said than done. Enterprise routers have a long life cycle and receive updates for years or even decades, but consumer routers are still treated like throwaway devices — many companies never release any updates, and there were many cases when sloppy programming created unintentional backdoors. Even if vendors do make updates, they rarely do a good job communicating it to users: where to get those updates, how to apply them, and why they are important. On top of that, many ISPs still prevent people from using their own routers and millions of home routers become e- waste when people switch ISPs.
Now that hardware is getting much more expensive, we believe that a sustainable and secure approach will be the only economically feasible one and home routers will become long-lived devices, chosen and controlled by customers. It still will be important to educate customers about network security, but at least they will have means to follow recommendations, while now they are often at the mercy of router manufacturers and ISPs.
Leave a Reply
Your email address will not be published.
Note that any programming tips and code writing requires some knowledge of computer programming. Please, be careful if you do not know what you are doing…