WEBVTT 00:00.000 --> 00:15.000 So what is this all about? 00:15.000 --> 00:19.000 It's about the network gear in your typical office. 00:19.000 --> 00:23.000 So it's about the switches, the routers, and the Wi-Fi access points. 00:23.000 --> 00:26.000 It's not about home networks. 00:26.000 --> 00:30.000 I think that's important to stress. 00:30.000 --> 00:37.000 And, well, given that some people may also be in a position to decide on what you do, 00:37.000 --> 00:40.000 there's a short management-level overview. 00:40.000 --> 00:43.000 Then I'll go towards the technical implementation. 00:43.000 --> 00:48.000 And at the end, after the last slide, there are some arguments on why this is a good idea, 00:48.000 --> 00:55.000 in case you need to convince somebody who is allowed to decide on what you do next. 00:55.000 --> 01:00.000 So this is a classical "get the management's attention and have slides to convince them". 01:00.000 --> 01:03.000 Just in case. I'm an entrepreneur. 01:03.000 --> 01:06.000 If I don't manage to convince you, well, that's my problem. 01:06.000 --> 01:15.000 So first of all, I want to celebrate how far we've come. 01:15.000 --> 01:20.000 So looking at FOSDEM, being that old, 01:20.000 --> 01:23.000 and having been there for such a long time, 01:23.000 --> 01:30.000 and then looking at what free and open source software has achieved in the meantime. 01:30.000 --> 01:35.000 Remembering, well, installing Linux from floppy, yes, I'm old. 01:35.000 --> 01:41.000 And now everything is just seamless and works just fine, and this is awesome. 01:41.000 --> 01:46.000 And you do not even need to sacrifice a chicken, 01:46.000 --> 01:49.000 and the moon needs to be just right. 01:49.000 --> 01:51.000 You just have sound on Linux or whatever. 01:51.000 --> 01:53.000 Everything just works. 01:53.000 --> 01:59.000 But there are some things which are still not used that often.
01:59.000 --> 02:03.000 And I'm here to show you how easy it is to run a certain network infrastructure 02:03.000 --> 02:07.000 just with free and open source software. 02:07.000 --> 02:10.000 And your task, should you choose to accept it, 02:10.000 --> 02:13.000 is to copy this and enjoy. 02:14.000 --> 02:18.000 So yeah, the obligatory slide about me. 02:18.000 --> 02:19.000 I'm called Daniel Hilfinger. 02:19.000 --> 02:22.000 I work for the German Federal Office for Information Security. 02:22.000 --> 02:26.000 I'm working on operating system security, firmware security. 02:26.000 --> 02:29.000 I used to do, well, even longer, 02:29.000 --> 02:33.000 so some networks, and there it gets murky. Some people say, 02:33.000 --> 02:38.000 well, for home use, you may be able to install OpenWRT or whatever. 02:39.000 --> 02:45.000 But is it enterprise ready? 02:45.000 --> 02:48.000 So a certain office network has different challenges 02:48.000 --> 02:51.000 compared to a home network. 02:51.000 --> 02:55.000 And the office network stuff needs to work reliably, 02:55.000 --> 02:57.000 or your manager will yell at you. 02:57.000 --> 02:59.000 Your colleagues will yell at you. 02:59.000 --> 03:03.000 Somebody needs to be at fault if things break down. 03:03.000 --> 03:07.000 And you know this old saying, nobody ever got fired for buying 03:07.000 --> 03:08.000 IBM. 03:08.000 --> 03:12.000 Do something similar for, yeah, well, buy that network gear, 03:12.000 --> 03:13.000 yeah, we always bought that. 03:13.000 --> 03:17.000 If you buy the same network gear again, it's okay, it will work. 03:17.000 --> 03:22.000 So I was asked to try this. 03:22.000 --> 03:28.000 Well, more like, hey, well, you do all that open source stuff. 03:29.000 --> 03:33.000 Maybe you want to try doing this with a Wi-Fi network.
03:33.000 --> 03:37.000 So yeah, well, but it's not my normal task doing that, 03:37.000 --> 03:40.000 let's say, yeah, well, in that case, please do it, 03:40.000 --> 03:42.000 because then you have a different view on things. 03:42.000 --> 03:47.000 And I said, okay, cool. 03:47.000 --> 03:51.000 I was a bit hesitant because I was using OpenWRT at home. 03:51.000 --> 03:52.000 It worked. 03:52.000 --> 03:53.000 It was okay. 03:53.000 --> 03:57.000 And I said, yeah, but a large scale like 20, 30, 03:57.000 --> 04:02.000 40, 40 access points, a bunch of switches, routers, etc. 04:02.000 --> 04:07.000 Never did something on that scale before. 04:07.000 --> 04:09.000 So I tried. 04:09.000 --> 04:12.000 And surprisingly, it works well enough, really well. 04:12.000 --> 04:17.000 So the usability is good. 04:17.000 --> 04:18.000 It's pretty good. 04:18.000 --> 04:22.000 If anybody of you has used OpenWRT the last time maybe 10 years ago, 04:22.000 --> 04:25.000 the usability has improved a lot. 04:26.000 --> 04:27.000 Extremely, even. 04:27.000 --> 04:30.000 So it really is on par with commercial offerings. 04:30.000 --> 04:31.000 Reliability. 04:31.000 --> 04:34.000 Well, it hasn't gone down 04:34.000 --> 04:38.000 yet, the infrastructure, so it works. 04:38.000 --> 04:41.000 I generally have no problems. 04:41.000 --> 04:44.000 Sometimes I even forget that this stuff is running, 04:44.000 --> 04:47.000 because it needs no attention, which is good 04:47.000 --> 04:49.000 from an operational point of view. 04:49.000 --> 04:50.000 The features. 04:50.000 --> 04:53.000 Yeah, well, this is a different story. 04:54.000 --> 04:56.000 You lose some, for example. 04:56.000 --> 04:59.000 Some switches have cable test functionality 04:59.000 --> 05:03.000 to find problems in your cables or whatever. 05:03.000 --> 05:07.000 On OpenWRT, which I'm using here, this feature 05:07.000 --> 05:08.000 couldn't be done in software. 05:08.000 --> 05:10.000 So you lose that in that case.
05:10.000 --> 05:15.000 So overall, the choice stays in the same ballpark. 05:15.000 --> 05:19.000 And I think OpenWRT really is enterprise ready. 05:19.000 --> 05:24.000 And some companies are using OpenWRT in various networks. 05:24.000 --> 05:28.000 I know of one deployment which is in excess of 100,000 devices 05:28.000 --> 05:30.000 running OpenWRT. 05:30.000 --> 05:33.000 So you can certainly manage that stuff. 05:33.000 --> 05:34.000 It works. 05:34.000 --> 05:36.000 I'm not going to name company names. 05:36.000 --> 05:38.000 Sorry. 05:38.000 --> 05:39.000 But yeah. 05:39.000 --> 05:42.000 So what were my goals? 05:42.000 --> 05:45.000 COTS is commercial off-the-shelf, just in case somebody 05:45.000 --> 05:47.000 doesn't know that acronym. 05:47.000 --> 05:53.000 So making this network hardware trustworthy 05:53.000 --> 05:55.000 with very little effort. 05:55.000 --> 05:58.000 It's easy to trojanise software. 05:58.000 --> 05:59.000 Pretty much everybody can do it. 05:59.000 --> 06:01.000 YouTube tutorials are out there. 06:01.000 --> 06:05.000 It's pointless even thinking that this would be difficult. 06:05.000 --> 06:08.000 However, trojanising hardware is way more difficult, 06:08.000 --> 06:12.000 because then usually, if you manufacture that as part of a chip, 06:12.000 --> 06:15.000 then all the chips from that run will have the back door. 06:15.000 --> 06:19.000 And then you need a reliable way to trigger that, even if the software 06:19.000 --> 06:22.000 won't necessarily want to trigger that. 06:22.000 --> 06:25.000 Building hardware back doors is way harder, maybe two 06:25.000 --> 06:28.000 orders of magnitude harder than building a software back door. 06:28.000 --> 06:30.000 And the cost is even greater. 06:30.000 --> 06:33.000 So I'm not worried about that much. 06:33.000 --> 06:38.000 And the other goal was to have all the network gear here in our office 06:38.000 --> 06:40.000 run trustworthy free and open source software.
06:40.000 --> 06:43.000 So well, the second goal I didn't achieve, because this 06:43.000 --> 06:47.000 other network here, nobody allowed me to replace the 06:47.000 --> 06:50.000 working enterprise stuff. 06:50.000 --> 06:54.000 But I have my own little network in various places. 06:54.000 --> 06:58.000 So definitions, because we need to be honest and upfront. 06:58.000 --> 07:02.000 Easy installation does not mean open the device, 07:02.000 --> 07:04.000 solder something on, 07:04.000 --> 07:06.000 if the moon is just right. No. 07:06.000 --> 07:09.000 Easy installation means no opening the case. 07:09.000 --> 07:10.000 No soldering. 07:10.000 --> 07:12.000 Five minutes max per device. 07:12.000 --> 07:16.000 Which is otherwise really, you 07:16.000 --> 07:17.000 would probably not do that. 07:17.000 --> 07:20.000 Easy management is not profitable anymore. 07:20.000 --> 07:22.000 That's not your problem anymore. 07:22.000 --> 07:26.000 And because we're having a free network operating system, 07:26.000 --> 07:29.000 you get updates for a long time. 07:29.000 --> 07:32.000 Have no extra cost, because it's just installing software. 07:32.000 --> 07:35.000 And you do not need to do this rip-and-replace 07:35.000 --> 07:37.000 dance if you replace one vendor with another. 07:37.000 --> 07:38.000 So that's good. 07:38.000 --> 07:39.000 It's easy. 07:39.000 --> 07:40.000 It's easy. 07:40.000 --> 07:41.000 Yeah. 07:41.000 --> 07:43.000 I come from a CRA background. 07:43.000 --> 07:46.000 I'm active in cyber security standardisation. 07:46.000 --> 07:50.000 I've seen so much stuff which I want to forget. 07:50.000 --> 07:54.000 Also looking at bugs in operating systems. 07:54.000 --> 07:55.000 Oh my. 07:55.000 --> 07:57.000 You get a complete software bill of materials. 07:57.000 --> 07:59.000 You know what's running on there. 07:59.000 --> 08:00.000 That's good.
08:00.000 --> 08:04.000 It's ecological also, because you do not need to throw 08:04.000 --> 08:06.000 away older gear. 08:07.000 --> 08:10.000 You can use it as long as it's fit for purpose. 08:10.000 --> 08:15.000 And if you're missing a feature, 08:15.000 --> 08:17.000 well, you can still pay somebody. 08:17.000 --> 08:20.000 So this was the very long management part. 08:20.000 --> 08:21.000 Too long, didn't read: 08:21.000 --> 08:23.000 replace the firmware with OpenWRT 08:23.000 --> 08:24.000 on your network gear. 08:24.000 --> 08:25.000 It's secure and works well. 08:25.000 --> 08:26.000 Okay. 08:26.000 --> 08:28.000 End of management part. 08:28.000 --> 08:29.000 So. 08:31.000 --> 08:32.000 Thanks. 08:32.000 --> 08:33.000 So, disclaimers. 08:33.000 --> 08:35.000 I need to read some disclaimers. 08:35.000 --> 08:36.000 I just do so. 08:36.000 --> 08:40.000 I was made to emphasise this is not being used in production. 08:40.000 --> 08:41.000 Not at all. 08:41.000 --> 08:43.000 Officially it's a proof of concept. 08:43.000 --> 08:46.000 Well, it works well, but I'm, yeah. 08:46.000 --> 08:48.000 Officially it's a proof of concept. 08:48.000 --> 08:54.000 And the, well, the operating system I used for this proof of concept was chosen because, 08:54.000 --> 08:55.000 well, 08:55.000 --> 08:56.000 the community is awesome. 08:56.000 --> 09:01.000 It has been proven to be around for a long time. 09:01.000 --> 09:04.000 It's usable and hardware support is pretty good. 09:04.000 --> 09:05.000 The hardware. 09:05.000 --> 09:13.000 Well, I bought quite a bit of hardware, and sometimes installing OpenWRT is not fun. 09:13.000 --> 09:15.000 And you need to solder or whatever. 09:15.000 --> 09:19.000 So I picked hardware where OpenWRT was easy to install and which didn't fail me. 09:19.000 --> 09:21.000 Later, the hardware is, so yeah. 09:21.000 --> 09:24.000 Depending on your needs, you may need something different.
09:24.000 --> 09:29.000 And this is not an endorsement of any vendor, of any hardware, of any software, whatever. 09:29.000 --> 09:30.000 Okay. 09:30.000 --> 09:31.000 And yeah. 09:32.000 --> 09:33.000 Security considerations. 09:33.000 --> 09:34.000 So it's an average office. 09:34.000 --> 09:36.000 It's not your highly secure government 09:36.000 --> 09:37.000 whatever. 09:37.000 --> 09:40.000 You have separate guest Wi-Fi. 09:40.000 --> 09:44.000 If there's wired access, you can just plug in, unless it's in the guest room. 09:44.000 --> 09:46.000 There's only wired guest access. 09:46.000 --> 09:48.000 And yeah. 09:48.000 --> 09:51.000 Network separation with VLANs. 09:51.000 --> 09:56.000 And you should be able to offboard people without changing the Wi-Fi password. 09:56.000 --> 09:57.000 Right? 09:57.000 --> 09:59.000 Because people need to be offboarded all the time. 09:59.000 --> 10:04.000 So I picked WPA3 Enterprise with certificates, which was, well. 10:04.000 --> 10:07.000 So just separate VLANs. 10:07.000 --> 10:08.000 Management with no VLAN. 10:08.000 --> 10:10.000 User network, one VLAN. 10:10.000 --> 10:11.000 Guest network, 10:11.000 --> 10:12.000 another VLAN. 10:12.000 --> 10:13.000 You're done. 10:13.000 --> 10:16.000 And the backend for authentication is RADIUS. 10:16.000 --> 10:18.000 There's a new thing in: 10:18.000 --> 10:21.000 you can talk RADIUS over TLS. 10:21.000 --> 10:22.000 I recommend that. 10:22.000 --> 10:26.000 So you can install radsecproxy, which translates RADIUS to RADIUS over TLS. 10:26.000 --> 10:27.000 That's great. 10:27.000 --> 10:28.000 And they all, 10:28.000 --> 10:31.000 the access points, do the authentication that way. 10:31.000 --> 10:37.000 I have a certificate generation script which just handles OpenSSL. 10:37.000 --> 10:40.000 It creates all those slightly different certificate formats.
10:40.000 --> 10:44.000 Because Windows will want different certificate formats compared to Linux, compared to 10:44.000 --> 10:48.000 NetworkManager Linux versus other Linux variants, 10:48.000 --> 10:49.000 et cetera. 10:49.000 --> 10:50.000 It's not fun. 10:50.000 --> 10:53.000 But I have a fully compact script doing everything in that way. 10:54.000 --> 10:56.000 It's inspired by eduroam, 10:56.000 --> 11:01.000 this Wi-Fi roaming infrastructure from universities, because first of all eduroam is awesome. 11:01.000 --> 11:05.000 Second, they know how to run a network even if people want to break that. 11:05.000 --> 11:07.000 They know that really well. 11:07.000 --> 11:10.000 So I cribbed lots of their docs. 11:10.000 --> 11:14.000 And you could even hook that network to eduroam. 11:14.000 --> 11:16.000 So 40 Wi-Fi access points. 11:16.000 --> 11:18.000 Now there's a long procedure. 11:18.000 --> 11:23.000 Here it also shows screenshots that it's a long list of things you have to do. 11:23.000 --> 11:29.000 Essentially, you go to the OpenWRT webpage and say, OK, I want an image 11:29.000 --> 11:33.000 for this device, add two more packages. 11:33.000 --> 11:36.000 Because the first one makes system upgrades easier, 11:36.000 --> 11:39.000 because it keeps all the configuration and all the software. 11:39.000 --> 11:44.000 And the second one is, well, you want to access this over TLS. 11:44.000 --> 11:47.000 You request the build, takes usually five minutes. 11:47.000 --> 11:48.000 Then you have an image. 11:48.000 --> 11:50.000 And then install that stuff. 11:50.000 --> 11:54.000 Now, installing this, I picked a Zyxel one, 11:54.000 --> 11:56.000 which is easy to install. 11:56.000 --> 11:58.000 Create a separate network. 11:58.000 --> 12:00.000 Use that to flash. 12:00.000 --> 12:01.000 I'm going to skip over that. 12:01.000 --> 12:04.000 Due to time constraints, my apologies for that.
12:04.000 --> 12:10.000 But essentially, you upload a so-called factory image for OpenWRT, 12:10.000 --> 12:16.000 which means the factory firmware on the access point can handle that one. 12:16.000 --> 12:22.000 And for later updates, you use a different image, which is called the sysupgrade image. 12:22.000 --> 12:36.000 And you, well, once OpenWRT is installed, you connect to the OpenWRT 12:36.000 --> 12:42.000 and upload the config files, which will be uploaded after the talk, 12:42.000 --> 12:46.000 where you can just get all the configuration I created. 12:46.000 --> 12:48.000 So you can just copy this setup. 12:48.000 --> 12:51.000 And then set a password. 12:51.000 --> 12:54.000 Obviously, I'm not going to set a password for you, that would be pointless. 12:54.000 --> 12:59.000 And then, after reboot, you can upload, well, change the password, 12:59.000 --> 13:02.000 and then download the config with the changed password. 13:02.000 --> 13:04.000 So you can replicate that over your network. 13:04.000 --> 13:07.000 Use that for all the other new access points. 13:07.000 --> 13:11.000 For the switches, same procedure, but a little bit less complicated. 13:11.000 --> 13:14.000 So, not going to repeat that, would be stupid. 13:14.000 --> 13:17.000 The RADIUS is just the current Debian, unpack the config files, 13:17.000 --> 13:21.000 which are part of the webpage, the first and third page. 13:21.000 --> 13:27.000 And the CA, also unpack a bunch of scripts, so that's simple. 13:27.000 --> 13:29.000 I don't need to tell you how to unpack this. 13:29.000 --> 13:30.000 And then you're done. 13:30.000 --> 13:32.000 Well, not really. 13:32.000 --> 13:37.000 The bigger problem is, you need to have good cables. 13:37.000 --> 13:41.000 Depending on how old your cabling infrastructure is, 13:41.000 --> 13:46.000 you will need to find cables or a socket which are not broken. 13:46.000 --> 13:49.000 Depending on the office building and how old it is.
13:49.000 --> 13:51.000 And you need a new Wi-Fi password for guests, 13:51.000 --> 13:54.000 because you're probably not going to use the default password 13:54.000 --> 13:55.000 I set. 13:55.000 --> 14:01.000 And yeah, there is one big challenge in all of this. 14:01.000 --> 14:03.000 And it's 14:03.000 --> 14:06.000 the resistance to change. 14:06.000 --> 14:10.000 So, you can do this in a small setup. 14:10.000 --> 14:13.000 I picked mostly Zyxel gear, 14:13.000 --> 14:16.000 because it worked and the installation was easy. 14:16.000 --> 14:20.000 You can use pretty much anything which is supported 14:20.000 --> 14:26.000 by OpenWRT, but just make sure you are not going to have to 14:26.000 --> 14:31.000 solder, because, well, soldering is fun, but it doesn't scale. 14:31.000 --> 14:38.000 So, there is one thing which I really would like to say, 14:38.000 --> 14:41.000 which is a huge thank you to all the people 14:41.000 --> 14:44.000 in the open source community working on that. 14:44.000 --> 14:47.000 Because the stuff I was using, I didn't have to develop anything. 14:47.000 --> 14:49.000 It just worked. 14:49.000 --> 14:50.000 This is great. 14:50.000 --> 14:51.000 This is awesome. 14:51.000 --> 14:53.000 I benefit from that. 14:53.000 --> 14:56.000 And that's why I want to express my heartfelt thanks 14:56.000 --> 14:58.000 to all those people working on that. 14:58.000 --> 15:02.000 And so, that's also how I want to conclude, still. 15:02.000 --> 15:05.000 Do you have any questions? 15:05.000 --> 15:06.000 Yep. 15:06.000 --> 15:10.000 How do you keep this software up to date? 15:10.000 --> 15:13.000 I'm going to give you two, like, the current software updates, 15:13.000 --> 15:15.000 or do you just reflash it? 15:15.000 --> 15:18.000 You're going to pull three builds and reflash it, and you probably have an image. 15:19.000 --> 15:23.000 Maybe I can share my... 15:23.000 --> 15:24.000 Sorry. 15:24.000 --> 15:25.000 Oh, you're right.
15:25.000 --> 15:27.000 Repeating the question, obviously. 15:27.000 --> 15:30.000 So, how do you do firmware upgrades? 15:30.000 --> 15:34.000 Is it just reflashing everything or is there a different method? 15:34.000 --> 15:37.000 So, with OpenWRT, current OpenWRT, 15:37.000 --> 15:40.000 this additional package I recommended to install 15:40.000 --> 15:42.000 does this attended sysupgrade. 15:42.000 --> 15:43.000 It's just click, okay. 15:43.000 --> 15:47.000 I want to click attended sysupgrade on the device itself. 15:48.000 --> 15:50.000 Can also do it on the command line. 15:50.000 --> 15:52.000 And say, okay, I want a new image. 15:52.000 --> 15:55.000 Current OpenWRT, keep my configuration, click. 15:55.000 --> 15:56.000 It will tell you, okay, 15:56.000 --> 15:57.000 building an image. 15:57.000 --> 15:59.000 Five minutes later, okay, 15:59.000 --> 16:00.000 uploading the image. 16:00.000 --> 16:01.000 Do you want to proceed? 16:01.000 --> 16:02.000 Click, okay. 16:02.000 --> 16:03.000 Device reboots. 16:03.000 --> 16:04.000 You're done. 16:04.000 --> 16:06.000 So, I think that's pretty comfortable. 16:06.000 --> 16:08.000 That's way better than it was before. 16:08.000 --> 16:09.000 Yep. 16:09.000 --> 16:12.000 What happens if the update fails? 16:12.000 --> 16:14.000 Never had that in the past. 16:15.000 --> 16:16.000 Sorry. 16:16.000 --> 16:17.000 Yeah. 16:17.000 --> 16:18.000 So, what happens if the update fails? 16:18.000 --> 16:20.000 Never happened to me in the past. 16:20.000 --> 16:25.000 But the gear I picked, which is also what the configuration files are presented for, 16:25.000 --> 16:28.000 has good recovery mechanisms. 16:28.000 --> 16:31.000 That's also one of the other things I wanted to address. 16:31.000 --> 16:32.000 Pardon? 16:32.000 --> 16:33.000 Can I stop? 16:33.000 --> 16:36.000 I'll just say, back up. 16:36.000 --> 16:37.000 Back up. 16:37.000 --> 16:38.000 Back up. 16:38.000 --> 16:40.000 Back up.
16:40.000 --> 16:41.000 Back up. 16:41.000 --> 16:42.000 Yeah. 16:42.000 --> 16:44.000 And that also would require a reset button. 16:44.000 --> 16:46.000 You also have a reset button, which can reset the configuration. 16:46.000 --> 16:47.000 So, thank you very much. 16:47.000 --> 16:57.000 Thank you.