Who we are and what we do
● CZ.NIC is the operator of the .CZ TLD
● Not-for-profit organization
● Projects for the good of the Internet
● BIRD routing daemon, Knot DNS server
● DNSSEC plugins for browsers, security research
● and much more...
● We run the Czech national CSIRT team
● Everything we do is open-source
What is project Turris
● Security research in SOHO networks
● distributed anomaly detection
● distributed measurements
● centralized security management
● Router as a security probe and protection
● Introduce new technologies to SOHO networks
● DNSSEC, better IPv6
● OpenWrt + custom hardware
Current status
● Started in 2013
● 1000 routers given to volunteers for free in 2014
● 1000 more now in process of distribution
● Highlights
● 10 large automatic updates, including major OpenWrt version
● malware in LAN caught in >20 cases
● botnet of more than 20,000 ASUS routers found
Output
● public global statistics
● IPv4/IPv6, most attacked port, attacking countries,...
● more stats available to individual users
● greylist of suspicious IP addresses
● portrend – ports blocked on firewalls
● everything is on https://www.turris.cz/
Hardware for project Turris
Turris 1.0 Turris 1.1
Hardware highlights
● P2020 dual-core PPC @1.2 GHz
● 2 GB RAM in SO-DIMM slot
● 5 Gbit LAN ports + 1 Gbit WAN port
● 16 MB NOR + 256 MB NAND flash
● 2 miniPCIe slots (one used by Wifi)
● Integrated debug console with FTDI chip, dimmable LEDs :), ...
Made in Czech Republic
Turris OS – our fork of OpenWrt
● Automatic updates
● Different partition setup (no SquashFS, everything updatable)
● Basic software changes
● Virtually no space constraints
● Unbound as default DNS resolver - DNSSEC support
● OpenSSH instead of Dropbear
● Foris – our simple set-up wizard
● Finer control of released versions
How we work
● We follow upstream
● with some delay
● SVN + GIT do not mix that well :(
● We try to push stuff to upstream
● with mixed success – hope to improve that
● We test on machines and people
● Lava, considering BoardFarm
● Tiered distribution of updates
What we can offer
● Updater – our system for automated updates
● Majordomo – statistics of LAN devices traffic
● NUCI - NETCONF interface to UCI
● experience with DNSSEC on SOHO device
● Specific hardware support
● https://github.com/CZ-NIC
Turris Omnia (aka Lite)
● Demand for Turris outside Czech Republic
● First publicly available Turris
● No need for profit
● Router designed for geeks
● Built for and shipped with OpenWrt
● Open hardware
Omnia – hardware details
● SoC Marvell Armada 385 @ 2 x 1.6 GHz
● 1 GB RAM
● 4 GB eMMC + 8 MB NOR
● 5 + 1 Gbit port + SFP
● dedicated line for WAN port + SFP
● 2 lines between CPU and switch chip
Omnia – more hardware details
● 2 x USB 3.0
● 3 x miniPCIe (one switchable to mSATA)
● optional wifi in 2 slots, SIM slot
● RTC chip with battery backup
● Cryptochip for better entropy in RNG
● Dimmable programmable RGB LEDs
● 10x GPIO, 2x UART, SPI, I2C on pinheader
Omnia - benchmarks
[Figure: two bar charts, "MD5 benchmark" and "AES-128 benchmark", comparing Turris Omnia and Project Turris with other devices, including TP-Link TL-WDR4900 v1, Gateworks Ventana GW5104, Linksys WRT1200AC, Raspberry PI 2 Model B, Wyse R90L ThinClient and Northstar Prototype. Chart note: extra acceleration off in Omnia.]
Omnia - status
● First prototype running with bugs to fix
● Second prototype in November
● 1300 routers preordered (non-bindingly) on our website
● Indiegogo campaign in preparation
● Manufacturing in Q1 2016
● Would you like one? https://omnia.turris.cz/
Here we are...
We love OpenWrt!
Talk to us and let's find the best way to cooperate