[0fcf8d3559a64c]

I am sick of having to assume my network hardware is trivially compromised.

What will it take for me to be able to purchase a microkernel driven router/access-point with audited drivers (or Rust based)? I would settle for mediocre performance (ie no gigabit) if I could have some strong security guarantees.

Can I setup Redox or seL4 as home network hardware at this point? Or would the pain threshold still be quite high?

[hpkuarg]

I run an OpenBSD router at home. I'm not sure if that would satisfy your security requirements.

[dehrmann]

> I am sick of having to assume my network hardware is trivially compromised.

I don't have the gateway my ISP gave me on my LAN for this reason. I do have to laugh a little bit about people who use a VPN to hide requests (DNS? Because most of the web is HTTPS, now) from their ISP when their ISP has a device on their network.

[WorldMaker]

Even personally owned hardware has its risks from today's ISPs. DOCSIS standards require every off the shelf cable modem to basically have giant "management" back doors for the ISPs. They can remotely install firmware updates to your modem that you own for "your safety" and there's not much you can do about it.

[nicolaslem]

The tough part in my opinion is the access point. You either have to:

- Put a wireless card in the router, but a lot of them are crap (limited features, not dual band, require closed firmware, not compatible with *BSD...)

- Buy an access point appliance, but most of them are as secure as the Netgear devices of the fine article.

[antsar]

> - Buy an access point appliance, but most of them are as secure as the Netgear devices of the fine article.

1. The AP isn't directly exposed to inbound traffic from the internet.

2. You can put the AP's management interface on a VLAN without internet access and/or use firewall rules to the same effect.

I'm way less worried about the security posture of my AP than my internet-facing router.

[theincredulousk]

Get an enterprise router/firewall.

Also most of these vulnerabilities (as the article points out) are in the web server. If the web server isn't exposed,it isn't of much practical security concern.

I've also run DD-WRT for years with excellent results. Per the usual benefits of open source and active maintainers, it is generally going to (a) have the trivial stuff already addressed (b) keep up to a reasonable extent with security patches.

[user5994461]

>>> Get an enterprise router/firewall.

I would have said the same some time ago, working in networking in a world largely made up of Cisco.

But then a few major vulnerabilities later and blog posts disclosing vulnerabilities that they refused to acknowledge when contacted. Then I'm not sure paying for enterprise equipment is a solution anymore.

[cptskippy]

You seem to imply that by virtue of being a microkernel, an OS will be imbued with magical powers preventing it from being compromised.