Been toying with building a new pfSense rig, just to use newer hardware and something hopefully more power efficient than the current 1U server I'm using.
I figure since this is going to be a scratch build and also facing the internet directly on one side, I want to take hardware-level security into consideration. There's been a lot of talk about backdoors in various hardware and I want to try to avoid those. The biggest one is probably the Intel ME one, which allows remote access, but not many details are known about it and Intel has been rather secretive about how it works, so it's hard to even confirm if it's present. Are there any known ways to perhaps make it so it does not work? For example, if I use a separate NIC instead of the onboard one, and make sure to use a Realtek or maybe even some obscure off-brand, does that make sure the backdoor does not work? There are allegations that there is also a 3G radio in the ME backdoor; has this ever been proven/debunked or is it still unknown? What if I go the AMD route? I have not found many details on the AMD backdoor but did hear they have one too; any more details on that? I found that a bunch of vulnerabilities were found in the CPUs, but it sounds like those require existing system access. Ex: they are not remotely executable. So I won't really worry about those. Is this the case or do they have a backdoor too? Between AMD and Intel, what is going to be more secure? I'm worried specifically about remotely hackable stuff as this will face the internet on one side (WAN interface).
I actually am leaning toward the AMD route, just because everything seems to be cheaper. The motherboards are cheaper and so are the CPUs, and those tend to be the biggest costs of a build. Since I don't need a lot of power I would probably go with an APU. Some are even under $100. It seems with AMD CPUs, you need a separate video card even if the motherboard has onboard video (I learned that the hard way), but the APUs don't. I put a build together on Memoryexpress and was able to get it under $500 without the case, so that's pretty good. Will probably end up building my own case. Rackmount cases are too expensive for nothing and the selection tends to be poor.
In general, just looking for any ideas so I can try to get around the various backdoors found in hardware these days, so I can prevent being remotely hacked. Are there any other backdoors to be concerned about? I know there were some in Supermicro too, but think those ones turned out to be false? Any real proof of this? What about other motherboard manufacturers?
I'm also open to ideas for other solutions like embedded PCs that would have at least 2 NICs, though I'm kind of leaning towards a standard PC build as it's a bit more versatile. I may turn it into a small VM server that will run pfSense and maybe some other network-gateway-related VMs. Though that would bring me into more expensive territory, as I'd have to go with server-class CPUs that have VT-d. Not ruling it out, but probably won't end up going that route, and I'll just install pfSense straight on bare metal.