On 10/13/14, Travis Biehn <tbiehn@gmail.com> wrote:
... Interested in update mechanisms, interdiction resilience, trusted boot, web / other interfaces.
These devices just change and expand your threat surface.
Back in 2007/2008 we launched the Janus Privacy Adapter devices, first on dual NIC gumstix, then on the now defunct Yoggie Gatekeeper Pro hardware. Both of these had a minimal footprint, two ethernet jacks for transparent proxy in-line, and power via USB. Updates deployed via hidden service, or yourself via command line ssh. The attack surface (on device) was minimal, as the control port was not exposed to the network, etc.

Client risk is another story, considering untrusted exit relays and insecure protocols. For this reason we applied a number of band-aids blocking known risky ports. This is not an effective approach, and EPICFAIL shows how a single request not behind Tor proxy unmasks perfectly.

Best case you would use a Tor Browser on each of the hosts behind the privacy appliance in transparent proxy mode (e.g. TOR_TRANSPROXY=1 before launching) and block any other application or service from communicating over the network. This significantly impairs functionality, however.

As also mentioned in the article, there have been other variations on this theme, with more or less robust security posture on device and for the users behind. Many of these considerations are outlined in the transparent proxy page: https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy

best regards,
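As an added illustration (not part of the thread, nor the Janus or Tor projects' own code) of the "transparent proxy plus block everything else" posture the message describes, the script below generates a torrc fragment and an iptables ruleset for an in-line middlebox of the kind documented on the TransparentProxy wiki page: client DNS and TCP arriving on the inside interface are redirected into Tor's DNSPort and TransPort, and the box's own OUTPUT and FORWARD chains default to DROP so that only the tor process can reach the network, closing the single-unproxied-request leak the message warns about. The port numbers (9040/5353), the tor uid (`debian-tor`), the inside interface name (`eth1`) and the virtual address range are assumptions to adjust locally; the rules are emitted as text so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the torrc fragment and
# iptables ruleset for a Tor transparent-proxy middlebox with default-deny
# egress. All values below are assumptions; adjust to the local setup.

TRANS_PORT=9040      # torrc TransPort (assumed value)
DNS_PORT=5353        # torrc DNSPort (assumed value)
TOR_UID=debian-tor   # uid the tor daemon runs as (assumed)
LAN_IF=eth1          # inside ethernet jack of the in-line appliance (assumed)
VIRT_NET=10.192.0.0/10  # range Tor maps .onion names into (assumed)

# torrc fragment the ruleset expects: tor must listen on all interfaces
# so that REDIRECTed client traffic from LAN_IF reaches it.
gen_torrc() {
  cat <<EOF
VirtualAddrNetworkIPv4 ${VIRT_NET}
AutomapHostsOnResolve 1
TransPort 0.0.0.0:${TRANS_PORT}
DNSPort 0.0.0.0:${DNS_PORT}
EOF
}

# Emit the iptables commands as text. Review, then apply with: gen_rules | sh
gen_rules() {
  cat <<EOF
# --- NAT: steer client DNS and every new TCP connection into tor ---
iptables -t nat -A PREROUTING -i ${LAN_IF} -p udp --dport 53 -j REDIRECT --to-ports ${DNS_PORT}
iptables -t nat -A PREROUTING -i ${LAN_IF} -p tcp --syn -j REDIRECT --to-ports ${TRANS_PORT}
# --- INPUT: clients may only talk to tor's two listeners on the inside jack ---
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ${LAN_IF} -p tcp --dport ${TRANS_PORT} -j ACCEPT
iptables -A INPUT -i ${LAN_IF} -p udp --dport ${DNS_PORT} -j ACCEPT
# --- FORWARD: nothing is routed around the proxy ---
iptables -P FORWARD DROP
# --- OUTPUT: default deny; only the tor process may leave the box ---
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner ${TOR_UID} -j ACCEPT
EOF
}

# Sanity check on the generated policy: every chain must default to DROP,
# otherwise a non-tor process or a routed packet could bypass the proxy.
check_default_deny() {
  rules=$(gen_rules)
  for chain in INPUT FORWARD OUTPUT; do
    echo "$rules" | grep -q "^iptables -P ${chain} DROP\$" || return 1
  done
  return 0
}

if [ "${1:-}" = "torrc" ]; then gen_torrc; fi
if [ "${1:-}" = "rules" ]; then gen_rules; fi
```

Run `sh transproxy.sh torrc >> /etc/tor/torrc` and `sh transproxy.sh rules | sh` (as root) on the appliance; `check_default_deny` returns non-zero if any chain's policy is not DROP. Hosts behind the box can then run Tor Browser with `TOR_TRANSPROXY=1` as the message suggests, and any other process that tries to reach the network is either steered into tor or dropped at the box.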