
Yoggie Open Firewall SOHO


This How-to applies to: All
This How-to is intended for: Desktop Power User, Server Administrator

A brief review of Yoggie's new (Open Source) mini-linux box / firewall product

You may have noticed a couple of news articles from Yoggie over the past months, indeed we've had hardware from them previously to review .. however this is the first kit we've seen that's "for" Linux rather than something that's been made "for" Windows, "from" Linux. Certainly a step in the right direction!

What is it?

Essentially it's a very small ARM powered PC with 128Mb of RAM, 40Mb of flash disk and two ethernet ports .. and there's space for an SD slot for extra flash. (which I'm told is "coming")

Apparently there is 128Mb of disk and the SD slot is there .. part of the disk is unformatted and the SD card slot does not come with kernel drivers enabled by default ..

Why is it interesting?

Ignoring the hype and press-releases just for a second (as they can be confusing) it all comes down to 'bang for your buck'. Essentially you get a complete Linux computer for (currently) $79, or $99 when the special offer runs out. At $79 there are many things you could just about justify using the kit for, which makes it interesting .. at $99 it becomes more difficult so whether they push the price up might be make or break for them - we'll see!

The Good!

Ok, it's billed as an "Open Firewall" platform and indeed the hardware is well suited. The CPU is pretty nippy and there's enough memory and "disk" to host a firewall application and do the business with regards to routing and packet filtering. (and then some!) In fact, I could see many applications for this device, number one being a platform for OpenVPN. At the moment I need to carry secure VPN keys around on my laptop, and being the size it is I'm often having to leave it in the boot of my car - not a preferred solution. If I need to access the VPN without my laptop I'm a bit stuffed as loading keys onto a foreign machine is rather .. insecure!

Enter Yoggie!  You could run OpenVPN on the device and store the keys on the device .. which would make it ideal for carrying around instead of a laptop. You could then VPN enable *any* machine simply by plugging the machine into it .. and when you take the Yoggie away, any remote access information the machine may have gleaned is null and void. And, it's not an unreasonable size to put in your pocket. (it's smaller and lighter than my mobile (!))

Access is via port 8443 (SSL) using a web browser, or via pure SSH - both worked first time for me.

The Bad!

This is where we start to see a few issues.. the "documentation". All that came with it was a small square of paper essentially with their web site URL on it - not exactly extensive for a complete security product. Yes I was able to plug it in and get it going without using even that, however not all users have 18 years Linux experience under their belts (!)

Ok, there is more documentation - just refer to the "Pico" manual as it looks to be the same "under the hood"

Then we have the discrepancies, XScale CPU - tick, 128Mb RAM - tick, 128Mb of flash disk - Ooops, I only see 40Mb, SD Card slot - Ooops, I seem to have a hole where there could be a slot. I'm getting the impression that parts of the device are a work in progress.

The SD Card slot is there, just with no kernel support, and the 128Mb disk is there, just not completely formatted.

Now we come to instructions on how to access the Yoggie and I'm told (looking online) to access 172.16.0.1. I'm puzzled as I don't have a local interface with an address on this range, so I do a little digging. Turns out that there is a USB network driver on the Yoggie, unfortunately it doesn't appear to be supported by the Ubuntu on my laptop .. maybe I'll upgrade it to the most recent version of Ubuntu, however I can't find any documentation telling me about the driver, where to get it, or what versions of Linux it works with.

So, fall-back to trying one of Yoggie's ethernet ports - Yippie, 192.168.4.1 works first time and I have ssh. I'm genuinely surprised at how responsive the system is from the command line, maybe it's just a long time since I've used a slower CPU but it does seem like quite a bit of power for a USB powered $79 unit.

Note that you can use yoggie.yoggie.com:8443 IF you use a DHCP issued name server ...

The Ugly!

So we'd better take a look at the web based GUI, which does look rather spectacular and from reading above, as you'd expect runs like greased lightning. The opening screen shows the current risk level and the number of firewall events it thinks are current. Little bit confusing at first until you realise that the picture will appear immediately but the dials will take maybe 10-15 seconds to respond, at which point (in this instance) they swing around to the current levels.

Now you're thinking "but this is pretty, not ugly!" , well if the figures it displayed were representative then I would be inclined to agree, however ...

Then we have a nice graph (and it is nice) showing recent activity. It's a rather pretty javascript type effect with a 3D zoom in and a 2D / print option, someone has certainly put a lot of effort into the presentation. This is much nicer than the GUI control panels one tends to see on routers etc in the same price bracket.

Anyway, all very nice, so let's see if it actually works .. unfortunately, it does rather look like (at the moment) it doesn't work, at least not in the way I'm expecting it to.

Here's my list of quibbles

A number of these are show stoppers and although I may be doing something 'wrong', the fact that "I" can do something wrong and not realise, does make releasing to end-users 'questionable' ..

  • Out of the box the Yoggie comes with all firewalling turned off, so there is no protection for your computer at all .. yet the front panel sits there and says "Firewall Events Zero" and "Risk Level Low". Whereas I can see the technical correctness of this, to tell a user he's safe when he's exactly the opposite is .. well .. let's just say it's a show-stopper.
    Apparently this is / should not be the case .. I've just re-tested my Unit and verified my results .. 
    it may be my device is faulty or out of date.
  • Next, we try to enable the outbound port black and white lists. Not being particularly switched on, we don't select any specific ports, we just turn on the services .. tick .. tick .. apply. Hey presto, we've just rendered our PC unable to connect to the Internet. So, untick, untick, apply .. move on.
  • Next, it's time we enabled the firewall, let's block all traffic and give ourselves maximum protection! How .. well first of all there's no Wizard so the average user is stuffed already. Luckily I know a thing or two about networks so I add an Inbound filter for 0.0.0.0/0 on port range 1-65535 of type TCP with action = "Block". Sound good? Well, it certainly stops me from accessing the Yoggie from an external address, however it has bugger all effect on my accessing my laptop THRU the Yoggie. i.e. the Yoggie is quite happily protecting itself, but not my laptop. When I try to NMAP the laptop or login via SSH, it kindly ups the risk level for me and tells me that it's logging firewall events - but it's not stopping the access! Eeek!
    As above, should not be the case, might just be my device (!)
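
A way to check the last quibble for yourself, as an added example that is not part of the original review or Yoggie's own tooling: run from a machine on the outside network, it probes both the firewall and the machine behind it and lists any port that still completes a TCP handshake despite a block-everything rule. The names `probe` and `audit` and the target labels are hypothetical, and the stand-alone demo uses a constructed loopback listener in place of a real laptop.

```python
import socket

def probe(host, port, timeout=1.0):
    """Classify one TCP connect attempt as 'open', 'refused' or 'filtered'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"        # handshake completed: traffic got through
    except ConnectionRefusedError:
        return "refused"     # an RST came back (rejecting filter or closed port)
    except OSError:
        return "filtered"    # timeout or unreachable: consistent with a drop rule
    finally:
        sock.close()

def audit(targets, ports, timeout=1.0):
    """Probe every (host, port); return all results plus the ones that leaked.

    targets maps a label to an address, e.g. the firewall itself and the
    machine behind it. Under a block-everything policy any 'open' is a leak,
    whatever the dashboard's event counter says.
    """
    results = {(label, port): probe(host, port, timeout)
               for label, host in targets.items() for port in ports}
    leaks = sorted(key for key, state in results.items() if state == "open")
    return results, leaks

if __name__ == "__main__":
    # Constructed offline demo: a loopback listener stands in for the SSH
    # service on the protected laptop. For a real check, put the firewall's
    # and the laptop's addresses in the targets dict instead.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    port = listener.getsockname()[1]
    results, leaks = audit({"laptop": "127.0.0.1"}, [port])
    for (label, p), state in sorted(results.items()):
        print(f"{label}:{p} {state}")
    print("LEAK, still reachable:" if leaks else "no leaks", leaks)
    listener.close()
```

A result of "filtered" for the firewall but "open" for the machine behind it is exactly the behaviour described in the last bullet: the device is protecting itself and only logging the traffic it forwards.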

So, it's billed (initially) to do one thing - which is to protect your computer.

Now it's "close" and I'm sure can be made to work, but my demo unit does not appear to do what it says on the can!

What comes next?

Well firstly, if you're not a developer then this product may not be for you just yet. What "I" would like to see next is;

  • Fix the issues on my quibble list above (or if I've got it all wrong, provide some appropriate documentation!)
  • Add some basic documentation to go out with the device (I guessed the system password before I was able to find it online!)
  • Do a little bit with the USB network driver, as the ethernet driver works and will be supported on most versions of Linux, and as the USB driver does not work on the most popular Linux, it might be as well to "not mention" the USB network port and re-jig the documentation just to use the 192.168.4 address on the normal internal ethernet port. (which just leaves the USB as a power socket)

At that point I think we'll see a viable (and for $79) cost-effective generic firewall product that's going to work nicely for any machine  (or small group of machines) connecting to the Internet via a wired connection.

And after that?

Well, running ahead of myself there are a number of projects I think I could apply this hardware to, a portable VPN node being one of them (as mentioned above). So I did try to compile up OpenVPN for the box, or at least I started to research "how" to.

First one needs an ARM cross compiler, then an ARM environment, then you need to make the OpenVPN source compile in this environment etc etc .. once I figured there was no ARM /gcc cross compiler  in the repos I temporarily gave up. What we really want is a VMWare (or similar) image we can load up for porting software.. maybe a few hours work for the developers or a few weeks for anyone else (!)

I think if they can make it easy for people to port applications, then there are all sorts of opportunities .. think; a linux box in your pocket for $79, and with an SD card many Gb's of storage .. VPN nodes, personal secure file storage .. your own private portable web server .. your own portable Asterisk VoIP PABX, there are many opportunities.

I'd love to see if I can get Plone working on a Yoggie .. it would make presentations and demonstrations Soooo easy .. (!)

USB keys are great, but their security is only as good as the machine you plug it into .. with a Yoggie, your security is as good as the Yoggie, which is a self contained Linux machine, which makes it pretty damn secure!

Summary

Marks out of 10 as a currently viable end-user product
0/10
Marks out of 10 as a potentially viable end-user firewall product
8/10
Marks out of 10 as a potential developer platform for other applications
9/10

When the niggles are out and it looks like I'll be able to port my own apps without devoting a few weeks to the process, I'd be quite up for buying one of these for myself. At this point I'll re-visit this review and let you know what's new!
