1

I need to install a computer in a remote location, so that a specific unique user can remotely connect to it via WireGuard VPN. Performance requirements are very low, but security requirements are very high (needs to be very secure against remote attacks).

I could buy a new computer, but I have an old Dell XPS420 (2.4GHz Intel Core 2 Quad Q6600) lying around, and I'm wondering if I could reuse that.

I can install an up-to-date Linux distro, and set up tight security on the WireGuard server, so that part should be fine. What other vulnerability, beyond the OS, should I consider? The only other one I can think of is the BIOS.

I believe the only BIOS Dell makes available is the A07, from 2009. Does it present vulnerabilities that can be exploited remotely?

If yes, I will change the motherboard, but reuse all other pieces. Is it reasonable?

DevShark

3 Answers

1

A remote attacker can only see exposed services. If you can trust the TCP/IP stack provided by your Linux distro and the servers that you will expose, then the configuration can be trusted to be secure against remote attacks.

The hard part when using old systems is not really that their hardware (including BIOS) is obsolete. But you are more likely to end up with a system that will no longer be fully supported by the latest releases of the OS or the required applications (generally because of a missing hardware component like, for example, a TPM). When that happens, you indeed have to choose between a physical upgrade to use the latest functionalities, or only staying with the old ones if they still meet your requirements.

And IMHO, the real hard part is to correctly configure the system to reach the expected security level (clearly define the threats and security constraints...) and mainly to keep it up to date after the initial installation...

Serge Ballesta
  • Linux dropped support for 486 processors just now, so I would say a Core2 would run Linux for another decade, maybe more. – ThoriumBR Nov 07 '22 at 12:04
0

Using an older computer for a security-sensitive task can actually be seen as an advantage, as long as the computer is powerful enough.

In newer computers, everything (hardware, drivers, BIOS, etc...) is more complex and has less history of being exposed to both good and bad eyes. This is why newer computers are expected to have more unknown vulnerabilities.

In short, go for it.

If this fails for one reason or another, your second bet could be a router with a WireGuard capability - built in or installable.

fraxinus
0

There are several hardware and firmware vulnerabilities that have been reported and have been addressed to a certain extent (either by software patches or by re-designing the hardware itself). Whether your hardware is vulnerable to any of these, under any circumstance, needs to be verified though.

In the old days, using an old computer as a dedicated firewall or a VPN server was not a problem. However, now that hardware vulnerabilities are well established and exploited, I would be extra careful in doing it; even if you understand how hardware vulnerabilities work, it requires a lot of specialized knowledge in order to verify whether a piece of hardware is affected or not.

At the end of the day, it's all about risk; if you know you'll be targeted by dedicated and resourceful adversaries, I wouldn't recommend using old hardware. Else, by running a fairly recent version of your target OS that has all the required patches, it wouldn't be a problem from a security point of view.

See also this older question.

Spyros
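One way to do the verification the last answer calls for, as an added example that is not part of any answer on this page: on Linux, the kernel publishes its own assessment of known CPU vulnerabilities under `/sys/devices/system/cpu/vulnerabilities`, and this script summarises it. It assumes a kernel recent enough to expose that directory and covers CPU issues the kernel knows about only, not BIOS flaws; the function names are illustrative.

```python
#!/usr/bin/env python3
"""Summarise the kernel's CPU vulnerability report (Linux sysfs)."""
import sys
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

def classify(status: str) -> str:
    """Map one sysfs status line to a coarse, conservative verdict."""
    text = status.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    # Any "Vulnerable" wins, even inside a longer
    # "Mitigation: ...; <sub-issue>: Vulnerable" line.
    if "Vulnerable" in text:
        return "vulnerable"
    if "Mitigation" in text:
        return "mitigated"
    return "unknown"

def read_report(base: Path = SYSFS_DIR) -> dict:
    """Return {issue: (verdict, raw status)} for every file under base."""
    report = {}
    for entry in sorted(base.iterdir()):
        if entry.is_file():
            raw = entry.read_text(errors="replace").strip()
            report[entry.name] = (classify(raw), raw)
    return report

def needs_attention(report: dict) -> list:
    """Issues the kernel does not report as mitigated or not affected."""
    return [n for n, (v, _) in report.items() if v in ("vulnerable", "unknown")]

def main() -> int:
    if not SYSFS_DIR.is_dir():
        print(f"{SYSFS_DIR} not found (kernel too old or not Linux)",
              file=sys.stderr)
        return 2
    report = read_report()
    for name, (verdict, raw) in report.items():
        print(f"{name:24} {verdict:13} {raw}")
    # Non-zero exit lets a provisioning script or cron job flag the host.
    return 1 if needs_attention(report) else 0

if __name__ == "__main__":
    sys.exit(main())
```

Run it after installing the distro and again after each kernel or microcode update; an exit status of 1 means at least one issue is reported as vulnerable or unknown.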