30th June 2011
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 6,424

Originally Posted by Randux
...I have been concerned because of how bad Windows security track record is on every conceivable exploit and I want to figure out a way to lock down my lan...
You will have to provide a narrower definition than "secure" -- without context, this is a relatively meaningless term. Most of the "exploits" you are concerned with attack Windows users through social engineering, and cannot be prevented by "locking down" (whatever that may mean) your local area network.

For instance, OpenBSD will never prevent your wife from clicking on a link from a "ScareWare" site trying to sell fake antivirus software, and downloading some sort of horror. It can, however, prevent her Windows platform from becoming a functioning spambot, by blocking any outbound TCP packet with a destination port #25, for example. But you will have to define what you mean by "security".
Originally Posted by Randux
I have a DSL router and all of my LAN is cabled to it except for the Windows box that uses wireless. Is there any way I can make a padded cell around either my LAN or the Windows box just using my router, or do I need to start thinking about setting up an OpenBSD firewall box?
You will need to start by clearly defining your requirements. For example: what "security" do you have in place on the wireless subset of your local area network? The first five of these wireless "security" arrangements are possible with an inexpensive, consumer-grade router that you might have installed yourself, or been supplied by your DSL service provider. Items 6 and above will require something beyond that equipment and OpenBSD might certainly be a piece of the infrastructure. It may not be obvious, but some of these technologies I mention are considered to be better than others. In some cases there is general agreement, in others, disagreement as to their value.

Do you know what these are? Do you have an opinion? Have you implemented any of these (first five) in your environment?
  1. MAC filtering
  2. WEP encryption, 40-bit
  3. WEP encryption, 128-bit
  4. WPA encryption, with private shared keys
  5. WPA2 encryption, with private shared keys
  6. WPA2 encryption, with certificates
  7. OpenVPN
  8. IPSec
  9. AuthPF
The wireless section of your LAN is only one component. What about the rest of your environment? What I know:
Originally Posted by Randux
I have crappy rural home internet service with dynamic IPv4 and no external services. In the future I would like to support ssh and maybe a web server or two.
I will assume that you are using a single IP address on the Internet, with a private subnet (such as 192.168.x.x) using Network Address Translation (NAT). The default "security" provided by these devices is NAT itself. It prevents unsolicited packets from being forwarded by the router to a device behind it. NAT routers keep "state tables" for traffic initiated by devices on the local side, in order to forward response packets to the correct device. If they don't have an established state for an incoming packet, they reject or ignore it.

In addition, some of these routers offer additional "security features" -- simple packet filtering from a web-based menu. Your router's manual may indicate if this is possible, and what those various filters do.

NAT routers can also do what is called "port forwarding" -- the TCP and UDP protocols use four bytes in the protocol headers to describe initiation and destination ports. By provisioning port forwarding, you can define a destination device for certain unsolicited packets, based on the destination port number. Using your examples, that might be: TCP packets with a destination port of 22 get routed to a device running sshd(8), or TCP packets with a destination port of 80 get sent to your web server. Assuming, of course, that your ISP permits TCP packets destined to port 80 through at all. They may block them, to prevent consumers from running websites on home servers.

Last edited by jggimi; 30th June 2011 at 03:19 PM.
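As an added illustration (not jggimi's or Randux's configuration), here is what the pieces discussed in this post look like in pf.conf on an OpenBSD box placed between the DSL modem and the LAN: NAT with state tracking, a default deny for unsolicited inbound packets, the outbound port 25 block for the wireless segment, a "padded cell" keeping the wireless box off the wired LAN, and port forwarding of TCP 22 and 80. Interface names, subnets and host addresses are assumptions.

```pf
# Added example; interface names and addresses are assumed, not taken from the thread.
#   em0   = DSL/Internet side (dynamic IPv4)      em1 = wired LAN   athn0 = wireless
#   192.168.1.0/24 = wired LAN, 192.168.2.0/24 = wireless segment (the Windows box)
#   192.168.1.10 = host running sshd(8), 192.168.1.20 = web server
ext_if   = "em0"
lan_if   = "em1"
wifi_if  = "athn0"
lan_net  = "192.168.1.0/24"
wifi_net = "192.168.2.0/24"
ssh_host = "192.168.1.10"
web_host = "192.168.1.20"

set skip on lo

# Default deny: anything without an established state entry is dropped and logged.
# This is the same protection a consumer NAT router gives "for free", made explicit.
block log all

# Drop spoofed source addresses arriving on the wrong interface.
antispoof quick for { $ext_if, $lan_if, $wifi_if }

# Padded cell: the wireless segment may reach the Internet but never the wired LAN.
block in log quick on $wifi_if inet from $wifi_net to $lan_net

# Anti-spambot rule from the post: no outbound SMTP (TCP/25) from the wireless box.
block in log quick on $wifi_if inet proto tcp from $wifi_net to any port 25

# NAT: rewrite the source of outbound traffic to the external interface's current
# (dynamic) address; the parentheses make pf re-read the address when DHCP changes it.
match out on $ext_if inet from { $lan_net, $wifi_net } to any nat-to ($ext_if)

# Internal hosts may initiate connections; the state table admits the replies.
pass in  on { $lan_if, $wifi_if } inet from { $lan_net, $wifi_net } to any
pass out on $ext_if inet
pass out on { $lan_if, $wifi_if } inet

# Port forwarding: unsolicited TCP/22 goes to the ssh host, TCP/80 to the web server.
# (Only useful if the ISP does not filter port 80 inbound, as the post warns.)
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 rdr-to $ssh_host
pass in on $ext_if inet proto tcp from any to ($ext_if) port 80 rdr-to $web_host
```

The box must also have IP forwarding enabled (net.inet.ip.forwarding=1 in sysctl.conf(5)), and `pfctl -nf /etc/pf.conf` will syntax-check the file before it is loaded.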