View Single Post
  #5   (View Single Post)  
Old 30th June 2011
Randux Randux is offline
Disgruntled desktop user
Join Date: May 2008
Location: Siberia
Posts: 100

Originally Posted by jggimi View Post
You will have to provide a narrower definition than "secure" -- without context, this is a relatively meaningless term.
Secure to me is pretty simple because I mean if something can break in, my lan is insecure, if they can't it's secure.

Originally Posted by jggimi View Post
Most of the "exploits" you are concerned with attack Windows users through social engineering, and cannot be prevented by "locking down" (whatever that may mean) your local area network.
Fair enough, and I don't care what happens to that box, I just consider it a weak point into my lan so I want to figure out how to orphan it if that is possible. That's why I said I want to make a padded cell either around the windows box or my lan, if possible.

Originally Posted by jggimi View Post
For instance, OpenBSD will never prevent your wife from clicking on a link from a "ScareWare" site trying to sell fake antiVirus software, and downloading some sort of horror. It can, however, prevent her Windows platform from becoming a functioning spambot, by blocking any outbound TCP packet with a destination port #25, for example.
I installed and setup kerio on her box which is what I do on all windows boxes I have anything to do with, and I look at spybot once in awhile. I tell her not to answer popups from kerio, so we should get notified if anything funny happens.

Originally Posted by jggimi View Post
But you will have to define what you mean by "security".You will need to start by clearly defining your requirements. For example: what "security" do you have in place on the wireless subset of your local area network? The first five of these wireless "security" arrangements are possible with an inexpensive, consumer-grade router that you might have installed yourself, or been supplied by your DSL service provider. Items 6 and above will require something beyond that equipment and OpenBSD might certainly be a piece of the infrastructure. It may not be obvious, but some of these technologies I mention are considered to be better than others. In some cases there is general agreement, in others, disagreement as to their value.

Do you know what these are? Do you have an opinion? Have you implemented any of these (first five) in your environment?
  1. MAC filtering
  2. WEP encryption, 40-bit
  3. WEP encryption, 128-bit
  4. WPA encryption, with private shared keys
  5. WPA2 encryption, with private shared keys
  6. WPA2 encryption, with certificates
  7. OpenVPN
  8. IPSec
  9. AuthPF
I use MAC filtering, a limit to number of connected devices (just what we are expected to have online) and WPA2 PSK-AES. Keys are refreshed about monthly. She doesn't access services on my lan so I could rope that box off without upsetting anybody if I knew how to do it.

Originally Posted by jggimi View Post
The wireless section of your LAN is only one component. What about the rest of your environment? What I know:I will assume that you are using a single IP address on the Internet, with a private subnet (such as 192.168.x.x) using Network Address Translation (NAT). The default "security" provided by these devices is NAT itself. It prevents unsolicited packets from being forwarded by the router to a device behind it. NAT routers keep "state tables" for traffic initiated by devices on the local side, in order to forward response packets to the correct device. If they don't have an established state for an incoming packet, they reject or ignore it.
Yes, thanks. That is about all I know. It's after that I need help.

Originally Posted by jggimi View Post
In addition, some of these routers offer additional "security features" -- simple packet filtering from a web-based menu. Your router's manual may indicate if this is possible, and what those various filters do.
My router is made in a third world country, is non standard and has no doc. The "English" on the menus is not exactly helpful. The router itself seems to have plenty of features but since I'm not knowledgeable in comm issues I don't understand most of them. I understood enough to setup wpa2, connection limits for DHCP leases, and mac filtering, but not much more than that.

Originally Posted by jggimi View Post
NAT routers can also do what is called "port forwarding" -- the TCP and UDP protocols use four bytes in the protocol headers to describe initiation and destination ports. By provisioning port forwarding, you can define a destination device for certain unsolicited packets, based on the destination port number. Using your examples, that might be TCP packets with a destination port of 22 get routed to a device running sshd(8), or a TCP packet with destination port of 80 gets sent to your webserver. Assuming, of course, that your ISP permits TCP packets destined to port 80 through at all. They may block them, to prevent consumers from running websites on home servers.
Thanks yes I understood that part too and until now have not wanted to access my lan from outside. Really I prefer a wired setup for security reasons and again only put on the wireless because of the windows box that has no other way to get to the internet.

So far I have not had any blatant activity but I used to see some kernel traces from Linux that seemed to me wierd outside addresses somehow tried to get into my Linux boxes. I don't know how that could be or what to look for. Now I have alot more machines around and I would like to consider allowing ssh into my lan and serving static content from apache with ssl but before I do that I would like to understand how to make sure the windows box isn't a gaping hole in the lan. Thanks.
__________________ refugee #27
Multibooting with LILO

Last edited by Randux; 30th June 2011 at 05:04 PM.
Reply With Quote