#8
Old 30th June 2011
jggimi
Quote:
Originally Posted by Randux
Secure to me is pretty simple: I mean, if something can break in, my LAN is insecure; if they can't, it's secure.
Intrusions might occur in many different ways. Some examples of ways information can be obtained or changed on your network, with or without OpenBSD in the mix:
  • Passive capture of packets sent in-the-clear
This seems obvious for wireless networks, but it is also quite true of wired networks. At any "hop" along the communication routes, packets may be examined. Unencrypted email should be considered as secure as a postcard. But not just email, because any traffic from or to your LAN sent in-the-clear should be considered insecure. The risk may be low, since in general only telecommunications companies and governments have easy access to such traffic ... but keep in mind that packets en route on the Internet can be diverted along the way, possibly for passive examination, with little technical difficulty, and they have been. See http://cyberarms.wordpress.com/2011/...tire-internet/ and the discussion of what happened to 15% of the world's Internet traffic in April 2010.
  • Man-in-the-middle (MITM) attacks
This is actively changing selected packets, or introducing new packets, into an existing data communication session, by a third party. This will always be significantly more complex than passive interception. Typically, the MITM is involved at session initiation, and passes changed or new packets only after authentication and authorization have completed.
  • Spoofed end-point
While this is often how MITM attacks establish themselves (the so-called entry vector), spoofed servers are far more common than MITM attacks. Anyone can set up a commonly branded but fake bank website and use it for identity theft and account-draining scams.

There are many variations of spoofing servers, from the simple social engineering links in spam with disguised URLs to something as complex as "DNS Spoofing" -- this latter provides the IP address of the bad guys' Evil Site when the domain name request was for the user's Good Site.
  • Beachhead
By far the most common problem, and the one you should pay very close attention to. This is where a foothold is gained on a platform inside the network, from outside, and command-and-control is gained. Of all of the beachhead vector attacks, the most famous example from last year was Stuxnet, though by the millions, Windows platforms are used as spambots. http://en.wikipedia.org/wiki/Stuxnet

Windows platforms are especially susceptible to these. There are many reasons, and not all of them are Microsoft's fault. Remember, though, that Windows is not the only platform on which beachheads can be established. All are susceptible. And yes, even OpenBSD, if an admin makes a provisioning mistake.

Once an Evil program is running on the workstation, any communication it initiates will be seen by the NAT router as normal traffic, and the router will permit 2-way communication. Anything that workstation has access to at that point is available to the intruder. Not just information on that workstation, but on any reachable network. Including the rest of your LAN.
Quote:
...I want to figure out how to orphan it if that is possible.
What do you mean by "orphan"? You could put your Windows platform on its own isolated subnet, so that it lives in its own DMZ, and cannot route packets to your valued, trusted subnet. To do this, you would need to replace your little router with something more capable (such as OpenBSD), or add an additional router (such as OpenBSD) just for the Windows platform. You would architect separate physical networks, with no valid routes between them.

Of course, if you do that, the Windows platform cannot communicate with services you might eventually want to offer it on the more trusted LAN, such as printers, web, or file servers. Using PF (if OpenBSD were a router), you could limit connections to just those you wish. But the services you permit might provide a vector into your trusted LAN -- it will be dependent on the services you allow, and what kind of vectors they might offer an attacker who has command and control of the Windows platform.

If you leave things open between the Windows platform and the rest of your LAN, then "orphan" only after a problem is noticed -- well -- I recall an analogy regarding barn doors and cows, which seems applicable in that situation.
Quote:
I use MAC filtering, a limit to number of connected devices (just what we are expected to have online) and WPA2 PSK-AES. Keys are refreshed about monthly.
WPA2 is the current common "state of the art" for built-in WiFi encryption. (If MAC filtering were all you were using, that would only keep out the uninterested. In this case, I don't perceive it adds any value.)
Quote:
So far I have not had any blatant activity, but I used to see some kernel traces from Linux that seemed to me like weird outside addresses somehow tried to get into my Linux boxes. I don't know how that could be or what to look for.
Do you mean network traces? Kernel traces examine process and system calls from applications, not network traffic. In any case, with a NAT router in front of those Linux boxes, you would expect incoming traffic through the router only for established sessions, initiated by the associated Linux box.
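The isolated-subnet design discussed in this post, as an added illustration that is not part of the original post: an OpenBSD pf.conf sketch in which the Windows platform sits on its own router interface, reaches the Internet through NAT, and is allowed into the trusted LAN for only one chosen service. Interface names (em0/em1/em2), the addresses and the printer are assumptions.

```pf
# Added illustration, not from jggimi's post: an OpenBSD pf.conf sketch for
# the isolated Windows subnet described above. Interface names, addresses and
# the single permitted service (a network printer) are assumptions.
ext_if  = "em0"            # toward the Internet
lan_if  = "em1"            # trusted LAN
dmz_if  = "em2"            # the "orphaned" Windows subnet
lan_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"
printer = "192.168.1.20"   # the one trusted-LAN service the DMZ may reach

set skip on lo

# Default deny, logged. Every pass rule below is stateful, so only replies to
# sessions initiated from inside ever come back in through the router, which
# is also why a NAT router shows no unsolicited inbound traffic on the LAN.
block return log all

# Source NAT for both internal networks
match out on $ext_if from { $lan_net, $dmz_net } to any nat-to ($ext_if)

# Trusted LAN: anywhere except into the Windows subnet
pass in on $lan_if inet from $lan_net to ! $dmz_net

# Windows subnet: the Internet, but not the trusted LAN ...
pass in on $dmz_if inet from $dmz_net to ! $lan_net
# ... with the single exception of raw printing to the named printer.
# Every service added here is a potential vector back into the trusted LAN
# should the Windows platform ever be under someone else's command and control.
pass in on $dmz_if inet proto tcp from $dmz_net to $printer port 9100

# Let forwarded and router-originated traffic leave on any interface;
# the "pass in" rules above are where the policy is enforced.
pass out all
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; the `log` keyword on the block rule lets you watch blocked DMZ-to-LAN attempts on the pflog interface.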