DaemonForums  
#1, 7th March 2009, paran0iaX:
Using OpenBSD as a second router

I live in a college dormitory, and I don't particularly trust all the users on the school's network.

I'm wondering if I can set up an OpenBSD computer with pf and whatever else is necessary for security between my own PCs and the school's router to protect myself, like in this wonderful piece of art I drew up.

I guess there is really no way to encrypt incoming internet traffic that comes in from the school's router to OpenBSD then my computers, since anyone can sit there on the router's connection and peek at everything that comes rolling in, but I'd like to at least encrypt all of my outbound traffic by sending it to the OpenBSD computer first, then having OpenBSD ship out all the traffic encrypted so nobody can sniff the information (I'm not sure what's stopping them from decrypting all of it, but hopefully the encryption method available in OpenBSD will take a user lots of processing power and lots of time to crack). If there's a better solution for this, please let me know.

Also I hope that it is a given that if anyone tries to target my connection through the router, they'll just hit the OpenBSD firewall and not be able to bypass it into my personal computers. If this isn't true, please notify me of this as well.

As my knowledge on networking is less than par, I'm hoping the people on this OpenBSD forum might be able to be of assistance. Thanks in advance.
#2, 7th March 2009, BSDfan666:

OpenBSD could be used to set up a private network in your residence, but the OpenBSD system itself would still associate with the college router the same way as other students do, i.e. encrypted wireless via WEP or WPA?

We don't know enough about your setup, but establishing a secure tunnel with that college router is probably not an option...

It would be possible to securely tunnel connections to somewhere outside of the college.. a friend's house?

Anyway, hope that helps.
#3, 7th March 2009, paran0iaX:

There's no wireless encryption on the router, so anyone who is outside can connect to them (but the router administration itself is passworded).

I used to have internet at home, but cancelled the service because:

1) I am at school 10/12 months
2) I need to save money

#2 leads to the reason why I don't set up my own internet in my dorm room.

So tunnelling is out of the question as I don't know anyone I can trust with the personal information I need to be transmitting online (logging into bank account, e-mail, etc.).

Do you have any other suggestions?
#4, 7th March 2009, ocicat:

Quote, originally posted by paran0iaX:
...but I'd like to at least encrypt all of my outbound traffic by sending it to the OpenBSD computer first, then having OpenBSD ship out all the traffic encrypted so nobody can sniff the information (I'm not sure what's stopping them from decrypting all of it, but hopefully the encryption method available in OpenBSD will take a user lots of processing power and lots of time to crack).
Perhaps you need to further describe how you envision "encryption". Yes, OpenBSD can encrypt network traffic, but fundamentally you need control over both end-points. If you do, then you could look into some form of VPN or IPsec connection.

Note, however, that OpenBSD does not have a monopoly over these technologies. Other operating systems offer them as well to varying degrees.
#5, 7th March 2009, ocicat:

Quote, originally posted by paran0iaX:
So tunnelling is out of the question as I don't know anyone I can trust with the personal information I need to be transmitting online (logging into bank account, e-mail, etc.)
In general, on-line banking should be done over wired connections unless you have full control of the wireless configuration.
#6, 7th March 2009, paran0iaX:

Quote, originally posted by ocicat:
Perhaps you need to further describe how you envision "encryption". Yes, OpenBSD can encrypt network traffic, but fundamentally you need control over both end-points. If you do, then you could look into some form of VPN or IPsec connection.

Note, however, that OpenBSD does not have a monopoly over these technologies. Other operating systems offer them as well to varying degrees.
Encryption in a way so that other users that are within the same network as I am cannot just steal information I'm sending to the router. As far as login credentials and such go, there is the https encryption on the other end so I guess that's that. My main concern is the other people on the network that I'm on.
#7, 7th March 2009, BSDfan666:

Unfortunately what you want likely isn't possible.. there is no special way that OpenBSD can encrypt traffic going to the router without the cooperation of the college's network administrators.
#8, 7th March 2009, ocicat:

Quote, originally posted by paran0iaX:
Encryption in a way so that other users that are within the same network as I am cannot just steal information I'm sending to the router.
Yes, encryption can thwart the reprobates, but the problem is that the encrypted packets eventually have to be decrypted at the intended destination. Unless you have a tunnel or configure a secured IPSec connection, the intended recipient(s) will simply see garbage. This is why control (at least coordinated...) at both ends is necessary.
#9, 7th March 2009, paran0iaX:

So would you guys safely say that getting my own internet connection would be the best solution in my case?
7th March 2009, ocicat:

Quote, originally posted by paran0iaX:
So would you guys safely say that getting my own internet connection would be the best solution in my case?
It would be better.

As voiced before, my biggest concern over the situation you have described is doing online banking over a wireless connection. In most cases, we over-exaggerate the importance of email unless transactional information & passwords are being exchanged. This assumes you aren't involved in gray to clandestine activities.

7th March 2009, paran0iaX:

Thanks. I usually prefer a wired connection anyway, especially because of the connection speed. If I get my own internet, I will of course use wired connections for everything.
7th March 2009, jggimi:

You mentioned HTTPS protocol, paran0iaX. This uses SSL or TLS for encryption, and can be used with an unauthenticated browser -- and is most commonly used that way. SSL or TLS use a blend of random numbers and certificates for managing authentication and keys, and certification authorities to manage trust -- the latter limits (but does not eliminate) man-in-the-middle attack vectors.

Of course, in order to use HTTPS, both the browser and the server need to use it; most popular browsers do, of course, but webservers must be configured to do so in order for you to use it.

The encryption is limited to the content of the packets, not the packet headers ... so someone scanning the traffic will still see the IP addresses and port numbers of both end-points. This means that someone scanning your traffic will know that you (or someone in your dorm room) is downloading porn from a particular site. Even when using HTTPS, any unencrypted URLs on a protected page (such as embedded images) will not be encrypted and will be sent in the clear -- client browsers can pop up a warning, but many people disable the warning the first time it happens, and never know about it when it happens again.

HTTPS is not useful for general websurfing, and is of no help hiding you from the RIAA or MPAA when using bittorrent, either.
7th March 2009, paran0iaX:

What would you suggest for general websurfing? Especially since not all websites enable https.
7th March 2009, jggimi:

You're missing the point, which both ocicat and bsdfan666 made -- if you want to have any traffic encrypted, well, that takes two entities, one at each end: an encrypter, and a decrypter.

You have only one "end point". It takes two to tango.

There are anonymizing services, of course. For one example, google for "tor".
7th March 2009, paran0iaX:

I've actually used Tor before, but I stopped mainly because it was so slow. Like, sometimes it would connect to a server in Germany when I start it up, and it would take about 3-5 minutes to load Google. Then I have to click "Google in English" because the Google homepage is in German, and it takes another couple minutes to load the English version of the website. Not to mention websites with actual content that take really long to load (like video streaming sites like YouTube, for example).
7th March 2009, BSDfan666:

Quote, originally posted by paran0iaX:
I've actually used Tor before, but I stopped mainly because it was so slow. Like, sometimes it would connect to a server in Germany when I start it up, and it would take about 3-5 minutes to load Google. Then I have to click "Google in English" because the Google homepage is in German, and it takes another couple minutes to load the English version of the website. Not to mention websites with actual content that take really long to load (like video streaming sites like YouTube, for example).
Then you have a decision to make: do you want a false sense of security or speed?

As has been indicated countless times already, what you want requires some additional setup.. it also adds some protocol overhead, encryption isn't cheap.

Do you work for the government? Is what you do classified? Probably not.. but we don't know you.
7th March 2009, jggimi:

Quote, originally posted by BSDfan666:
...countless times...
Only 5.
Quote:
...is what you do classified?...
Typically, governments 'round the world have regulations that describe clearly what must be done with their information, depending on its classification. I'll bet "school dormitory" doesn't appear in any of the regs.
7th March 2009, paran0iaX:

I'm just concerned about my privacy.

Like, anyone can look through my underwear drawer if they want, since I have nothing to hide, but still, it's something I'd like to keep private anyway. Just stuff like that.
7th March 2009, jggimi:

Then obtain a server (or a friend with a server) outside of your school's network, and encrypt your communication through it. A commercial server (or virtual machine) may be cheaper than a private ISP connection.

But you still must trust the remote server, and its network(s).

There are lots of choices of traffic encryption technologies. What to choose will depend on your network applications and your network topology. But, without a system external to your untrusted network, it's academic.

Regarding topology, your network traffic rules may disallow any or all of these:
  • An IPSec-based VPN can efficiently encrypt all traffic.
  • An OpenVPN-based VPN can encrypt all traffic via UDP (or TCP) between end points.
  • An SSH-based VPN can tunnel all traffic via TCP between end points.
  • An SSH-based SOCKS proxy can tunnel all HTTP/HTTPS traffic between end points.
These all have the same effect, with varying amounts of efficiency, ease of use, and capability. Traffic from your system(s) is encrypted and is sent to a remote end-point, which decrypts it and relays it to the final destination. Traffic to your system(s) is encrypted at the remote end-point, and gets sent to you for decryption and final disposition.
Reply With Quote
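An added example, not code from the thread or from OpenBSD itself: a shell function that writes the pf ruleset for the box drawn in post #1, set up as the SSH-based SOCKS proxy from jggimi's list, so the school side cannot reach your PCs and the router sends nothing upstream except DHCP and the one SSH session that carries the tunnel. Interface names em0/em1, the LAN prefix and the remote end-point address are assumptions.

```shell
# Added example, not from the thread: generate a pf.conf for the OpenBSD box
# that sits between your PCs and the school's router (post #1), configured as
# the SSH-based SOCKS proxy from jggimi's list. Interface names em0/em1, the
# LAN prefix and the tunnel end-point address are assumptions.
#
# Policy: the school side may not initiate anything towards the router or the
# LAN; the router never forwards packets (IP forwarding stays off) and sends
# only DHCP plus one SSH session upstream, so LAN traffic cannot leak in the
# clear if the tunnel is down. Browsers on the LAN use SOCKS5 at the router's
# inside address, port 1080, with "remote DNS" enabled so lookups go through
# the tunnel too.
gen_pf_conf() {
    ext_if=$1   # interface facing the school router      (assumed: em0)
    int_if=$2   # interface facing your own PCs           (assumed: em1)
    lan=$3      # your private LAN                        (e.g. 192.168.1.0/24)
    vps=$4      # SSH end-point outside the school        (constructed: 203.0.113.10)
    cat <<EOF
ext_if = "$ext_if"
int_if = "$int_if"
lan    = "$lan"
vps    = "$vps"

set skip on lo
set block-policy drop

# Default deny in both directions; log whatever the school side sends our way.
block log all

# Your PCs -> router: SSH for administration and the SOCKS listener only.
pass in on \$int_if proto tcp from \$lan to (\$int_if) port { 22 1080 }

# Router -> school network: DHCP to get an address, then the single SSH
# session that carries the SOCKS tunnel. Nothing else leaves in the clear.
pass out on \$ext_if inet proto udp from any port 68 to any port 67
pass out on \$ext_if proto tcp from (\$ext_if) to \$vps port 22
EOF
}

# Usage on the router (as root), then start the tunnel with
#   ssh -N -D 192.168.1.1:1080 user@203.0.113.10
#
#   gen_pf_conf em0 em1 192.168.1.0/24 203.0.113.10 > /etc/pf.conf
#   pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
```

Run `pfctl -nf` first: it parses the ruleset without loading it, so a typo cannot leave the box wide open.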
8th March 2009, paran0iaX:

Would you happen to have any good, secure, reliable VPS you can recommend?