DaemonForums  

  #1   (View Single Post)  
Old 23rd June 2011
Randux Randux is offline
Disgruntled desktop user
 
Join Date: May 2008
Location: Siberia
Posts: 100
Question My lan is growing, how do I secure it?

I was ok for a long time on my small wired lan I use for my home and home office. Then my wife needed a Windows box and we had to go wireless. I have been concerned because of how bad Windows security track record is on every conceivable exploit and I want to figure out a way to lock down my lan which anyway is growing and also my desires for how I use my systems are changing.

I have a DSL router and all of my lan is cabled to it except for the Windows box that uses wireless. Is there any way I can make a padded cell around either my lan or the Windows box just using my router or do I need to start thinking about setting up an openbsd firewall box?

I have crappy rural home internet service with dynamic ipv4 and no external services. In the future I would like to support ssh and maybe a web server or two.

Thanks guys!
__________________
BSDForums.org refugee #27
Multibooting with LILO
Reply With Quote
  #2   (View Single Post)  
Old 30th June 2011
Randux Randux is offline
Disgruntled desktop user
 
Join Date: May 2008
Location: Siberia
Posts: 100
Default

bump
__________________
BSDForums.org refugee #27
Multibooting with LILO
Reply With Quote
  #3   (View Single Post)  
Old 30th June 2011
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Banned
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Default

It's usually considered bad netiquette to bump your own threads.
Reply With Quote
  #4   (View Single Post)  
Old 30th June 2011
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Quote:
Originally Posted by Randux View Post
...I have been concerned because of how bad Windows security track record is on every conceivable exploit and I want to figure out a way to lock down my lan...
You will have to provide a narrower definition than "secure" -- without context, this is a relatively meaningless term. Most of the "exploits" you are concerned with attack Windows users through social engineering, and cannot be prevented by "locking down" (whatever that may mean) your local area network.

For instance, OpenBSD will never prevent your wife from clicking on a link from a "ScareWare" site trying to sell fake antiVirus software, and downloading some sort of horror. It can, however, prevent her Windows platform from becoming a functioning spambot, by blocking any outbound TCP packet with a destination port #25, for example. But you will have to define what you mean by "security".
Quote:
I have a DSL router and all of my lan is cabled to it except for the Windows box that uses wireless. Is there any way I can make a padded cell around either my lan or the Windows box just using my router or do I need to start thinking about setting up an openbsd firewall box?
You will need to start by clearly defining your requirements. For example: what "security" do you have in place on the wireless subset of your local area network? The first five of these wireless "security" arrangements are possible with an inexpensive, consumer-grade router that you might have installed yourself, or been supplied by your DSL service provider. Items 6 and above will require something beyond that equipment and OpenBSD might certainly be a piece of the infrastructure. It may not be obvious, but some of these technologies I mention are considered to be better than others. In some cases there is general agreement, in others, disagreement as to their value.

Do you know what these are? Do you have an opinion? Have you implemented any of these (first five) in your environment?
  1. MAC filtering
  2. WEP encryption, 40-bit
  3. WEP encryption, 128-bit
  4. WPA encryption, with private shared keys
  5. WPA2 encryption, with private shared keys
  6. WPA2 encryption, with certificates
  7. OpenVPN
  8. IPSec
  9. AuthPF
The wireless section of your LAN is only one component. What about the rest of your environment? What I know:
Quote:
I have crappy rural home internet service with dynamic ipv4 and no external services. In the future I would like to support ssh and maybe a web server or two.
I will assume that you are using a single IP address on the Internet, with a private subnet (such as 192.168.x.x) using Network Address Translation (NAT). The default "security" provided by these devices is NAT itself. It prevents unsolicited packets from being forwarded by the router to a device behind it. NAT routers keep "state tables" for traffic initiated by devices on the local side, in order to forward response packets to the correct device. If they don't have an established state for an incoming packet, they reject or ignore it.

In addition, some of these routers offer additional "security features" -- simple packet filtering from a web-based menu. Your router's manual may indicate if this is possible, and what those various filters do.

NAT routers can also do what is called "port forwarding" -- the TCP and UDP protocols use four bytes in the protocol headers to describe initiation and destination ports. By provisioning port forwarding, you can define a destination device for certain unsolicited packets, based on the destination port number. Using your examples, that might be TCP packets with a destination port of 22 get routed to a device running sshd(8), or a TCP packet with destination port of 80 gets sent to your webserver. Assuming, of course, that your ISP permits TCP packets destined to port 80 through at all. They may block them, to prevent consumers from running websites on home servers.

Last edited by jggimi; 30th June 2011 at 03:19 PM.
Reply With Quote
  #5   (View Single Post)  
Old 30th June 2011
Randux Randux is offline
Disgruntled desktop user
 
Join Date: May 2008
Location: Siberia
Posts: 100
Default

Quote:
Originally Posted by jggimi View Post
You will have to provide a narrower definition than "secure" -- without context, this is a relatively meaningless term.
Secure to me is pretty simple because I mean if something can break in, my lan is insecure, if they can't it's secure.

Quote:
Originally Posted by jggimi View Post
Most of the "exploits" you are concerned with attack Windows users through social engineering, and cannot be prevented by "locking down" (whatever that may mean) your local area network.
Fair enough, and I don't care what happens to that box, I just consider it a weak point into my lan so I want to figure out how to orphan it if that is possible. That's why I said I want to make a padded cell either around the windows box or my lan, if possible.

Quote:
Originally Posted by jggimi View Post
For instance, OpenBSD will never prevent your wife from clicking on a link from a "ScareWare" site trying to sell fake antiVirus software, and downloading some sort of horror. It can, however, prevent her Windows platform from becoming a functioning spambot, by blocking any outbound TCP packet with a destination port #25, for example.
I installed and set up kerio on her box which is what I do on all windows boxes I have anything to do with, and I look at spybot once in a while. I tell her not to answer popups from kerio, so we should get notified if anything funny happens.

Quote:
Originally Posted by jggimi View Post
But you will have to define what you mean by "security". You will need to start by clearly defining your requirements. For example: what "security" do you have in place on the wireless subset of your local area network? The first five of these wireless "security" arrangements are possible with an inexpensive, consumer-grade router that you might have installed yourself, or been supplied by your DSL service provider. Items 6 and above will require something beyond that equipment and OpenBSD might certainly be a piece of the infrastructure. It may not be obvious, but some of these technologies I mention are considered to be better than others. In some cases there is general agreement, in others, disagreement as to their value.

Do you know what these are? Do you have an opinion? Have you implemented any of these (first five) in your environment?
  1. MAC filtering
  2. WEP encryption, 40-bit
  3. WEP encryption, 128-bit
  4. WPA encryption, with private shared keys
  5. WPA2 encryption, with private shared keys
  6. WPA2 encryption, with certificates
  7. OpenVPN
  8. IPSec
  9. AuthPF
I use MAC filtering, a limit to number of connected devices (just what we are expected to have online) and WPA2 PSK-AES. Keys are refreshed about monthly. She doesn't access services on my lan so I could rope that box off without upsetting anybody if I knew how to do it.

Quote:
Originally Posted by jggimi View Post
The wireless section of your LAN is only one component. What about the rest of your environment? What I know: I will assume that you are using a single IP address on the Internet, with a private subnet (such as 192.168.x.x) using Network Address Translation (NAT). The default "security" provided by these devices is NAT itself. It prevents unsolicited packets from being forwarded by the router to a device behind it. NAT routers keep "state tables" for traffic initiated by devices on the local side, in order to forward response packets to the correct device. If they don't have an established state for an incoming packet, they reject or ignore it.
Yes, thanks. That is about all I know. It's after that I need help.

Quote:
Originally Posted by jggimi View Post
In addition, some of these routers offer additional "security features" -- simple packet filtering from a web-based menu. Your router's manual may indicate if this is possible, and what those various filters do.
My router is made in a third world country, is non standard and has no doc. The "English" on the menus is not exactly helpful. The router itself seems to have plenty of features but since I'm not knowledgeable in comm issues I don't understand most of them. I understood enough to set up wpa2, connection limits for DHCP leases, and mac filtering, but not much more than that.

Quote:
Originally Posted by jggimi View Post
NAT routers can also do what is called "port forwarding" -- the TCP and UDP protocols use four bytes in the protocol headers to describe initiation and destination ports. By provisioning port forwarding, you can define a destination device for certain unsolicited packets, based on the destination port number. Using your examples, that might be TCP packets with a destination port of 22 get routed to a device running sshd(8), or a TCP packet with destination port of 80 gets sent to your webserver. Assuming, of course, that your ISP permits TCP packets destined to port 80 through at all. They may block them, to prevent consumers from running websites on home servers.
Thanks yes I understood that part too and until now have not wanted to access my lan from outside. Really I prefer a wired setup for security reasons and again only put on the wireless because of the windows box that has no other way to get to the internet.

So far I have not had any blatant activity but I used to see some kernel traces from Linux that seemed to me weird outside addresses somehow tried to get into my Linux boxes. I don't know how that could be or what to look for. Now I have a lot more machines around and I would like to consider allowing ssh into my lan and serving static content from apache with ssl but before I do that I would like to understand how to make sure the windows box isn't a gaping hole in the lan. Thanks.
__________________
BSDForums.org refugee #27
Multibooting with LILO

Last edited by Randux; 30th June 2011 at 05:04 PM.
Reply With Quote
  #6   (View Single Post)  
Old 30th June 2011
Randux Randux is offline
Disgruntled desktop user
 
Join Date: May 2008
Location: Siberia
Posts: 100
Default

Quote:
Originally Posted by BSDfan666 View Post
It's usually considered bad netiquette to bump your own threads.
Maybe so, but you can't argue with success...
__________________
BSDForums.org refugee #27
Multibooting with LILO
Reply With Quote
  #7   (View Single Post)  
Old 30th June 2011
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Quote:
Originally Posted by Randux View Post
Secure to me is pretty simple because I mean if something can break in, my lan is insecure, if they can't it's secure.
Intrusions might occur many different ways. Some examples of ways information can be obtained, or changed.... on your network, with or without OpenBSD in the mix:
  • Passive capture of packets sent in-the-clear
This seems obvious for wireless networks, but is also quite true of wired networks. At any "hop" along the communication routes, packets may be examined. Unencrypted Email should be considered as secure as a post card. But not just Email, because any traffic from or to your LAN sent in-the-clear should be considered insecure. The risk may be low, since in general, only telecommunications companies and governments have easy access to such traffic ... but keep in mind, packets en-route on the Internet can be diverted along the way, possibly for passive examination, with little technical difficulty, and they have been. See http://cyberarms.wordpress.com/2011/...tire-internet/ and the discussion of what happened to 15% of the world's Internet traffic in April 2010.
  • Man-in-the-middle (MITM) attacks
This is actively changing selected packets, or introducing new packets, into an existing data communication session, by a 3rd party. This will always be significantly more complex than passive interception. Typically, the MITM is involved at session initiation, and passes changed or new packets only after authentication and authorization has completed.
  • Spoofed end-point
While this is often how MITM attacks establish themselves, the so called entry vector, spoofed servers are far more common than MITM attacks. Anyone can set up a commonly branded but fake bank website and use it for identity theft and account draining scams.

There are many variations to spoofing servers, from the simple social engineering links in spam with disguised URLs to something as complex as "DNS Spoofing" -- this latter provides the IP address of the bad guys' Evil Site when the domain name request was for the user's Good Site.
  • Beachhead
By far the most common problem, and the one you should pay very close attention to. This is where a foothold is gained on a platform inside the network, from outside, and command-and-control is gained. Of all of the beachhead vector attacks, the most famous example from last year was Stuxnet, though by the millions, Windows platforms are used as spambots. http://en.wikipedia.org/wiki/Stuxnet

Windows platforms are especially susceptible to these. There are many reasons, and not all of them are Microsoft's fault. Remember, though, that Windows is not the only platform on which beachheads can be established. All are susceptible. And yes, even OpenBSD, if an admin makes a provisioning mistake.

Once an Evil program is running on the workstation, any communication it initiates will be seen by the NAT router as normal traffic, and the router will permit 2-way communication. Anything that workstation has access to at that point is available to the intruder. Not just information on that workstation, but on any reachable network. Including the rest of your LAN.
Quote:
...I want to figure out how to orphan it if that is possible.
What do you mean by "orphan"? You could put your Windows platform on its own isolated subnet, so that it lives in its own DMZ, and cannot route packets to your valued, trusted subnet. To do this, you would need to replace your little router with something more capable (such as OpenBSD), or add an additional router (such as OpenBSD) just for the Windows platform. You would architect separate physical networks, with no valid routes between them.

Of course, if you do that, the Windows platform cannot communicate with services you might eventually want to offer it on the more trusted LAN, such as printers, web, or file servers. Using PF (if OpenBSD were a router), you could limit connections to just those you wish. But the services you permit might provide a vector into your trusted LAN -- it will be dependent on the services you allow, and what kind of vectors they might offer an attacker who has command and control of the Windows platform.

If you leave things open between the Windows platform and the rest of your LAN, then "orphan" only after a problem is noticed -- well -- I recall an analogy regarding barn doors and cows, which seems applicable in that situation.
Quote:
I use MAC filtering, a limit to number of connected devices (just what we are expected to have online) and WPA2 PSK-AES. Keys are refreshed about monthly.
WPA2 is the current common "state of the art" for built-in WiFi encryption. (If MAC filtering were all you were using, that would only keep out the uninterested. In this case, I don't perceive it adds any value.)
Quote:
So far I have not had any blatant activity but I used to see some kernel traces from Linux that seemed to me weird outside addresses somehow tried to get into my Linux boxes. I don't know how that could be or what to look for.
Do you mean network traces? Kernel traces examine process and system calls from applications, not network traffic. In any case, with a NAT router in front of those Linux boxes, you would expect incoming traffic through the router only for established sessions, initiated by the associated Linux box.
Reply With Quote
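
The layout discussed in posts #4 and #7 (an isolated segment for the Windows box, the outbound port 25 block, and port forwarding for ssh and a web server), written as an OpenBSD pf.conf. This is an added example, not part of any poster's message: it assumes an OpenBSD router with three network interfaces, and the interface names and host addresses are constructed placeholders.

```pf
# /etc/pf.conf -- added illustration; all names and addresses below are assumptions
ext_if   = "em0"            # faces the DSL line (assumed interface name)
lan_if   = "em1"            # trusted wired LAN (assumed)
win_if   = "em2"            # separate segment for the Windows box (assumed)

ssh_host = "192.168.1.10"   # constructed address of the machine running sshd(8)
web_host = "192.168.1.20"   # constructed address of the web server

set skip on lo

# Default deny in both directions; logged packets show up on pflog0.
block log all

# NAT: both inside segments share the single dynamic public address.
match out on $ext_if inet from { $lan_if:network, $win_if:network } \
    to any nat-to ($ext_if)

# Stateful by default: replies to sessions started inside are let back in,
# unsolicited inbound packets fall through to "block log all".
pass out on $ext_if inet

# Trusted LAN may initiate connections anywhere.
pass in on $lan_if inet from $lan_if:network to any

# Windows segment: never allowed to send mail directly (spambot containment).
block return in quick on $win_if inet proto tcp to any port 25

# Windows segment: anything except the trusted LAN. Packets addressed to
# $lan_if:network match no pass rule and are dropped by the default block.
pass in on $win_if inet from $win_if:network to ! $lan_if:network

# Port forwarding for the future ssh and web services.
pass in on $ext_if inet proto tcp to ($ext_if) port 22 rdr-to $ssh_host
pass in on $ext_if inet proto tcp to ($ext_if) port 80 rdr-to $web_host

# Forwarded connections still have to leave on the LAN interface.
pass out on $lan_if inet proto tcp to $ssh_host port 22
pass out on $lan_if inet proto tcp to $web_host port 80
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and the box must have `net.inet.ip.forwarding=1` set to route between the segments at all.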
  #8   (View Single Post)  
Old 30th June 2011
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Banned
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Default

Quote:
Originally Posted by Randux View Post
Maybe so, but you can't argue with success...
jggimi is a nice guy and decided to give you the benefit of the doubt.
Reply With Quote
  #9   (View Single Post)  
Old 30th June 2011
Randux Randux is offline
Disgruntled desktop user
 
Join Date: May 2008
Location: Siberia
Posts: 100
Default

Yeah well he knows me for awhile.
__________________
BSDForums.org refugee #27
Multibooting with LILO
Reply With Quote
Old 30th June 2011
Randux Randux is offline
Disgruntled desktop user
 
Join Date: May 2008
Location: Siberia
Posts: 100
Default

Quote:
Originally Posted by jggimi View Post
What do you mean by "orphan"? You could put your Windows platform on its own isolated subnet, so that it lives in its own DMZ, and cannot route packets to your valued, trusted subnet. To do this, you would need to replace your little router with something more capable (such as OpenBSD), or add an additional router (such as OpenBSD) just for the Windows platform. You would architect separate physical networks, with no valid routes between them.
Ah now we're getting somewhere. Yes, I would like to learn more about subnets and managing them. I don't know what DMZ is either, but I would like to keep the windows box off my lan in the sense that it is as untrusted as anything else outside the lan. I have some books on PF but I don't know the basic concepts to where those books are helpful yet. Do you have any recommendations on "executive concepts" reading where I can get enough info to be conversant and at least know what I want to do and how to ask questions about it even if I don't understand how those things happen? I have a day job and a family and I can't learn to be a real network admin but I would like to know enough focused information to secure and manage my own little network.

Quote:
Originally Posted by jggimi View Post
Of course, if you do that, the Windows platform cannot communicate with services you might eventually want to offer it on the more trusted LAN, such as printers, web, or file servers. Using PF (if OpenBSD were a router), you could limit connections to just those you wish. But the services you permit might provide a vector into your trusted LAN -- it will be dependent on the services you allow, and what kind of vectors they might offer an attacker who has command and control of the Windows platform.
I realize that and at this point having the windows box totally off my lan is fine. The only reason it's there is because it has to get to the internet and I have only one crappy connection.

Quote:
Originally Posted by jggimi View Post
Do you mean network traces? Kernel traces examine process and system calls from applications, not network traffic.
I used the wrong terminology, in the past I noticed log messages with "kernel" on them and some outside ip addr I didn't recognize. If I have any in my syslog I'll post them later.

Quote:
Originally Posted by jggimi View Post
In any case, with a NAT router in front of those Linux boxes, you would expect incoming traffic through the router only for established sessions, initiated by the associated Linux box.
Yes, that's why I didn't like the looks of those messages.

Thanks for taking the time to explain this stuff.
__________________
BSDForums.org refugee #27
Multibooting with LILO
Reply With Quote