My LAN is growing, how do I secure it?
I was OK for a long time on the small wired LAN I use for my home and home office. Then my wife needed a Windows box and we had to go wireless. I have been concerned because of how bad Windows' security track record is on every conceivable exploit, and I want to figure out a way to lock down my LAN, which is growing anyway; my desires for how I use my systems are also changing.
I have a DSL router and all of my LAN is cabled to it except for the Windows box, which uses wireless. Is there any way I can make a padded cell around either my LAN or the Windows box just using my router, or do I need to start thinking about setting up an OpenBSD firewall box? I have crappy rural home internet service with dynamic IPv4 and no external services. In the future I would like to support SSH and maybe a web server or two. Thanks guys!
__________________
BSDForums.org refugee #27 Multibooting with LILO
bump
It's usually considered bad netiquette to bump your own threads.
Maybe so, but you can't argue with success...
jggimi is a nice guy and decided to give you the benefit of the doubt.
For instance, OpenBSD will never prevent your wife from clicking on a link from a "ScareWare" site trying to sell fake antivirus software, and downloading some sort of horror. It can, however, prevent her Windows platform from becoming a functioning spambot, by blocking any outbound TCP packet with a destination port #25, for example. But you will have to define what you mean by "security".
Do you know what these are? Do you have an opinion? Have you implemented any of these (first five) in your environment?
In addition, some of these routers offer additional "security features" -- simple packet filtering from a web-based menu. Your router's manual may indicate if this is possible, and what those various filters do. NAT routers can also do what is called "port forwarding" -- the TCP and UDP protocols use four bytes in the protocol headers to describe initiation and destination ports. By provisioning port forwarding, you can define a destination device for certain unsolicited packets, based on the destination port number. Using your examples, that might be: TCP packets with a destination port of 22 get routed to a device running sshd(8), or TCP packets with a destination port of 80 get sent to your web server. Assuming, of course, that your ISP permits TCP packets destined to port 80 through at all. They may block them, to prevent consumers from running websites on home servers.
Last edited by jggimi; 30th June 2011 at 03:19 PM.
So far I have not had any blatant activity, but I used to see some kernel traces from Linux that seemed to me like weird outside addresses somehow trying to get into my Linux boxes. I don't know how that could be or what to look for. Now I have a lot more machines around and I would like to consider allowing SSH into my LAN and serving static content from Apache with SSL, but before I do that I would like to understand how to make sure the Windows box isn't a gaping hole in the LAN. Thanks.
Last edited by Randux; 30th June 2011 at 05:04 PM.
This seems obvious for wireless networks, but is also quite true of wired networks. At any "hop" along the communication routes, packets may be examined. Unencrypted email should be considered as secure as a postcard. But not just email, because any traffic from or to your LAN sent in the clear should be considered insecure. The risk may be low, since in general only telecommunications companies and governments have easy access to such traffic ... but keep in mind, packets en route on the Internet can be diverted along the way, possibly for passive examination, with little technical difficulty, and they have been. See http://cyberarms.wordpress.com/2011/...tire-internet/ and the discussion of what happened to 15% of the world's Internet traffic in April 2010.
This is actively changing selected packets, or introducing new packets, into an existing data communication session, by a third party. This will always be significantly more complex than passive interception. Typically, the MITM is involved at session initiation, and passes changed or new packets only after authentication and authorization have completed.
While this is often how MITM attacks establish themselves (the so-called entry vector), spoofed servers are far more common than MITM attacks. Anyone can set up a commonly branded but fake bank website and use it for identity theft and account-draining scams.
By far the most common problem, and the one you should pay very close attention to. This is where a foothold is gained on a platform inside the network, from outside, and command-and-control is gained. Of all of the beachhead vector attacks, the most famous example from last year was Stuxnet, though, by the millions, Windows platforms are used as spambots. http://en.wikipedia.org/wiki/Stuxnet
Of course, if you do that, the Windows platform cannot communicate with services you might eventually want to offer it on the more trusted LAN, such as printers, web, or file servers. Using PF (if OpenBSD were the router), you could limit connections to just those you wish. But the services you permit might provide a vector into your trusted LAN -- it will depend on the services you allow, and what kind of vectors they might offer an attacker who has command and control of the Windows platform. If you leave things open between the Windows platform and the rest of your LAN, and then "orphan" it only after a problem is noticed -- well -- I recall an analogy regarding barn doors and cows, which seems applicable in that situation.
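As an added example (not jggimi's configuration, and not taken from OpenBSD's own documentation), here is a pf.conf that implements the pieces discussed in this post and in the earlier one above: the wireless segment holding the Windows box is walled off from the trusted LAN except for a printer, outbound TCP port 25 from it is blocked so a compromised box cannot become a spambot, and unsolicited TCP 22 and 80 from the outside are forwarded to an sshd(8) host and a web server. It assumes the OpenBSD box is the router, with three interfaces and the wireless access point hanging off the third; the interface names, subnets and host addresses are all made up for the example.

```pf
# Added example, not from this thread or from OpenBSD: pf.conf for an
# OpenBSD box routing between a DSL uplink, a wired trusted LAN and a
# wireless segment that holds the Windows box. Every interface name,
# address and host below is an assumption; adjust to your own network.

ext_if   = "em1"             # uplink toward the DSL line, dynamic address
lan_if   = "em0"             # wired, trusted LAN
wifi_if  = "athn0"           # wireless segment, treated as untrusted
lan_net  = "192.168.1.0/24"
wifi_net = "192.168.2.0/24"
printer  = "192.168.1.10"    # assumed network printer on the trusted LAN
sshbox   = "192.168.1.20"    # assumed host running sshd(8)
webbox   = "192.168.1.30"    # assumed host running the web server

set skip on lo

# Default deny, logged to pflog0. Everything below is an explicit exception,
# so a new device on either segment gets nothing it was not granted.
block log all

# Hide both inside networks behind the (dynamic) external address.
match out on $ext_if inet from { $lan_net, $wifi_net } nat-to ($ext_if:0)

# If this box hands out addresses on the wireless side: DHCP requests come
# from 0.0.0.0, so the "from $wifi_net" rules below would not match them.
pass in quick on $wifi_if inet proto udp from any port 68 to any port 67

# Wireless segment policy. "quick" makes these first-match, top to bottom:
#  1. the Windows box may print on the trusted LAN, and nothing else there
#  2. it may not open SMTP to anyone, so a compromise cannot spam
#  3. anything else it starts may only go to the Internet (and this router)
pass in quick on $wifi_if proto tcp from $wifi_net to $printer port { 515, 631, 9100 }
block in quick log on $wifi_if from $wifi_net to $lan_net
block in quick log on $wifi_if proto tcp from $wifi_net to any port 25
pass in on $wifi_if from $wifi_net

# Trusted LAN: may start connections anywhere, including into the wireless
# segment (the reverse direction is blocked above).
pass in on $lan_if from $lan_net

# Unsolicited Internet traffic hits the default block, except the two
# services the thread talks about, which are forwarded to inside hosts.
# If the DSL box still does its own NAT it must forward 22 and 80 to this
# machine first, and the ISP may block 80 altogether.
pass in on $ext_if inet proto tcp to ($ext_if) port 22 rdr-to $sshbox
pass in on $ext_if inet proto tcp to ($ext_if) port 80 rdr-to $webbox

# Replies ride on state. This also covers the router's own outbound traffic
# and the second leg of the forwarded connections.
pass out
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and enable forwarding with `sysctl net.inet.ip.forwarding=1` or the box will not route at all. Because the default rule logs, `tcpdump -n -e -ttt -i pflog0` shows every packet that was dropped, which is the place to look for the "weird outside addresses" mentioned earlier in the thread. The printer rule is the kind of permitted service jggimi warns about: a Windows box under someone else's control can still reach those three ports, so keep the allowed list as short as the household can live with.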
Thanks for taking the time to explain this stuff.
Yeah, well, he's known me for a while.