Re: [fw-wiz] home net security (was Re: 802.11b and IPSec)

From: Paul Robertson (proberts_at_patriot.net)
Date: 06/15/03

    To: Bennett Todd <bet@rahul.net>
    Date: Sun, 15 Jun 2003 08:46:06 -0400 (EDT)
    
    

    On Tue, 10 Jun 2003, Bennett Todd wrote:

    > I don't know the answer to the question you ask. If I wanted to hunt

    I got lots of answers, I'll write up a summary in the next week or so...

    > If you don't mind, though, I think it'd be valuable to expand the
    > discussion to a more general analysis of security for home nets.

    I think that's valuable...

    > Now obviously a home net can be anything. There are undoubtedly
    > maniacs who have beowulf clusters doing hotly proprietary financial
    > modelling or whatever, with Special Needs. But they aren't typical.

    I think that much, much worse is the user who doesn't know what the value
    of data on their home network is- or who underestimates it. Heck, the CIA
    had a Director who took classified home to his PC, the rest of us have
    much less strict environments, and have to deal with the outcome..

    > Let's fantasize that the typical home net has 802.11b; it has one
    > or more workstations on it, which being pure clients are easy to
    > harden (hardening hosts is only hard when you need to offer network
    > services from those hosts).

    I'm not sure that assumption is valid, many home networks have 2 or 3
    clients on them- some of which may be doing things like serving music
    files, participating in P2P networks, etc. In a typical home environment,
    it's only easy to enforce a security policy if there's one person using
    the machines, or one predominately computer-literate person, otherwise,
    it's as political and bad as any other network, maybe worse...

    > As I see it, the one hard-to-address aspect of home net security is
    > preventing drive-by wireless users from committing offenses on the
    > internet through your access.

    That's one of the three main reasons I want to enforce IPSec on the WLAN
    side of things...
     
    > While it's weak protection, I think wiring down the DHCP with an
    > enumerated list of MAC addrs is decent protection. Not perfect, of
    > course, but it'll cut out casual drive-bys, and improve the odds
    > that you at least notice even when a clever one tries to do bad. And
    > it's awfully easy to do.

    If I were going that route, I'd go with one of those Internet cafe-style
    authenticating gateways... However, in this case, I'm (being pretty
    picky) not really enthused about putting up another 300W power supply
    full-time (when the quad processor dual 800W PSU AlphaServer is online, my
    electricity bill goes way up- but at least it heats the house in the
    winter.)

    > Enabling WEP would also add a modest little increment of hassle to a
    > drive-by, but given the utter lack of key management in 802.11b WEP
    > I'll give that a miss.

    The second thing I'm worried about (not overly, but I think it's a valid
    risk) is a determined neighbor, which would mean LEAP or something to get
    around the key issues. A neighbor could literally take years to probe,
    potentially even from hosts on yet-another neighbor's network (I can see 2
    unsecured, default SSID'd WLANs from my house.)

    The final thing I'm concerned about is the Access Point itself. After the
    early SNMP issues, and because I'm not all that enamoured with what I've
    seen in "appliance" devices recently, I'm just not happy exposing a WAP
    without enforcing IPSec. I was seriously considering re-flashing a DELL
    AP with my own Linux kernel, but I can't imagine the CPU in one of those
    would like even a lightweight crypto algorithm.

    I don't feel I need 3DES, it *is* a home network after all, and the host
    security on anything that has sensitive data is fine, but I can't imagine
    a 33MHz ARM doing much more than XOR without breaking into a sweat.
    Anyway, more about that when I summarize the responses.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    proberts@patriot.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

