Re: [fw-wiz] home net security (was Re: 802.11b and IPSec)
From: Paul Robertson (proberts_at_patriot.net)
To: Bennett Todd <email@example.com> Date: Sun, 15 Jun 2003 08:46:06 -0400 (EDT)
On Tue, 10 Jun 2003, Bennett Todd wrote:
> I don't know the answer to the question you ask. If I wanted to hunt
I got lots of answers, I'll write up a summary in the next week or so...
> If you don't mind, though, I think it'd be valuable to expand the
> discussion to a more general analysis of security for home nets.
I think that's valuable...
> Now obviously a home net can be anything. There are undoubtedly
> maniacs who have beowlf clusters doing hotly proprietary financial
> modelling or whatever, with Special Needs. But they aren't typical.
I think that much, much worse is the user who doesn't know what the value
of data on their home network is- or who underestimates it. Heck, the CIA
had a Director who took classified home to his PC, the rest of us have
much less strict enviornments, and have to deal with the outcome..
> Let's fantasize that the typical home net has 802.11b; it has one
> or more workstations on it, which being pure clients are easy to
> harden (hardening hosts is only hard when you need to offer network
> services from those hosts).
I'm not sure that assumption is valid, many home networks have 2 or 3
clients on them- some of which may be doing things like serving music
files, participating in P2P networks, etc. In a typical home environment,
it's only easy to enforce a security policy if there's one person using
the machines, or one predominately computer-literate person, otherwise,
it's as political and bad as any other network, maybe worse...
> As I see it, the one hard-to-address aspect of home net security is
> preventing drive-by wireless users from committing offenses on the
> internet through your access.
That's one of the three main reasons I want to enforce IPSec on the WLAN
side of things...
> While it's weak protection, I think wiring down the DHCP with an
> enumerated list of MAC addrs is decent protection. Not perfect, of
> course, but it'll cut out casual drive-bys, and improve the odds
> that you at least notice even when a clever one tries to do bad. And
> it's awfully easy to do.
If I were going that route, I'd go with one of those Internet cafe-style
authenticating gateways... However, in this case, I'm (being pretty
picky) not really enthused about putting up another 300W power supply
full-time (when the quad processor dual 800W PSU AlphaServer is online, my
electricity bill goes way up- but at least it heats the house in the
> Enabling WEP would also add a modest little increment of hassle to a
> drive-by, but given the utter lack of key management in 802.11b WEP
> I'll give that a miss.
The second thing I'm worried about (not overly, but I think it's a valid
risk) is a determined neighbor, which would mean LEAP or something to get
around the key issues. A neighbor could literally take years to probe,
potentially even from hosts on yet-another neighbor's network (I can see 2
unesecured, default SSID'd WLANs from my house.)
The final thing I'm concerned about is the Access Point itself. After the
early SNMP issues, and because I'm not all that enamoured with what I've
seen in "appliance" devices recently, I'm just not happy exposing a WAP
without enforcing IPSec. I was seriously considering re-flashing a DELL
AP with my own Linux kernel, but I can't imagine the CPU in one of those
would like even a lightweight crypto algorithm.
I don't feel I need 3DES, it *is* a home network after all, and the host
security on anything that has sensative data is fine, but I can't imagine
a 33MHz ARM doing much more than XOR without breaking into a sweat.
Anyway, more about that when I summarize the responses.
Paul D. Robertson "My statements in this message are personal opinions
firstname.lastname@example.org which may have no basis whatsoever in fact."
email@example.com Director of Risk Assessment TruSecure Corporation
firewall-wizards mailing list