Firewall Wizards mailing list archives
Re: home net security (was Re: 802.11b and IPSec)
From: Paul Robertson <proberts () patriot net>
Date: Sun, 15 Jun 2003 08:46:06 -0400 (EDT)
On Tue, 10 Jun 2003, Bennett Todd wrote:
> I don't know the answer to the question you ask. If I wanted to hunt
I got lots of answers, I'll write up a summary in the next week or so...
> If you don't mind, though, I think it'd be valuable to expand the discussion to a more general analysis of security for home nets.
I think that's valuable...
> Now obviously a home net can be anything. There are undoubtedly maniacs who have Beowulf clusters doing hotly proprietary financial modelling or whatever, with Special Needs. But they aren't typical.
I think that much, much worse is the user who doesn't know what the value of data on their home network is- or who underestimates it. Heck, the CIA had a Director who took classified home to his PC, the rest of us have much less strict environments, and have to deal with the outcome..
> Let's fantasize that the typical home net has 802.11b; it has one or more workstations on it, which being pure clients are easy to harden (hardening hosts is only hard when you need to offer network services from those hosts).
I'm not sure that assumption is valid, many home networks have 2 or 3 clients on them- some of which may be doing things like serving music files, participating in P2P networks, etc. In a typical home environment, it's only easy to enforce a security policy if there's one person using the machines, or one predominately computer-literate person, otherwise, it's as political and bad as any other network, maybe worse...
> As I see it, the one hard-to-address aspect of home net security is preventing drive-by wireless users from committing offenses on the internet through your access.
That's one of the three main reasons I want to enforce IPSec on the WLAN side of things...
> While it's weak protection, I think wiring down the DHCP with an enumerated list of MAC addrs is decent protection. Not perfect, of course, but it'll cut out casual drive-bys, and improve the odds that you at least notice even when a clever one tries to do bad. And it's awfully easy to do.
If I were going that route, I'd go with one of those Internet cafe-style authenticating gateways... However, in this case, I'm (being pretty picky) not really enthused about putting up another 300W power supply full-time (when the quad processor dual 800W PSU AlphaServer is online, my electricity bill goes way up- but at least it heats the house in the winter.)
> Enabling WEP would also add a modest little increment of hassle to a drive-by, but given the utter lack of key management in 802.11b WEP I'll give that a miss.
The second thing I'm worried about (not overly, but I think it's a valid risk) is a determined neighbor, which would mean LEAP or something to get around the key issues. A neighbor could literally take years to probe, potentially even from hosts on yet-another neighbor's network (I can see 2 unsecured, default SSID'd WLANs from my house.)

The final thing I'm concerned about is the Access Point itself. After the early SNMP issues, and because I'm not all that enamoured with what I've seen in "appliance" devices recently, I'm just not happy exposing a WAP without enforcing IPSec. I was seriously considering re-flashing a DELL AP with my own Linux kernel, but I can't imagine the CPU in one of those would like even a lightweight crypto algorithm. I don't feel I need 3DES, it *is* a home network after all, and the host security on anything that has sensitive data is fine, but I can't imagine a 33MHz ARM doing much more than XOR without breaking into a sweat.

Anyway, more about that when I summarize the responses.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts () patriot net which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
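The "at least notice" half of the enumerated-MAC idea discussed in this thread, as an added example that is not part of the original message: a small Python check that reports DHCP clients whose MAC is not on the allowlist. The allowlist, hostnames and log lines are constructed, and the log layout assumes ISC dhcpd-style syslog output.

```python
import re

# Assumption: the MACs enumerated in the DHCP server config (constructed values).
KNOWN_MACS = {"00:0C:29:AA:BB:01", "00:0c:29:aa:bb:02"}

# Constructed syslog lines in the style ISC dhcpd writes; not from a real network.
SAMPLE_LOG = """\
Jun 15 08:40:01 gw dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:01 via eth1
Jun 15 08:40:02 gw dhcpd: DHCPACK on 192.168.1.10 to 00:0c:29:aa:bb:01 via eth1
Jun 15 09:12:44 gw dhcpd: DHCPDISCOVER from 00:02:2d:11:22:33 via eth1: network 192.168.1.0/24: no free leases
Jun 15 09:12:48 gw dhcpd: DHCPDISCOVER from 00:02:2d:11:22:33 via eth1: network 192.168.1.0/24: no free leases
Jun 15 09:30:00 gw dhcpd: DHCPREQUEST for 192.168.1.11 from 00:0c:29:aa:bb:02 via eth1
"""

# Timestamp, DHCP message type, and the client MAC that follows "from" or "to".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?dhcpd(?:\[\d+\])?:\s"
    r"(?P<msg>DHCP[A-Z]+)\b.*?\b(?:from|to)\s"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\b"
)


def unknown_clients(log_text, known=KNOWN_MACS):
    """Return {mac: {"first_seen", "count", "messages"}} for MACs not on the allowlist."""
    allow = {m.lower() for m in known}  # allowlist entries may be typed in either case
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a dhcpd client message
        mac = m.group("mac").lower()
        if mac in allow:
            continue
        entry = seen.setdefault(
            mac, {"first_seen": m.group("ts"), "count": 0, "messages": set()}
        )
        entry["count"] += 1
        entry["messages"].add(m.group("msg"))
    return seen


if __name__ == "__main__":
    for mac, info in unknown_clients(SAMPLE_LOG).items():
        print(mac, info["first_seen"], info["count"], sorted(info["messages"]))
```
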
Current thread:
- 802.11b and IPSec Paul Robertson (Jun 09)
- home net security (was Re: 802.11b and IPSec) Bennett Todd (Jun 10)
- Re: home net security (was Re: 802.11b and IPSec) Paul Robertson (Jun 15)