Firewall Wizards mailing list archives

Re: home net security (was Re: 802.11b and IPSec)


From: Paul Robertson <proberts () patriot net>
Date: Sun, 15 Jun 2003 08:46:06 -0400 (EDT)

On Tue, 10 Jun 2003, Bennett Todd wrote:

I don't know the answer to the question you ask. If I wanted to hunt

I got lots of answers, I'll write up a summary in the next week or so...

If you don't mind, though, I think it'd be valuable to expand the
discussion to a more general analysis of security for home nets.

I think that's valuable...

Now obviously a home net can be anything. There are undoubtedly
maniacs who have Beowulf clusters doing hotly proprietary financial
modelling or whatever, with Special Needs. But they aren't typical.

I think that much, much worse is the user who doesn't know what the value 
of data on their home network is- or who underestimates it.  Heck, the CIA 
had a Director who took classified home to his PC, the rest of us have 
much less strict environments, and have to deal with the outcome..

Let's fantasize that the typical home net has 802.11b; it has one
or more workstations on it, which being pure clients are easy to
harden (hardening hosts is only hard when you need to offer network
services from those hosts).

I'm not sure that assumption is valid, many home networks have 2 or 3 
clients on them- some of which may be doing things like serving music 
files, participating in P2P networks, etc.  In a typical home environment, 
it's only easy to enforce a security policy if there's one person using 
the machines, or one predominately computer-literate person, otherwise, 
it's as political and bad as any other network, maybe worse...

As I see it, the one hard-to-address aspect of home net security is
preventing drive-by wireless users from committing offenses on the
internet through your access.

That's one of the three main reasons I want to enforce IPSec on the WLAN 
side of things...
 
While it's weak protection, I think wiring down the DHCP with an
enumerated list of MAC addrs is decent protection. Not perfect, of
course, but it'll cut out casual drive-bys, and improve the odds
that you at least notice even when a clever one tries to do bad. And
it's awfully easy to do.

If I were going that route, I'd go with one of those Internet cafe-style 
authenticating gateways...  However, in this case, I'm (being pretty 
picky) not really enthused about putting up another 300W power supply 
full-time (when the quad processor dual 800W PSU AlphaServer is online, my 
electricity bill goes way up- but at least it heats the house in the 
winter.)

Enabling WEP would also add a modest little increment of hassle to a
drive-by, but given the utter lack of key management in 802.11b WEP
I'll give that a miss.

The second thing I'm worried about (not overly, but I think it's a valid 
risk) is a determined neighbor, which would mean LEAP or something to get 
around the key issues.  A neighbor could literally take years to probe, 
potentially even from hosts on yet-another neighbor's network (I can see 2 
unsecured, default SSID'd WLANs from my house.)

The final thing I'm concerned about is the Access Point itself.  After the 
early SNMP issues, and because I'm not all that enamoured with what I've 
seen in "appliance" devices recently, I'm just not happy exposing a WAP 
without enforcing IPSec.  I was seriously considering re-flashing a DELL 
AP with my own Linux kernel, but I can't imagine the CPU in one of those 
would like even a lightweight crypto algorithm.

I don't feel I need 3DES, it *is* a home network after all, and the host 
security on anything that has sensitive data is fine, but I can't imagine 
a 33MHz ARM doing much more than XOR without breaking into a sweat.  
Anyway, more about that when I summarize the responses.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
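
Added example, not part of the original message: the quoted suggestion of pinning DHCP to an enumerated list of MAC addresses "improves the odds that you at least notice" only if someone reads the server log, so this sketch reports client requests from MACs that are not on the list. The allowlist, the host name "gw" and the log lines are constructed, and the line layout is an assumption modelled on ISC dhcpd syslog output.

```python
import re

# Assumption: the household's own adapters (constructed values).
KNOWN_MACS = {"00:0c:41:aa:10:01", "00:0c:41:aa:10:02"}

# Constructed sample lines in the style of ISC dhcpd syslog output.
SAMPLE_LOG = """\
Jun 15 08:01:12 gw dhcpd: DHCPDISCOVER from 00:0c:41:aa:10:01 via eth1
Jun 15 08:01:12 gw dhcpd: DHCPOFFER on 192.168.7.10 to 00:0c:41:aa:10:01 via eth1
Jun 15 08:01:13 gw dhcpd: DHCPREQUEST for 192.168.7.10 from 00:0c:41:aa:10:01 via eth1
Jun 15 08:01:13 gw dhcpd: DHCPACK on 192.168.7.10 to 00:0c:41:aa:10:01 via eth1
Jun 15 21:40:02 gw dhcpd: DHCPDISCOVER from 00:02:2D:5B:77:F0 via eth1: unknown client
Jun 15 21:40:06 gw dhcpd: DHCPDISCOVER from 00:02:2D:5B:77:F0 via eth1: unknown client
Jun 16 02:13:44 gw dhcpd: DHCPDISCOVER from 00:40:96:12:34:56 via eth1: unknown client
"""

# timestamp, host, "dhcpd:", message type, then the MAC after "from" or "to"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sdhcpd(?:\[\d+\])?:\s"
    r"(?P<msg>DHCP[A-Z]+)\s.*?\b(?:from|to)\s"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\b"
)

# Only messages that originate from a client count as a sighting.
CLIENT_MSGS = ("DHCPDISCOVER", "DHCPREQUEST", "DHCPINFORM")


def unknown_clients(log_text, known=KNOWN_MACS):
    """Return {mac: {"count", "first", "last"}} for MACs not on the allowlist."""
    known = {m.lower() for m in known}
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["msg"] not in CLIENT_MSGS:
            continue
        mac = m["mac"].lower()  # logs may mix upper and lower case
        if mac in known:
            continue
        rec = seen.setdefault(mac, {"count": 0, "first": m["ts"], "last": m["ts"]})
        rec["count"] += 1
        rec["last"] = m["ts"]
    return seen


if __name__ == "__main__":
    for mac, rec in unknown_clients(SAMPLE_LOG).items():
        print(f"{mac}: {rec['count']} request(s), {rec['first']} .. {rec['last']}")
```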
