I'm redesigning my home network.

Howell

OK, security gurus. I'm redesigning my home network. I will want a firewall, a wireless segment, a dial-up segment, a DMZ and an inside segment. My main concern is about the wireless segment. Except for the switches everything is PC based, most likely Free/OpenBSD.

I’m considering having one box as the firewall and another box just inside the firewall as a Dialup/DMZ router and VPN server. One option is to hang the wireless segment off of the router/VPN server and leave the firewall as simple as possible with only two NICs in it. I would deny all traffic from the wireless segment that was not over the VPN, have static IPs etc. but I’m still concerned about the segment being behind the FW. Maybe the concern is unfounded.

Alternatively, I could have one box that provides all segments. My concern with this is the number of pieces of software and their bug fixes I would have to stay on top of. I plan to keep my software up to date but if a bug is found in the wireless portion I could wait longer to fix it if that software was not facing the outside. Does this sound like a big deal?

I want to treat this as professionally as I can, within my financial means, as I would like to use these concepts later outside the home.

Discuss.
 

honold

do it all on one box.

openbsd is not nearly as friendly as freebsd in terms of version upgrades.

buy the oreilly wireless security book.
 

blakerwry

i wish i was a security guru....


just wondering, but if you made it so only specific MAC addresses were allowed on your network, how would this compare to using VPN?

can someone still packet sniff if they don't have an IP? I suppose they would be able to...

what are the benefits of using a linux/unix box compared to a dedicated hardware router when doing more advanced things like VPN and firewall rules?
 

honold

MACs can be spoofed so it's more of a 'deterrent'.

packet sniffing can be done without an ip address, only an ip stack. you set the nic to promiscuous mode (where it actually 'listens' to everything it sees, even stuff not directed to it) and you can dump out from it. for more extremely secure wiretapping situations, you can actually fashion a read-only ethernet cable and do sniffing on an interface with no ip.

usually works like this

LAN - [ HUB ] - INTERNET
         |
       SNIFF

in such configurations you can sniff securely and your sniffing box dying won't cause your connections to puke (because the hub, not the sniffer, is forwarding the packets along). this type of thing is common for stuff like intrusion detection systems - google for 'snort'.

for real use in real environments, hardware-based solutions are better because of management, configuration, and reliability. software solutions are inexpensive and great because they are instructional.
 

blakerwry

I know MACs can be spoofed, sometimes very easily.. however, if your network is set to allow only certain MACs to connect, how can somebody tell the MAC of your NIC card?

Is it somewhere in the information your computer is sending/receiving?

I know some protocols, such as netBEUI work via MAC addresses, but TCP/IP works off of IP addresses, does this just get further broken down into MAC level addressing once you get to the last network node?
 

Dïscfärm

Howell said:
...I will want a firewall, a wireless segment, a dial-up segment, a DMZ and an inside segment. My main concern is about the wireless segment. Except for the switches everything is PC based, most likely Free/OpenBSD...

DMZ=Isolation Network, I assume...

If you are truly apprehensive about the wireless segment of your home network (¿¿¿are you in a dormitory or an apartment complex???), then the ideal setup will be to have 2 firewalls, with one firewall between the "public" segment of your network (dialup, DSL, etc) and your isolation network and another firewall between your isolation network and your wired Ethernet LAN. The wireless segment will connect to the isolation network (Wireless Access Point). The VPN will have to be able to talk through both firewalls as -- I'm assuming -- VPN connectivity will be done with a non-wireless box (or boxes) on the Ethernet LAN segment.

Do you *really* need wireless network capability?

 

Howell

Dïscfärm said:
Howell said:
...I will want a firewall, a wireless segment, a dial-up segment, a DMZ and an inside segment. My main concern is about the wireless segment. Except for the switches everything is PC based, most likely Free/OpenBSD...

DMZ=Isolation Network, I assume...

If you are truly apprehensive about the wireless segment of your home network (¿¿¿are you in a dormitory or an apartment complex???), then the ideal setup will be to have 2 firewalls, with one firewall between the "public" segment of your network (dialup, DSL, etc) and your isolation network and another firewall between your isolation network and your wired Ethernet LAN. The wireless segment will connect to the isolation network (Wireless Access Point). The VPN will have to be able to talk through both firewalls as -- I'm assuming -- VPN connectivity will be done with a non-wireless box (or boxes) on the Ethernet LAN segment.

Do you *really* need wireless network capability?


This project is as much about learning as anything though I do live in an apartment.

Having a wireless segment is not necessary for my general well-being and happiness but it would sure make using the laptop easier. Then there's the aforementioned learning.
 

honold

i would do it all on one box because i don't see the need for a dmz. just force ipsec on all your wireless traffic.
 

Cliptin

honold said:
i would do it all on one box because i don't see the need for a dmz. just force ipsec on all your wireless traffic.

The DMZ was for an outward facing IMAP server. I'd want to get to it from the inside as well. But I want it to have only limited access to the inside if any.
 

honold

you can accomplish all that by running it on the appropriate interface and using a packet filter
 

Howell

honold said:
you can accomplish all that by running it on the appropriate interface and using a packet filter

Er... we are diving to depths I have not yet plumbed. When you say appropriate interface are you suggesting that I do not need a separate NIC for the DMZ segment or something else?

Is the packet filtering solution part of a standard implementation or something that I will have to implement over and above?
 

Cliptin

honold said:
let's begin this simply:

why do you need a dmz?

At first I want a server to serve webmail to me to both inside and outside. However, If the server is ever compromised I do not want said intruder to have any more than minimal access to anything else on the inside.
 

honold

if you're that worried about it, the best configuration would probably be to have an internal imap server and a dedicated webmail server.

firewall the webmail server so that its only traffic allowed to the lan is to the imap port of the imap server.

webmail is just web presentation of email - the web and imap servers can be separate.

look at dovecot for an imap server and squirrelmail for webmail.
 

blakerwry

I want to set up an IMAP and webmail server as well... I have both currently, but only under winNT... as part of my migration to fewer computers I'm planning to retire this winNT server and go to a single server (linux)...

I have used SquirrelMail, and it's OK... but I was wondering what good servers were available for webmail and IMAP in linux... I want ease of setup and pretty fanciness over security. What can you guys recommend?
 

blakerwry

I saw a couple of vulnerabilities for that server, however they only apply to people who already have accounts on your machine... and remote users couldn't do anything that they would not normally be able to do with a shell account.

...I'm not worried about being hacked by people I have already given access to.
 

honold

is your imap server going to be accessible via the internet, or just webmail?

if the imap can't be seen on the open net, feel free to use GETHACKEDIMAPD or whatever, because it doesn't matter as long as people can't get to it. imap-uw is literally a one-liner setup (if that, depending on os/packaging)
 

Handruin

blakerwry said:
Handruin said:
Check out Horde/IMP. I have the option of squirrel mail or Horde and I prefer the latter.

oh yeah, I remember horde, i used that a looong time ago... hmm.. have to check it out again.

I used IMP about two years ago and it has improved much since then.
 

Mercutio

Nifty Link, courtesy of google

I couldn't get the actual page to load.
Howell's description of his desired results sounds a lot like what I've got sitting around MY apartment, except my WU imap server isn't accessible to the outside world.

I don't put much effort into keeping my openBSD box up to date, honestly. It just sits in the corner and seems to be doing its job. Every once in a while I'll see something on slashdot that'll remind me to update. tripwire says nobody has gotten in, and honestly, there's some assmunch on my dialup provider whose code red crap still pounds my poor widdly modems from time to time. I seem to get port scanned a lot, too, oftentimes by my ISP's internal machines... anyway, looking at the logs isn't even that interesting.

Honold, I did pick up the O'Reilly 802.11 security book today. Just skimming so far, but it seems pretty useful.
 

Platform

Howell said:
This project is as much about learning as anything though I do live in an apartment.


Having a wireless segment in an apartment complex would certainly justify having all the available security countermeasures one could afford in place, as we are only just now in the beginning phase of having yahoos roaming around neighbourhoods sniffing for "hot spots." Or as far as that goes, frustrated yahoos roaming around performing Wireless Denial Of Service attacks.


A "DMZ" (isolation network) is useful for connecting public WWW servers, E-mail servers, and the like onto. The first firewall -- between the public segment and the DMZ -- will vastly reduce probing and access attempts by filtering out traffic that doesn't pertain to the network services that your various public servers speak (WWW, SMTP, etc). The second firewall -- between DMZ and LAN segments -- will essentially block all packets that originate from beyond the first firewall. This is classic network topology for anyone running publicly available Internet servers and also needing full access to the Internet on a secured LAN using the same connection to the public Internet.


The wireless segment of your network should be connected to the DMZ, only because you can never really trust it -- simply because it has no physical security.


It would be nice to have a WAP and wireless NIC that had the ability to set up broadcast radius (broadcast power). With a broadcast radius manually set to only 3 or 5 meters, you would not have to worry about someone beyond that spherical distance being able to accurately receive ANY of your network traffic. An "automatic" broadcast system using variable broadcast power could also be devised, where you are required to initiate your networking session with your notebook computer at a distance of 3 meters or less from the WAP. Then, as you started to range beyond 3 meters from the WAP, automatic gain control circuits in both the WAP and wireless NIC would sense decreasing reception and increase transmit power to the next step. A system such as this would keep the broadcast radius to a minimum at all times. Otherwise, you could shield your apartment with aluminum foil. ;^)
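Two posts above describe the same filtering policy from different angles: honold's suggestion that the DMZ webmail host be allowed to reach nothing on the LAN except the IMAP port of the IMAP server, and Platform's point that the outer firewall admits only the services the public servers actually speak, with the wireless segment treated as untrusted. The following is an added example, not code from this thread or from any poster. It models that four-segment policy with OpenBSD pf's rule semantics (rules read top to bottom, last matching rule wins, a `quick` rule ends evaluation) and renders each rule as the pf.conf line it corresponds to, so the policy can be checked against sample flows before it is typed into a real firewall. The interface names (`ext0`, `dmz0`, `wifi0`, `lan0`), subnets and host addresses are constructed for the example; the IPsec-only rule for wireless follows honold's "force ipsec on all your wireless traffic".

```python
"""Segmented home-firewall policy, modelled with pf-style rule semantics.

Added example; not code from the thread or from any poster. The evaluator
mimics OpenBSD pf: rules are read top to bottom, the LAST matching rule
wins, and a rule marked ``quick`` stops evaluation. All interface names,
subnets and host addresses below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addressing plan: one NIC per segment on the firewall box.
LAN, DMZ, WIFI = "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"
IMAP_SERVER = "192.168.1.10/32"   # internal IMAP server (e.g. dovecot) on the LAN
WEBMAIL = "192.168.2.10/32"       # webmail front end (e.g. squirrelmail) in the DMZ
VPN_GW = "192.168.3.1/32"         # the firewall's own address on the wireless NIC


@dataclass(frozen=True)
class Flow:
    """One inbound packet as pf would see it on the interface it arrives on."""
    iface: str
    proto: str                 # "tcp", "udp" or "esp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    iface: Optional[str] = None     # None matches any interface
    proto: Optional[str] = None
    src: Optional[str] = None       # CIDR; None matches any address
    dst: Optional[str] = None
    dport: Optional[int] = None
    quick: bool = False

    def matches(self, f: Flow) -> bool:
        return ((self.iface is None or self.iface == f.iface)
                and (self.proto is None or self.proto == f.proto)
                and (self.src is None or ip_address(f.src) in ip_network(self.src))
                and (self.dst is None or ip_address(f.dst) in ip_network(self.dst))
                and (self.dport is None or self.dport == f.dport))

    def to_pf(self) -> str:
        """Render the rule as a pf.conf line (inbound direction only)."""
        parts = [self.action] + (["quick"] if self.quick else []) + ["in"]
        if self.iface:
            parts += ["on", self.iface]
        if self.proto:
            parts += ["proto", self.proto]
        parts += ["from", self.src or "any", "to", self.dst or "any"]
        if self.dport is not None:
            parts += ["port", str(self.dport)]
        return " ".join(parts)


def policy() -> List[Rule]:
    """Default-deny ruleset for the four-segment design discussed in the thread."""
    return [
        Rule("block"),                                   # default deny everywhere
        # Antispoof-style: LAN addresses never legitimately arrive on the wireless
        # NIC, so a packet claiming one is dropped without looking further.
        Rule("block", "wifi0", src=LAN, quick=True),
        # Internet may reach only the one service the DMZ host actually speaks.
        Rule("pass", "ext0", "tcp", dst=WEBMAIL, dport=443),
        # The inside segment is trusted and may initiate anything.
        Rule("pass", "lan0", src=LAN),
        # DMZ -> LAN: nothing, except webmail -> IMAP port on the IMAP server.
        Rule("block", "dmz0", src=DMZ, dst=LAN),
        Rule("pass", "dmz0", "tcp", src=WEBMAIL, dst=IMAP_SERVER, dport=143),
        # Wireless: only IPsec (IKE, NAT-T, ESP) to the VPN gateway. Decrypted
        # traffic would appear on pf's enc0 interface and be filtered there.
        Rule("block", "wifi0", src=WIFI),
        Rule("pass", "wifi0", "udp", src=WIFI, dst=VPN_GW, dport=500),
        Rule("pass", "wifi0", "udp", src=WIFI, dst=VPN_GW, dport=4500),
        Rule("pass", "wifi0", "esp", src=WIFI, dst=VPN_GW),
    ]


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """pf semantics: last matching rule wins; a 'quick' match ends evaluation."""
    verdict = "block"          # implicit default if no rule matches at all
    for rule in rules:
        if rule.matches(flow):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


def render_pf(rules: List[Rule]) -> str:
    """The same policy as pf.conf-style text, one line per rule."""
    return "\n".join(r.to_pf() for r in rules)


if __name__ == "__main__":
    print(render_pf(policy()))
    for f in (Flow("dmz0", "tcp", "192.168.2.10", "192.168.1.10", 143),
              Flow("dmz0", "tcp", "192.168.2.10", "192.168.1.20", 22),
              Flow("wifi0", "tcp", "192.168.1.20", "192.168.1.10", 143)):
        print(f, "->", evaluate(policy(), f))
```

The point of binding every pass rule to the interface it arrives on is visible in the last sample flow: a wireless host that forges a LAN source address still hits only the `wifi0` rules, so the LAN's blanket pass never applies to it. On a real OpenBSD box the rendered lines would go into /etc/pf.conf, and `pfctl -nf /etc/pf.conf` parses the file without loading it, which is the place to catch syntax slips before they take the network down.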

 

Howell

Platform said:
A system such as this would keep the broadcast radius to a minimum at all times. Otherwise, you could shield your apartment with aluminum foil. ;^)


Thanks for the run-down Gary. Alternatively, I could aluminum-foil-shield the WAP antenna. Maybe 180 degrees and three inches off the antenna.
Code:
 \
*|
 /
 

Howell

honold said:
if you're that worried about it, the best configuration would probably be to have an internal imap server and a dedicated webmail server.

firewall the webmail server so that its only traffic allowed to the lan is to the imap port of the imap server.

webmail is just web presentation of email - the web and imap servers can be separate.

look at dovecot for an imap server and squirrelmail for webmail.

Thanks for the help honold.
 