Tip of the Day - Home Wireless Gateways
Today's tip focuses on small office/home office (SOHO) wireless routers. As most of our readers probably know, I teach SANS Security Essentials (SEC 401) about five times a year at the large SANS conferences. We always get into a sidebar discussion at some point about how to safely configure your home wireless router or gateway. So I thought that the ideas we've come up with over the past few years would be good for discussion here.
I'll use my home system as an example. After all, practice what you preach, right? :)
I am on a cable modem system and also have access to a fiber optic service provided by the local telco. To simplify things, let's just assume that I have one ISP. Dual-homing in your house tends to upset the residential ISPs so therefore let's don't go down that road today. I am in a "normal" suburban neighborhood, average sized wood frame house, two levels above ground plus a basement, garage, porch, etc. Nothing fancy but perfect for building a home network.
In a "typical" setup the cable modem connects to a SOHO wireless router. Wired and wireless hosts are behind the SOHO router and get their IP addresses, DNS settings, etc. from the router via DHCP. Being the geek that I am, there are two SOHO routers in my basement, one wired (connected to the cable modem) and one wireless (connected to the wired router.) By using two devices I can create a separately numbered wireless LAN. Also, I have an old two-port router that connects to the wired SOHO router, and behind that old router is my test network on its own subnet. My IP subnetting looks like this:
68.x.y.z - wired SOHO router, low (WAN) side
192.168.1.1 - wired SOHO router, high (LAN) side
192.168.1.11..15 - DHCP assigned wired hosts
192.168.1.200 - printer
192.168.1.2 - old two port router, low side
192.168.2.1 - old two port router, high side
192.168.2.21..25 - test computers with fixed IP addresses
192.168.1.3 - wireless SOHO router, low side
192.168.3.1 - wireless SOHO router, wireless side
192.168.3.31..35 - DHCP assigned wireless hosts
By using discipline in subnetting I have a much easier time troubleshooting problems, plus I've created a few "layers of defense" in my home network. On the wireless SOHO router, I do the following for wireless protection:
- Turn off SSID broadcast
- Use MAC address filtering
- Turn on 128-bit WEP
- Keep the router at or below ground level
- Limit the number of DHCP licenses to only what I need
- Change the default frequency (channel) to one that is not used by my neighbors
Why put the wireless SOHO router below ground? Well, wireless signals are at 2.4GHz if you are using 802.11b/g service and at that frequency they don't travel very well through dirt. So if the router is below ground, the signal is fine inside the house, but drops off significantly more than a few feet away outside the house. This is yet another "layer" since it makes war driving from the curb very difficult with standard antennas.
One other item for home users. If you have one of the popular SOHO routers (Linksys, Netgear, DLink, etc.) the odds are good that they can create logs for the DShield service. See the how-to page over at DShield for instructions. I use the wired SOHO router to create my logs, from the router they go to a desktop computer with a fixed IP address, then that computer submits them to DShield once an hour. By logging into DShield I can see graphically what is coming at my home network based on what the SOHO router is logging. Very cool!
Have you got any other useful tips for home or small office wireless routers? If so, send them to us via the contact page and we'll post additional ideas here.
UPDATES
Chris suggests:
- Change the SSID to something other than what the manufacturer provided
- Make sure that you also change the default password(s) on the router
- Use WPA or WPA2 if available (I know that WEP is "crackable" but you've got to have a lot of packets to do that. Most home networks are not that noisy so you force an attacker to use additional tools to create traffic. Remember the idea here is to use whatever the best tool is that you have, WEP is better than nothing, WPA is better than WEP and WPA2 is better than WPA. TKIP gives you bonus points.)
Pedro pointed us to a nice URL:
- Wireless LAN Security Guide
Ned expanded on the DHCP limits idea:
- You could use a restrictive subnet mask (eg, 255.255.255.248 if you only need 6 IP addresses) to further limit the number of actual IP addresses available on the subnet to just those needed. Once these have been assigned, a hacker can't connect if there's no more IP addresses available on the subnet, and how many SOHO users actually need the full range of 254 IP addresses normally available by default on a SOHO router.
Andrew sent us these ideas. Some of them may be a stretch for home or small business users, but good ideas to think about:
- Set speed to 802.11g ONLY. Prevents 802.11b clients from connecting and may prevent some injection and replay based attacks that use Atheros based 802.11b cards. This can be done on a Cisco 800 series router using the "speed ofdm-throughput" command in Interface conifiguration mode.
- Utilize egress and ingress ACLs and IP inspection on Cisco wireless routers. Inspection and CBAC (Context Based Access Control) can really help you lockdown what "gets out" from your machines to the Internet. As much as we like cool apps, most of them are really phone-home friendly. Also, only return traffic from internal requests will get back into the network.
- Disable "Ad-Hoc" or "Peer-to-Peer" connections on your wireless card. No need to be able to connect directly with other wireless machines!
- Turn on a host firewall such as Windows Firewall. I personally use Zone Alarm.
- Use SSHv2 to manage the router, if available.
Marcus H. Sachs
Director, SANS Internet Storm Center
MORE UPDATES:
Dr. Neal Krawetz makes some additional useful points (which I've edited very slightly):
I suggest putting the WiFi as the outter wall of the DMZ.
cable modem <-> Wifi <-> DMZ <-> Wired <-> LAN
This way, if your Wifi does happen to get used by someone else, they cannot get into your home computers. This is a good solution if you don't need to access shared drives. (I have rarely come across homes with multiple computers that actually use shares -- most have it enabled but don't use it.) I do allow LPD from the Wifi to the Wired so I can print -- an attacker could waste my paper and toner, but not delete my data.
Regarding antenna placement, I fully agree with you: a basement is best. Choose a corner that is surrounded by dirt. If you don't have a basement, consider placing the Wifi near the front of the house and have a fish tank (or refrigerator) between the Wifi and the street. Your neighbors will see the signal, but war drivers probably will not. Also consider a metal hood (or aluminum-lined shoebox -- either properly grounded) to limit signal propagation. And whatever you do, don't put the Wifi on the 2nd floor if you can help it.
This may sound odd, but 802.11a is sometimes better than 802.11b/g. Since 802.11b/g is more common, running 802.11a is effectively security-by-obscurity. As long as the attacker does not see you, you're safe. [NOTE FROM ED: Please do not inundate us with a tired debate about security through obscurity... we've heard it all, and we've all come to the conclusion that I am right.]
As far as encryption goes, WEP is better than nothing and will deter most wardrivers. If someone wants to crack your WEP then it's because they want "your" network and not just "a" network. WAP, TKIP and other encryption systems are better, but you may not have compatability with all wireless computers. MAC authentication will slow down an attacker, but also isn't bullet proof. Then again, security is a measurement of risk: for most homes, WEP + MAC filtering is more than good enough.
Your other tips, like disabling the SSID broadcast, limiting DHCP hosts, and changing default settings is right on the money. Also, add in: disable Wifi configuration from the Wifi network (if your router has that option), set a non-trivial admin password on the router, and disable ping-from-WAN (good for all routers).
-------
Good stuff. Thanks, Dr. Neal!
---
Ryan Merrick pointed us to this URL, where some configs are described that can let you really mess with the head of someone surruptitiously using your wireless network, flipping their pages, reversing fonts, and blurring things. I don't recommend this, but it is an interesting idea.
--Ed Skoudis
Intelguardians
I'll use my home system as an example. After all, practice what you preach, right? :)
I am on a cable modem system and also have access to a fiber optic service provided by the local telco. To simplify things, let's just assume that I have one ISP. Dual-homing in your house tends to upset the residential ISPs so therefore let's don't go down that road today. I am in a "normal" suburban neighborhood, average sized wood frame house, two levels above ground plus a basement, garage, porch, etc. Nothing fancy but perfect for building a home network.
In a "typical" setup the cable modem connects to a SOHO wireless router. Wired and wireless hosts are behind the SOHO router and get their IP addresses, DNS settings, etc. from the router via DHCP. Being the geek that I am, there are two SOHO routers in my basement, one wired (connected to the cable modem) and one wireless (connected to the wired router.) By using two devices I can create a separately numbered wireless LAN. Also, I have an old two-port router that connects to the wired SOHO router, and behind that old router is my test network on its own subnet. My IP subnetting looks like this:
68.x.y.z - wired SOHO router, low (WAN) side
192.168.1.1 - wired SOHO router, high (LAN) side
192.168.1.11..15 - DHCP assigned wired hosts
192.168.1.200 - printer
192.168.1.2 - old two port router, low side
192.168.2.1 - old two port router, high side
192.168.2.21..25 - test computers with fixed IP addresses
192.168.1.3 - wireless SOHO router, low side
192.168.3.1 - wireless SOHO router, wireless side
192.168.3.31..35 - DHCP assigned wireless hosts
By using discipline in subnetting I have a much easier time troubleshooting problems, plus I've created a few "layers of defense" in my home network. On the wireless SOHO router, I do the following for wireless protection:
- Turn off SSID broadcast
- Use MAC address filtering
- Turn on 128-bit WEP
- Keep the router at or below ground level
- Limit the number of DHCP licenses to only what I need
- Change the default frequency (channel) to one that is not used by my neighbors
Why put the wireless SOHO router below ground? Well, wireless signals are at 2.4GHz if you are using 802.11b/g service and at that frequency they don't travel very well through dirt. So if the router is below ground, the signal is fine inside the house, but drops off significantly more than a few feet away outside the house. This is yet another "layer" since it makes war driving from the curb very difficult with standard antennas.
One other item for home users. If you have one of the popular SOHO routers (Linksys, Netgear, DLink, etc.) the odds are good that they can create logs for the DShield service. See the how-to page over at DShield for instructions. I use the wired SOHO router to create my logs, from the router they go to a desktop computer with a fixed IP address, then that computer submits them to DShield once an hour. By logging into DShield I can see graphically what is coming at my home network based on what the SOHO router is logging. Very cool!
Have you got any other useful tips for home or small office wireless routers? If so, send them to us via the contact page and we'll post additional ideas here.
UPDATES
Chris suggests:
- Change the SSID to something other than what the manufacturer provided
- Make sure that you also change the default password(s) on the router
- Use WPA or WPA2 if available (I know that WEP is "crackable" but you've got to have a lot of packets to do that. Most home networks are not that noisy so you force an attacker to use additional tools to create traffic. Remember the idea here is to use whatever the best tool is that you have, WEP is better than nothing, WPA is better than WEP and WPA2 is better than WPA. TKIP gives you bonus points.)
Pedro pointed us to a nice URL:
- Wireless LAN Security Guide
Ned expanded on the DHCP limits idea:
- You could use a restrictive subnet mask (eg, 255.255.255.248 if you only need 6 IP addresses) to further limit the number of actual IP addresses available on the subnet to just those needed. Once these have been assigned, a hacker can't connect if there's no more IP addresses available on the subnet, and how many SOHO users actually need the full range of 254 IP addresses normally available by default on a SOHO router.
Andrew sent us these ideas. Some of them may be a stretch for home or small business users, but good ideas to think about:
- Set speed to 802.11g ONLY. Prevents 802.11b clients from connecting and may prevent some injection and replay based attacks that use Atheros based 802.11b cards. This can be done on a Cisco 800 series router using the "speed ofdm-throughput" command in Interface conifiguration mode.
- Utilize egress and ingress ACLs and IP inspection on Cisco wireless routers. Inspection and CBAC (Context Based Access Control) can really help you lockdown what "gets out" from your machines to the Internet. As much as we like cool apps, most of them are really phone-home friendly. Also, only return traffic from internal requests will get back into the network.
- Disable "Ad-Hoc" or "Peer-to-Peer" connections on your wireless card. No need to be able to connect directly with other wireless machines!
- Turn on a host firewall such as Windows Firewall. I personally use Zone Alarm.
- Use SSHv2 to manage the router, if available.
Marcus H. Sachs
Director, SANS Internet Storm Center
MORE UPDATES:
Dr. Neal Krawetz makes some additional useful points (which I've edited very slightly):
I suggest putting the WiFi as the outter wall of the DMZ.
cable modem <-> Wifi <-> DMZ <-> Wired <-> LAN
This way, if your Wifi does happen to get used by someone else, they cannot get into your home computers. This is a good solution if you don't need to access shared drives. (I have rarely come across homes with multiple computers that actually use shares -- most have it enabled but don't use it.) I do allow LPD from the Wifi to the Wired so I can print -- an attacker could waste my paper and toner, but not delete my data.
Regarding antenna placement, I fully agree with you: a basement is best. Choose a corner that is surrounded by dirt. If you don't have a basement, consider placing the Wifi near the front of the house and have a fish tank (or refrigerator) between the Wifi and the street. Your neighbors will see the signal, but war drivers probably will not. Also consider a metal hood (or aluminum-lined shoebox -- either properly grounded) to limit signal propagation. And whatever you do, don't put the Wifi on the 2nd floor if you can help it.
This may sound odd, but 802.11a is sometimes better than 802.11b/g. Since 802.11b/g is more common, running 802.11a is effectively security-by-obscurity. As long as the attacker does not see you, you're safe. [NOTE FROM ED: Please do not inundate us with a tired debate about security through obscurity... we've heard it all, and we've all come to the conclusion that I am right.]
As far as encryption goes, WEP is better than nothing and will deter most wardrivers. If someone wants to crack your WEP then it's because they want "your" network and not just "a" network. WAP, TKIP and other encryption systems are better, but you may not have compatability with all wireless computers. MAC authentication will slow down an attacker, but also isn't bullet proof. Then again, security is a measurement of risk: for most homes, WEP + MAC filtering is more than good enough.
Your other tips, like disabling the SSID broadcast, limiting DHCP hosts, and changing default settings is right on the money. Also, add in: disable Wifi configuration from the Wifi network (if your router has that option), set a non-trivial admin password on the router, and disable ping-from-WAN (good for all routers).
-------
Good stuff. Thanks, Dr. Neal!
---
Ryan Merrick pointed us to this URL, where some configs are described that can let you really mess with the head of someone surruptitiously using your wireless network, flipping their pages, reversing fonts, and blurring things. I don't recommend this, but it is an interesting idea.
--Ed Skoudis
Intelguardians
Keywords: ToD
0 comment(s)
FAQ on PowerPoint 0-day
As was reported yesterday, there seems to be a new issue with PowerPoint. Reader Juha-Matti has put together a comprehensive FAQ about the situation. He is soliciting comments via his FAQ page, see the links at the bottom. More details coming as this develops.
Marcus H. Sachs
Director, SANS Internet Storm Center
Marcus H. Sachs
Director, SANS Internet Storm Center
Keywords:
0 comment(s)
More Email Tips
After Brian posted his Tip of the Day on email policies, we received an excellent set of ideas from reader David. Here's what he said, and they are pretty good tips. Thanks, David!
1) Use throw-away addresses for web-registrations, and other similar venues. A good way is to own your own domain, setup a catch-all forwarder for email to that domain, and then use the company name as part of the throw-away address (amazon@yourdomain.com for Amazon, tomsbestdeals@yourdomain.com, for TomsBestDeals, etc). This allows you to instantly recognize what the email is about, who sent it, or who sold it to a third party. Also, it seems spammers clean their spam lists of their own domains and customers' names, so this approach automagically keeps you off spammer lists. For those without domains, there are free services, such as www.sneakemail.com.
2) Use a simple filter for your inbox: If sender is NOT already-known (in address book, or in previous recipients), file in a New-Contacts folder. This leaves your inbox clean of spam, without worrying what the spam actually looks like. A quick scan through the New-Contacts folder can reveal new contacts and spam. Additional rules to identify specific problem spam (and send to a Spam folder) can also be applied. New contacts can be either replied to (so they become "previous recipients"), or added to your address book.
3) Use a variation of (2) for company-wide filtering:
a) Don't accept email for unknown addresses. This forces the outside server to create any bounce messages, and if that server is a spammer, the spam disappears.
b) Depending on the company needs, either don't accept email from unknown addresses, or limit what a previously-unknown address can do. Use your logs to populate a "previous recipients" database, a "known-good-sender" database, and a "known-bad-sender" database. The known-bad senders get rejected, the known-good senders get very relaxed thresholds (can send more mail per second, etc), the previous-recipients get somewhat relaxed thresholds, and everyone else gets restrictive thresholds (only 1 message per minute, for instance). Adjust to taste.
4) Do as much filtering based upon "protocol" as possible (as opposed to filtering based upon message content). Spammers change message content constantly. Spammers cannot do their jobs unless they send lots of copies of the same message really quickly. This generally means multiple recipients per message, and multiple short messages per connection. This also means there is likely to be a greater than 1% rate of bad addresses, as spammers' lists are not generally perfect.
5) Encourage TLS and DKIM use. Spammers tend to use botnets, which are unlikely to use TLS or various encryption/signing methods.
2) Use a simple filter for your inbox: If sender is NOT already-known (in address book, or in previous recipients), file in a New-Contacts folder. This leaves your inbox clean of spam, without worrying what the spam actually looks like. A quick scan through the New-Contacts folder can reveal new contacts and spam. Additional rules to identify specific problem spam (and send to a Spam folder) can also be applied. New contacts can be either replied to (so they become "previous recipients"), or added to your address book.
3) Use a variation of (2) for company-wide filtering:
a) Don't accept email for unknown addresses. This forces the outside server to create any bounce messages, and if that server is a spammer, the spam disappears.
b) Depending on the company needs, either don't accept email from unknown addresses, or limit what a previously-unknown address can do. Use your logs to populate a "previous recipients" database, a "known-good-sender" database, and a "known-bad-sender" database. The known-bad senders get rejected, the known-good senders get very relaxed thresholds (can send more mail per second, etc), the previous-recipients get somewhat relaxed thresholds, and everyone else gets restrictive thresholds (only 1 message per minute, for instance). Adjust to taste.
4) Do as much filtering based upon "protocol" as possible (as opposed to filtering based upon message content). Spammers change message content constantly. Spammers cannot do their jobs unless they send lots of copies of the same message really quickly. This generally means multiple recipients per message, and multiple short messages per connection. This also means there is likely to be a greater than 1% rate of bad addresses, as spammers' lists are not generally perfect.
5) Encourage TLS and DKIM use. Spammers tend to use botnets, which are unlikely to use TLS or various encryption/signing methods.
Keywords:
0 comment(s)
×
Diary Archives
Comments