Topic: Security, so what?

I've made some changes to the topography of my network at home.  We (my wife and I) no longer have any Windows clients, Samba shares, NFS mounts, etc.  So I have to ask myself, is there any real reason to worry about security of my wifi anymore?  Since every box has its own firewall running, the router has a strong password, etc, would it even be of real concern if someone was able to crack my relatively strong WPA passcode?  Sure, we all want WPA2, but....
Any thoughts?
Thx, Kyle

Re: Security, so what?

They can still get on your network and sniff your traffic.  If you are POP3ing email then there go your accounts.  They can use your network printers.  I would use nmap on each machine to be sure you have all ports how you like them.  My other question is why use wireless at all?  That seems like a lot of work for a single service that I bet you don't really need.  Having "open" wireless means you also get to take responsibility for ALL traffic that runs through your network. But...I better let you go. I think the FBI is knocking on your door and they have a few questions about your surfing habits.

Re: Security, so what?

LOL, good response with the FBI.
POP3 (or IMAP) is something I wanted to offer (to myself) soon, so very good to know.  However, so long as I'm not using any hub technology, is it really sniffable when that traffic is on ethernet of the same network?  So I use wired for everything except the notebook.  I like using the notebook elsewhere in the house...
I've never looked into it, but is there an easy way to require a user name and password for network printing?

And of course the last consideration, if my neighbor has a truly open network, do I need to worry all too much about someone having to actually do work to get into mine?

ps: topology:

Cable Modem ----- Wired Router ------ Wireless Router (no dhcp, acting as an access point)
                               |          |
                        desktop     server

Re: Security, so what?

There are many ways to pull data out of a network once inside.

Yes, a printer can be set to require auth, but it depends on the printer or print server.

Hackers are lazy so you are probably OK. But do you want to plan your security around what your neighbors might do?

Re: Security, so what?

I'm very paranoid about my wireless. I have a friend who was harassed for 8 hours by the feds because the previous tenants in his house had an open wireless network and someone was surfing kiddie pr0n through it. They hadn't been in the house more than a week when they got the 5 am knock. Everything panned out in the end because my friend was able to convince them he had just moved in and wasn't responsible, but still, an eerie lesson learned at another person's expense... Secure your wireless network as well as you possibly can, and test it often. The harder a target you can make it, the more likely a stumbler's going to take a pass on your house for the Joneses' up the street who still have their default passwords set and no encryption. Trust no one, use MAC-based filtering as well as encryption, and watch your logs for suspicious traffic. Heck, if you do it right you can dump the logs into something like Splunk and make them easier to manage.

As for pop/imap, I'd go w/pops or imaps. Use that SSL encryption. You can also cheat your little behind off if you use fetchmail. Set up an ssh tunnel to your pop server and you're only passing your password plaintext over your localhost connection. It's encrypted before it ever hits the wire.

Here's a quick howto using openssh. You will need to set up a key with a null passphrase to make this work correctly in this configuration:
(add this in your .fetchmailrc)

poll localhost with protocol pop3 and port 11110:
        preconnect "ssh -f mailserveriporhostname -L 11110:mailserveriporhostname:110 sleep 5"
        password yourpasswordhere;
        options keep

The port numbers are more or less arbitrary on your end, as long as the tunnel connects to the pop server or imap server at the other end. I run multiple tunnels for multiple users on consecutive high ports and it works out pretty well. Commands for f-suck vary slightly, you have to fiddle with it a bit. The nice thing is that in order to beat this, someone has to compromise your machine to the point that they can sniff traffic on localhost, and on top of that, they have to be smart enough to check and see if you're doing something like this anyway.

Last edited by nox (2007-02-26 22:22:01)

"The two most common things in the universe are hydrogen and stupidity."
--Harlan Ellison
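
Added example, not part of nox's post or of anyone's reply in this thread: a small Python audit that reads a .fetchmailrc and reports, for each poll entry, whether the mailbox login would cross the network in cleartext, ride an `ssh -L` tunnel like the one above, or use fetchmail's `ssl` option. It handles only a subset of the fetchmailrc grammar (an assumption), and the hostnames, user and passwords in the sample are constructed placeholders.

```python
import re
import shlex

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
VALUE_KEYWORDS = {"proto", "protocol", "preconnect", "user", "username", "pass", "password"}

# Constructed sample: the first entry mirrors the tunnel config above.
SAMPLE_RC = '''
poll localhost with protocol pop3 and port 11110:
        preconnect "ssh -f mail.example.net -L 11110:mail.example.net:110 sleep 5"
        password "not-a-real-password";
        options keep
poll pop.example.org protocol pop3 user "alice" password "ssl"
poll imap.example.org protocol imap user "alice" password "x" ssl
'''

def classify(entry):
    """Say how the mailbox login for one poll entry is protected in transit."""
    if entry["ssl"]:
        return "ssl"
    if entry["host"].lower() in LOOPBACK:
        tunneled = re.search(r"\bssh\b.*\s-L\s", entry["preconnect"])
        return "ssh-tunnel" if tunneled else "loopback"
    return "cleartext"

def audit_fetchmailrc(text):
    """Return (host, protocol, verdict) for each poll/skip entry."""
    # fetchmail ignores ':', ';' and ',' so strip them from token ends.
    tokens = [t.rstrip(":;,") for t in shlex.split(text, comments=True)]
    entries, cur, i = [], None, 0
    while i < len(tokens):
        low = tokens[i].lower()
        value = tokens[i + 1] if i + 1 < len(tokens) else ""
        if low in ("poll", "skip"):
            cur = {"host": value, "proto": "auto", "ssl": False, "preconnect": ""}
            entries.append(cur)
            i += 2
        elif cur is not None and low in VALUE_KEYWORDS:
            if low in ("proto", "protocol"):
                cur["proto"] = value.lower()
            elif low == "preconnect":
                cur["preconnect"] = value
            i += 2  # skip the value so a password such as "ssl" is not read as a keyword
        else:
            if cur is not None and low == "ssl":
                cur["ssl"] = True
            i += 1
    return [(e["host"], e["proto"], classify(e)) for e in entries]

if __name__ == "__main__":
    for host, proto, verdict in audit_fetchmailrc(SAMPLE_RC):
        print(f"{host:20} {proto:5} {verdict}")
```

A "cleartext" verdict marks the case raised earlier in the thread: anyone who can sniff the segment between the client and that server sees the account password.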

Re: Security, so what?

A quick real VPN is a quick fix to secure wireless.  SSH can be used but is not the best choice.