Re: Maybe OT - Home Network issue



On 07/01/2012 20:49, Jeff Liebermann wrote:

> Ummm... Please explain to me how opening 3 ports to a specific device
> (web camera) can open the entire network to hackers. Unless there is
> a security problem in the web camera (it does happen), I don't see how
> this can be done.


Yup, security issues in firmware. It does depend on the hardware, and the frequency with which manufacturers apply firmware updates for security issues. A buffer overrun is a common exploit to crash hardware things, and inject software that could do some further exploration, find access passwords or inflict some damage. Laser printers have been shown to be particularly vulnerable to exposing sensitive commercial information, but that's really a risk for the office environment.

> Incidentally, I'm amazed at how many cheap routers hang with this
> rather old tester:
> <http://www.pcflank.com/exploits.htm>


I have a network here that is exposed to BitTorrent/P2P transfers. After a session of that, the router is not that stable and needs restarting. Buffer overrun or overheating suicide? Router firmware is up to date, caps changed in PSU and the box has a fan (bit weedy though). I probably need to change the router.

>> Your connections will
>> also drop if the external ISP engages to block or traffic manage these
>> ports - some do.

> Most block port 25 (SMTP) to discourage spam relays and users running
> their own mail servers. There are also a few that block or throttle
> BitTorrent and other forms of file sharing. However, that's done by
> sniffing the traffic, not by any specific port number. A few block
> port 80 (HTTP) for no rational reason. Except for the various
> satellite providers, none that I know about block any other incoming
> ports.


They do. I occasionally use Mobile Broadband when I'm about where I find some ports blocked beyond SMTP. Some UK ISPs (mobile & fixed line) traffic manage all sorts of ports applying different QoS priorities to keep some of their users happy. Some even peg down Usenet traffic as it could be (and is) used for huge binary transfers, to the detriment of those like me who use text groups.

> If you're worried about outside hackers, they're far more likely to
> pound on port 8080 (remote admin) on the assumption that most users
> don't bother to change the default password on their router.

That is if the router is showing a login page WAN side. I know our ones don't :)


>> If you have a machine permanently running on your network, or you can
>> make one start remotely, install a VPN endpoint service on it. There are
>> many to choose from - I use OpenVPN on a linux box.

> Yep. That's secure. It can also be done on the WRT54G using
> alternative firmware (i.e. DD-WRT). The problem is that the WRT54G
> lacks sufficient CPU power to run more than one VPN tunnel at a time.
> Seems a bit too complicated a solution to secure just a web camera.

OK, there are easy VPN solutions. OpenVPN is my choice, a little tricky to configure but then I'm a bit of an OS configuration geek.

> Incidentally, both my office and home networks are on static addresses
> (also known as the perfect target), and probably have 15 assorted
> ports forwarded to various devices on the LANs. I also run a VPN
> between the two networks. It's been roughly like this since about
> 1995. No problems with hackers, except when I left IPP wide open, and
> someone printed a ream of paper on my laser printer.

Whoops.

> My firewall logs
> show plenty of automated scans, probes and attacks, but no successes.
> (Hint: I erratically run my own vulnerability tests.)

I test a lot and find scary things I can't wibble about (which is why I'm down the VPN route).


>> Then when you are out and about, start the matching VPN client (some
>> come already built into your OS, or even office router - but sadly not
>> OpenVPN) and then your packets will route properly into your home network.

> Ever measure performance through a VPN tunnel? I don't have the
> numbers handy, but as I vaguely recall, there was quite a large
> performance hit on throughput in both directions.

Yeah, it sucks a bit. But my data (email, RDP) is not that voluminous to worry about it. Got CCTV DVR stuff here, the pictures are small on the streaming so again not much bandwidth. It would be bad for something more realtime, say like Slingbox.

>> It's secure, encrypted communications and in my case with bridging
>> allows my external device to take on a similar IP address to home.

> Yep. Small warning about selecting the IP address block for the home
> network. You're probably using the default IP address block supplied
> with the WRT54G, which is 192.168.1.xxx. If your remote VPN client
> just happens to be using the same IP block, there's a very real chance
> that the IP addresses delivered from the VPN server IP address pool
> will result in a duplicated IP address. It probably won't be the
> client that is duplicated, but it may duplicate a printer, NAS box, or
> in this case, a web cam. If you're going to play VPN, set your home
> network to something other than 192.168.[0-2].xxx. Zero is common on
> Netgear, 1 is Linksys, 2 is Belkin. I use 192.168.111.xxx and set up
> my customers for other creative numbers.

Yup. Ours hangs out somewhere in 10.x.x.x land.


>> You can then run IP connections to anything and not worry about port
>> forwarding this, and setting complicated rules for that.

> True. You don't need port forwarding with a VPN. However, I think a
> VPN is a far more complicated solution than simple port forwarding.


Depends. Once set up I rarely have to fiddle with it, but then I'm using bridging which is easy to set up. Everything just works. Another VPN setup where the internal IP range is not exported requires fiddling with route tables, and maybe is a little faster but fiddly. The route table inside my Windows 6.5 mobile phone drove me nuts - don't go anywhere near Windows mobile products folks if ye are into hacking AND productivity :-|

--
Adrian C
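One way to check for the address-block collision Jeff warns about (home LAN on a router's default 192.168.0/1/2.x block colliding with the network the remote VPN client is already on), as an added Python example that is not part of this thread. The vendor default blocks are the ones named in the post; the candidate home LANs and the client's local networks are constructed scenarios.

```python
import ipaddress

# Router default LAN blocks named in the post (table constructed for this
# example, not taken from vendor documentation).
VENDOR_DEFAULTS = {
    ipaddress.ip_network("192.168.0.0/24"): "Netgear default",
    ipaddress.ip_network("192.168.1.0/24"): "Linksys default",
    ipaddress.ip_network("192.168.2.0/24"): "Belkin default",
}


def overlapping_routes(home_routes, client_local_nets):
    """Return [(home_route, client_net), ...] whose address ranges overlap.

    home_routes: networks the VPN makes reachable (the bridged home LAN, or
    the pool the VPN server hands addresses out from).
    client_local_nets: networks the remote machine is already attached to.
    Any overlap means a home device (printer, NAS, web cam) may share an
    address with something on the client's local LAN, and packets for it
    can be routed to the wrong network.
    """
    home = [ipaddress.ip_network(n, strict=False) for n in home_routes]
    local = [ipaddress.ip_network(n, strict=False) for n in client_local_nets]
    return [(str(h), str(c)) for h in home for c in local if h.overlaps(c)]


def vendor_default_match(home_lan):
    """Name the vendor default block a home LAN collides with, or None."""
    lan = ipaddress.ip_network(home_lan, strict=False)
    for net, name in VENDOR_DEFAULTS.items():
        if lan.overlaps(net):
            return name
    return None


def safe_home_lan(candidates, client_local_nets):
    """First candidate block that is neither a vendor default nor overlaps
    any of the client's current networks; None if every candidate collides."""
    for cand in candidates:
        if vendor_default_match(cand) is None and not overlapping_routes([cand], client_local_nets):
            return cand
    return None


if __name__ == "__main__":
    # Constructed scenario: WRT54G home LAN left on its default block, laptop
    # sitting on a cafe router that also uses 192.168.1.0/24.
    print(overlapping_routes(["192.168.1.0/24"], ["192.168.1.0/24"]))
    print(vendor_default_match("192.168.1.0/24"))
    print(safe_home_lan(["192.168.1.0/24", "192.168.111.0/24"], ["192.168.1.0/24"]))
```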