[NTLUG:Discuss] Wireless Home Network -- Deny-all incoming firewalls are not enough
Bryan J. Smith
b.j.smith at ieee.org
Sun Jun 27 11:46:30 CDT 2004
Lance Simmons wrote:
> If I attach my wireless router directly to the Internet, I'm counting on
> D-Link having a safe firewall, because now anyone on the Internet can
> attack my wireless router.
There is no such thing as a "safe firewall." Firewalls mitigate risk, but
firewalls also prevent legal access. A _true_ firewall not only prevents
any incoming access, but limits _outgoing_ access too. Unfortunately, 99.99%
of firewalls that are deployed do not limit _any_ outgoing access.
This is the essence of the Valve crack. An executive running MS IE/Outlook
downloaded a _well_known_, auto-installing trojan, one for which there is still
_no_fix_ in MS IE/Outlook (like several hundred others). From there, the "phone
home" program established a _full_ VPN connection into Valve.
The more serious issue was not only that Valve's source code was stolen,
not only that Valve didn't discover it _until_ the code showed up on
UseNet, but the _additional_liability_ because other, 3rd-party code
(Microsoft, idSoftware, etc.) was also leaked to the Internet.
Everyone is going to get hacked. The question is not when. The question is
partially how you can prevent it, but more important still is how you
know if you have been. That means you need to limit outgoing connections,
_and_ install an intrusion detection system (IDS). Not just on your host,
which can be bypassed/disabled, but on your network firewall.
IPCop is one such solution:
http://www.ipcop.org/cgi-bin/twiki/view/IPCop/WebHome
A recent article on IPCop 1.3.0 was here:
http://www.samag.com/documents/sam0402a/
The outgoing filtering, IDS and liability portions of the original
submission were snipped from that final, published version (for size
considerations).
> If I put the router behind my own firewall, then an attacker _from the
> Internet_ would have to go through my firewall and then through the
> router's firewall to get to my wireless network.
Using two firewalls can actually be worse sometimes, because anyone who
gains access to the middle could do anything they want to traffic as it
passes in between. E.g., they could now commit "man-in-the-middle" attacks
against vulnerable protocols.
I'm not saying multiple firewalls are bad. They have their purpose. In
fact, I'm a _huge_ proponent of the multi-tiered LAN, with multiple levels
of increased protection for mitigating risk to more sensitive data. For
most companies, in the wake of HIPAA and other legislative enactments, it is
not optional -- yet many treat it that way.
But in the case where you have simply one, common access over multiple
mediums, it should be a single firewall with multiple zones. IPCop 1.4.0
is in beta right now, but introduces a 4th "BLUE" zone for Wireless. You
can read about it in the 1.4.0 documentation here:
http://www.ipcop.org/1.4.0/en/install/html/decide-configuration.html
> Since I think there are orders of magnitude more potential
> attackers coming from the Internet, I'd rather not expose my wireless
> router to the Internet.
But what does your wired router offer in protection over your wireless
router? The $60 Linksys WRT54G is a Linux 2.4 box with a MIPS processor,
and host AP software. It's probably more advanced than most of the boxes
sold prior, although most newer boxes are from Bromaxx as well.
> Again, I'm new at all this, so I'd like to learn what other people have
> done or think about this topic.
I'm running IPCop 1.4.0 beta 3 in a test environment in my house right
now. Beta 4 is the latest, and will probably be the 1.4.0 release if
nothing else is found to be an issue.
For IPCop 1.3.0 on my production home network, I'm using the "ORANGE"
(DMZ) as a temporary "BLUE." I'm using a true IEEE802.11G AP, and not
a "router" for various reasons, even though it cost me almost 2x as much
at the time.
You'll want a beefy (Pentium-class/64MB RAM minimum) IPCop box if you
enable Snort on it. I wouldn't enable Squid Proxy on it though. It's
not worth putting Squid on the same system as your NetFilter/Snort box
(at least if you have more than 2 systems, like on a small business
network), and I'd just put a dedicated box in the ORANGE (DMZ) for Squid
or, on the cheap, just use your file server.
And don't forget to check those Snort logs! They are _useless_ if you
don't! Found a subseven variant at one site, and then I got bitched out
because the people thought they could keep downloading and running
things "as usual" because they thought they were protected (doh!).
-- Bryan
P.S. I really _hate_ the term "router" since most of these black box
devices are _not_ in the traditional sense. But I noted that the
Linksys WRT54G _does_ include routed in its Linux cramfs or disk
image(s), and has the ability to do RIP, so I guess it is a "router."
;-ppp
--
Linux Enthusiasts call me anti-Linux.
Windows Enthusiasts call me anti-Microsoft.
They both must be correct because I have over a
decade of experience with both in mission critical
environments, resulting in a bigotry dedicated to
mitigating risk and focusing on technologies ...
not products or vendors
--------------------------------------------------
Bryan J. Smith, E.I. b.j.smith at ieee.org