WiFi security onboard?

[FrankZ]

This reply isn't meant for any one post but just summing up thoughts from multiple ones.

A hardware firewall buys you more than just performance, though that is certianly a useful bit. It buys you an extra layer. Security should be done in layers. With a hardware firewall (I use Cisco PIX at home) it is first and foremost run on a dedicated OS that isn't designed with open access in mind (like most user based OSes) and as such is harder to compromise. If it is compromised it is just one layer. You still need to penetrate further. Also all hardware based firewalls I have used offer off box logging. This allows me to track potential attacks as well as see any compromises.

There are different flavors of firewall. Statefull inspection is one method. This looks at source and destination address and ports. If a rule allows the combination of address/port then the traffic is passed. This is the fastest way to do this (other than just sheer routing which isn't a secure thing).

We can layer onto this a proxy level (or layer 7) firewall. These, by nature, are slower as they not only look at stateful inspection but they also look inside each network packet. They can then make descisions based on content and flags to allow or disallow traffic (a packet with the FIN and ACK flags set are illeagal). As this is a much deeper and intensive process it is best to use this in low usage networks or as a second layer defense.

With a hardware firewall you can also create VPNs. VPN is a Virtual Private Network. The idea is, basically, to provide a mechinisim for both integrity checking (is the data flowing to and from who it says it is and has it been changed in transit) and encryption (scramble it so without the proper keys it can't be read). Along with this you also have key generation and changing. A encryption key is no good if it never changes, eventually it will be broken with enough resource thrown at the process.

Interestingly most people view a VPN as useful between to firewalls/hosts across a public IP network. (The Internet is a public IP network). They are also useful across a private network. In larger enterprises one might use a VPN tunnel to move traffic from finance to marketing or RD information across the larger network. This process can be applied to a home user where you VPN to your firewall from inside and then allow the traffic out to public sites. It might be considered paranoid but do get paid to be paranoid.

Of course all this changes when the packets leave your boarder and go to a device not under your control.

People hack for many different reasons. Some want the thrill. Some want revenge. Some want real money. I have seen people shop lift penny candy.

It isn't just an email account they want. They might want it for spamming, or to see if you keep your bank account password in there. They may want it to by pass the filter an ex has blocking messages from them.

One thing hackers do want is access. You are legally responsible for the traffic leaving your network. This can be mitigated with due dilligence. If you drop broadband or digital circuit into your network then set up all your machines directly connected to it, fail to patch and don't monitor it and it is used for illegal activity (scanning the DoD looking for vulnerabilities) you are the one they are coming to look at. If you follow reasonable practice they may still knock on the door but you may not be the target of the shock and awe. This also applies to file sharing. I have found compromised networks that were nothing more than large storage for pirated movies (Spy Kids 2 German version made me laugh). If you are not protecting yourself you are responsible for possing illeagally copied content as well.

Patching is also vital. Even the best firewalls can't keep everything bad out (though some proxy level ones can look for known attacks like Nimda). They also will not be able to stop zero day attacks. Keeping security patches up to date is cruicial on anything that is connected to the network (and this does include PDAs, MP3 players, network printers etc.)

Monitoring is also important. Most firewalls (software and hardware) will log. Looking at them to understand what is general noise on the line and what is the precursor to an attack is important. Having a device that can do some semblence of intrusion detection (ID)is useful. These watch for attack signitures much like a virus scanner looks at files for infections. Again I favor dedicated hardware for this, though even software based is better than nothing. Some will go further than just monitoring and take active measures to help prevent intrusions (IP) by blocking ports or adddress, tearing down sessions, sending TCP resets, or shuting down a boarder device.

This is a little long, so I do aplogize for that.

If there are more questions I will be hunkered over my desk now.

[ssullivan]

Great post, Frankz! Sums it up pretty well.

[elf]

Okay, I'm a bit confused. At home, I have a LAN with three computers (two wired, one laptop) and a hardware firewall via my Linksys wireless router. I also have no less than three software firewalls on the laptop (Sygate personal firewall, WinXP firewall, and a special firewall for when connected to my work network for remote access, which I use special company-provided VPN software to tunnel to through my DSL connection).

But in the original question, I asked about connectivity while cruising, not at home. I expect I would be using just one computer, a laptop, with a wi-fi card. I don't think I'll be using a router with hardware firewall since I won't have a LAN nor a DSL or cable connection to access the internet. So is it possible have a hardware firewall in this setup? Or VPN access? If so, how?

Thanks -- and thanks for all the good discussion!

Elf

[FrankZ]

Use of a hardware firewall is not based on how many hosts you have behind it.

VPN access is based on both endpoints but again you should be able to use either the hardware firewall as the end point or the host behind it for VPN. I will point out that a solid firewall can be difficult to push a VPN tunnel through depending on the standard used. IPSEC can be a bear versus a SSL based one. This can also be compounded by Network Address Translation (NAT) as some VPN Security Associations (SA) use the host IP as part of the identity, which can be masked with a intermeditate device like a hardware firewall.

When you mention you would like contectivity while cruising I am assuming you mean while at anchor or marina. At sea WIFI isn't going to reach far. Do you plan on using an ISP that has WIFI presences where you intend on cruising or were you hoping to find a signal off someone elses network?

[elf]

Quote:

Originally Posted by FrankZ

Use of a hardware firewall is not based on how many hosts you have behind it.

Do you mean that I could/should still use a router? What does it connect to in a wi-fi situation? In my home setup, the telephone line goes into it for the DSL connection. I'm not understanding how it works in a wi-fi only situation. Feel free to talk down to me as I need the "wi-fi for dummies" version.

Quote:

Originally Posted by FrankZ

When you mention you would like contectivity while cruising I am assuming you mean while at anchor or marina. At sea WIFI isn't going to reach far. Do you plan on using an ISP that has WIFI presences where you intend on cruising or were you hoping to find a signal off someone elses network?

The latter. And I didn't really mean at sea, but at anchor, mooring ball, or marina. Basically, wherever I can get a connection. I doubt many US ISPs have a wi-fi presence in the Carribbean, correct? I am currently with Earthlink.

Thanks!
Elf

[FrankZ]

You can still use a hardware device, it might get tricky as most hardware firewalls use a wired outside (not protected) interface. One could possibly get around that with a wireless bridge connected to that interface.

It would certianly be easier to use a software based firewall on a laptop to hop on open access wireless networks. I will caution you that just because someone has left it open doesn't mean it is legal to use them and I would be much more cautious about the traffic you send over a borrowed network.

Travel access from an ISP may prove expensive. I know AT&T provides global dialup and wireless access. I don't know the rates but we have eyed it and it isn't cheap. Work just provided me an aircard from Cingular which can have an international plan at about $149 a month but since it is cellular it dos incur 'roaming' charges though they are based on traffic not on minutes. The card has worked well thus far around town with approximately T1 type speed.

Are you looking to work? Is this just for email? Do you need to keep up with the latest Paris fashions on the web? Do you worry your Second Life character will get lonely? Part of the solution is understanding the requirements.

[ssullivan]

While Frank knows his stuff, I would like to tak a crack at some of your questions as well:

First, you asked about connecting a hardware firewall. Frank is right. You can use something called an "ethernet converter" to bascially "convert" (very loose terms here) your WiFi signal to standard ethernet traffic. You can then install the firewall between this "ethernet converter" and your router, if any. Personally, I have an "ethernet converter", then my router, then a Linksys which is currently locked down by MAC address due to very limited bandwidth. We use our laptops and WiFi cards to access the internet through that Linksys. I run the Linksys without antennas so it has poor range. This is a BAN (or boat area network... lol). What a geek I am!

So anyway, there is WiFi all over the Caribbean. In many instances, it's just an open 802.11b network that is over at a cyber cafe. You normally walk up to the place and use your laptop right there at the business. However, depending on your setup, you can also use it from anchor. If you do, I would suggest giving the little business some extra purchases, etc... as they are trying to make a living.

I live at anchor 6-8 mos out of the year. In case you all haven't noticed by my numerous and annoying posts, I have WiFi the whole time, no matter where I go.

[FrankZ]

Just to be percise. A wireless bridge is the 'converter'' that Sean is talking about, though you are only converting layer 1 (physical media). WIFI is Ehternet. It just uses a different layer 1 than a wired Ethernet.

Ok, I have been out of the water for a month now. I am really ready to get the bottom of the hull wet. Is it April yet?

[elf]

Quote:

Originally Posted by FrankZ

Travel access from an ISP may prove expensive. I know AT&T provides global dialup and wireless access. I don't know the rates but we have eyed it and it isn't cheap. Work just provided me an aircard from Cingular which can have an international plan at about $149 a month but since it is cellular it dos incur 'roaming' charges though they are based on traffic not on minutes. The card has worked well thus far around town with approximately T1 type speed.

Currently I have a dialup Earthlink account that I use for email through my DSL account, which is with my local telco. I have Outlook Express configured to access my Earthlink's POP/SMTP servers for email, but my access to the web is through my local telco. I kept the Earthlink account even though the DSL account offers email accounts in order not to change my email addy with everyone in my address book, all my e-commerce accounts (I do about 90% of my shopping online), mailing lists, etc.. I have been able to use my Earthlink email from hotels (through the hotel's wired broadband or Wi-Fi networks) on our travels for Outlook email, no problem. Once I am on the internet by whatever method, it just works. That's all I would be considering doing, not trying to actually connect to an Earthlink dialup number from afar, which would be cost-prohibitive. I would probably be using cyber-cafes and other hotspots for access, whatever is available, not only connecting from a boat, so all the extra equipment to provide a hardware firewall doesn't seem practical or feasible for that type of connectivity. I'm just trying to figure out the logistics of this if we are to pursue our cruising dream in the years ahead.

Quote:

Originally Posted by FrankZ

Are you looking to work? Is this just for email? Do you need to keep up with the latest Paris fashions on the web? Do you worry your Second Life character will get lonely? Part of the solution is understanding the requirements.

Work, no; Paris fashions, no. Email, blogging about our travels, uploading photos, occasional e-commerce, web research, perusing forums like this one occasionally, banking through secure sites, etc... yes, on occasion. I don't expect to use my computer as much while cruising as I do in my daily land life, but let's face it: once a geek, always a geek.

And I was definitely thinking/asking about using "designated" wi-fi access points rather than an individual's ad-hoc network that was left open. I prefer not to use the latter, for a variety of reasons -- legal, ethical, and security-related.

Thanks,
Elf

[ssullivan]

FrankZ - just trying to keep this at a level that semi and non-technical people can understand. If you Google an "ethernet converter", you come up with the correct product. This is indeed what the manufacturer of mine calls it and is the proper name in the case of the product I have.

But talking OSI model in a non-tech forum? You just lost any readers you had.

Quote:

Originally Posted by FrankZ

Just to be percise. A wireless bridge is the 'converter'' that Sean is talking about, though you are only converting layer 1 (physical media). WIFI is Ehternet. It just uses a different layer 1 than a wired Ethernet.

Ok, I have been out of the water for a month now. I am really ready to get the bottom of the hull wet. Is it April yet?

[ssullivan]

Elf,

Your last post sounds about right. That's what most people do. They have a laptop aboard in a waterproof case that they take ashore to a cyber cafe or some other WiFi hotspot. No different than stitting at Starbucks, except the people and surroundings are much better.

In my time in the Caribbean, I haven't heard of or seen one person who complained about having their email account broken into, bank info compromised, etc...

I did the "walk the laptop ashore" routine myself, as the megayacht I was working on had satellite, but it was slow and expensive. I simply used my AirPort (Macintosh WiFi) card and didn't keep passwords or major personal data on the machine, just like at home. Banking was done via SSL/HTTPS, and there were no issues. People are mellow in the islands. All the craziness of the States will soon melt away for you and you'll forget you even were worried.

[FrankZ]

Sean: I do have that problem at times. I have worked hard to dumb it down as I have to explain to execs why they are spending $50K on something when what we have, in their eyes, works. I suppose it is like trying to explain why you are pulling those ropes on the boat to people who have never sailed before.

Elf: For what you are talking about then I would just go with a software solution. Just be sure you keep things up to date with patching. Also be wary of what you are doing when using a 'found' wireless network. Again, I do get paid to be paranoid, but there is a practice where bad guys provide a network with the intention of sniffing the traffic. Mostly I have seen this type of thing in airports where they set up a wireless network using the airport advertised SSID then present you with the same log in page the airport would. When you login or purchase the access you give them the details they are looking for.

Also Earthlink does have international dial up access. It does cost per minute of use but it might be the ticket when you are somewhere you can't get anything else. You have to add that to your account plan beforehand.

[rtbates]

More importantly if you have a WIFI hub at your house/boat be sure you set all security options. The last thing you need/want is for someone to use your wireless router to access say kiddy porn. When I set up my wireless hub at the house I found that I could access four neighbors hubs w/o getting out of my chair. There are real people out there who roam around searching for unsecured WIFI hubs.

[FrankZ]

Quote:

Originally Posted by rtbates

More importantly if you have a WIFI hub at your house/boat be sure you set all security options. The last thing you need/want is for someone to use your wireless router to access say kiddy porn. When I set up my wireless hub at the house I found that I could access four neighbors hubs w/o getting out of my chair. There are real people out there who roam around searching for unsecured WIFI hubs.

This is also a good point. 128bit WEP is a bare minimum. WEP in itself has some fundemental flaws that allow it to be broken in trivial ways. It needs to be augmented with WPA or other protocols. WPA2 is nice, but not all wireless cards will handle it well.

I also, personally, like to MAC address filtering. With it only wireless devices you add can attatch to the wireless LAN. Yes, they can be spoofed, but again this is security in layers.

[hellosailor]

iPIG - iOpus Private Internet Gateway - Protect data in open WIFI, WLAN, WEP, WPA, 802.11 a/b/g, LAN networks
This is the kind of "public VPN" WiFi tool I'm talking about. I don't know that company or recommend them in particular, I just point them out as an example.
They offer a VPN connection that anyone can use. When you are connected to the internet via an "unknown" WiFi connection, this replaces the default internet gateway with a VPN encrypted connection to the vendor's server, which is assumed (ha) to be secure. Essentially, everything you are sending through the local WiFi cafe is gibberish and therefore immune to casual hacking.

That's an added layer of security for your data--regardless of whether you are using https pages or other encryption for banking, etc.

It doesn't relate to whether you can be hacked, or someone trying to enter your machine, which is a whole other issue.

Whether you run a dedicated hardware firewall (Like the Cisco) or a router with both an Wifi bridge and firewall integrated into it (which most "Wifi Routers" have today) or how you mix and match the pieces. As long as you DO have at least one firewall of reasonable effectiveness.

WPA encryption is good, but you won't find it on a "public access point" since encryption bars the public. WEP encryption is useless, there are tools to break it in under five minutes, sometimes 3 minutes. A little paranoia isn't a bad thing.<G>

I'm told that in the EU banks are requiring token security devices (i.e. RSA's "Secure Access" or other systems that require you to enter a changing code from a token) because they expect https will not be secure enough long enough. In the US, corporations are too cheap and too unconcerned about personal data loss, overall they have no motivation for any real security.

Elf, if you talk to your corporate IT guys (buy 'em lunch<G>) about using VPN and staying secure from public WiFi access points, I'm sure they can give you a short list and on a slow day, maybe even set it up for you.

Some of the vendors like iPig will be "for real". Some will be crooks themselves. And others will be CIA-type fronts, trolling for data folks want to conceal. (Hey, that's their job.) Caveat emptor, unless you're setting up your own from home.<G>