Editors Notes:
We've been on a bit of a break, but thanks to some
encouragement from Ultimateone and a few others we
are ready to push Part 3 of pimpin' out the door to
you. This one is a little light on wit and a tad
dry. Check back, we'll keep re-working this article
as we have time.
After a little summer hiatus we are back and ready to
roll on the 3rd and final post in this series. If you
followed Pimpin' Part 1 and Part 2 then you are well on your
way to a home network that would make any nerd
proud. Last time around we talked about using an
old PC and IPcop to build your own router and
firewall. In part 3 we are going to go into some
details on customizing IPcop as well as our take
on WiFi networking. So grab a mountain dew and
your copy of the matrix because this is going to
be another geeked out venture deep into the world
of nerdom. Like always, drop us a line or leave a comment
if you have any questions.
At a recent dinner party- yeah even the boys in the
lab get out, sometimes- we overheard a conversation
about MySpace and how the internet is dangerous for
children. While none of us in the Archatechs
corporation claim to be parenting experts, a true
nerd knows there is safety in numbers (specifically 1
and 0). One way to keep children safe is to regulate
what they can and cannot access on the internet. Most schools- at least those with net access- are already applying this 'content filtering' to make sure even innocent web searches don't trigger an adult-oriented advertisement or worse. Think of content filtering
like the child lock on the liquor cabinet or the
parental controls on your TV. Perhaps you are just
tired of ads or pop-up sites, no one said you have to
do this for the kids only. Another useful trick is to
control access to selected services based on time or
day. Want to make sure Junior isn't on myspace or
using instant message during homework hours? Just
turn on a rule on IPcop.
The other area we promised to cover this week is
setting up security for your wifi network. Since your
wifi signal may very well extend past your front door
and out into the street, it makes your network an
open target. Really there are two threats: A) someone accesses your data, B) someone uses your connection to do something malicious. Both come with other nasty side effects (like slowing down your connection), but really you have to decide whether you are concerned by either or both threats. Frankly, even though it's our policy to enforce security, we have had some discussions with people who are just not convinced. We've heard "Oh, I don't have any data I'm worried about" or "why would someone hack my connection with a password, when there is an open connection from my neighbor". Don't worry, we'll scare you into following our security logic, keep reading!
Before we can talk about filters and wifi and tcp and
udp and any other TLA (three letter acronym) we have
to lay some ground work. One of the King Nerds out
there has got to be Steve Gibson of GRC.com. Steve
hosts a security related podcast with
ex-TechTV host Leo Laporte. Steve has had some
great discussions about how home networks, routers
and the internet, in general, works. We suggest
episodes 25-27 and 42 of Security Now. We like to think
of internet routing in terms like the postal
service. In part 2 we mentioned that each router
is like your local post office. Think about
mailing a letter from Washington DC to San
Francisco. When the local postman in Washington
picks up your letter and sees the destination is
1234 Main St in San Francisco he probably doesn't
personally know how to personally get the letter
all the way to San Francisco. So, he takes the
letter back to the post office which knows how to
get it to the post office in San Francisco. That
San Francisco post office gives it to a post man
who knows just where 1234 Main St is. Here's where
it gets fun. Lets say 1234 Main St in San
Francisco is a business with 4 people working
inside. If you want the letter to reach a specific
resident then you have to address it to them. The
postman doesn't know who any of the people inside
are, thats the job of the person in the mail room.
The internet works pretty much the same way. Your
Internet provider (ISP) gives you one public IP
address. That's like your street address for the
internet. But what happens when traffic needs to reach a specific computer within your house? That's where the router works its magic. It allows you to share that one public address with many computers. Now you are asking, right, but how is that a firewall? Well, perhaps that is a term that is frequently misused, but we won't get into that right now. What we do need to discuss is the geeky magic that is NAT- or network address translation.
When you enter www.google.com on the kitchen computer the router makes a tiny little note: "ok, if any traffic from google comes back on this connection, I need to make sure the kitchen computer gets it". Then someone in the office tries to go to www.bbcnews.com and the router makes another little note. All of a sudden traffic from a hacker just appears at the router's door. The router checks all its little notes and says "hey, nobody requested this traffic, I'm just going to totally ignore it!". That's how NAT routers protect you. By literally dropping unsolicited packets you get only the stuff from the internet that you requested. It has been demonstrated that if you put a Windows XP computer right out onto the internet with no protection it will become compromised with spyware and viruses within seven to fifteen minutes! Putting a simple NAT router (like our IPcop boxes) in front of your network will keep your computers safe from most threats. Note the word most: NAT only stops connections that nobody inside asked for. A booby-trapped web page or e-mail attachment still comes in, because you requested it, so the computers behind the router still need their patches and a little common sense.
Ok, but what if you actually want the
outside world to have access to one of your
computers. For instance, you are planning on building
a Trixbox server for VoIP, but in the mean time you
are using Skype. Well, if your router is blocking
unsolicited traffic and a call comes in, then the
router is going to drop the packets before they ever
make it to your computer. (For the alpha nerds out
there who are shouting 'but what about skype's
ability to traverse NAT routers!' we hear you, just
go with it as an example) In instances like VoIP, or
some games, it may be necessary to allow traffic from
the internet that you didn't specifically request.
Since we know putting a Windows computer unprotected
on the net for even a little while is risky then how
can we expose only a tiny portion of that computer?
Ports. Think of ports like windows in the house. You
wouldn't want to leave your front door wide open, but
it may be ok to allow some fresh air in through a
window. Ports are your computers way of doing the
same thing. For instance, to view this web page you
are talking to our servers on port 80. In order to
bring you this pimptastic content we don't have to
let our servers hang out in the net unprotected, we
just open up port 80 and keep everything else
battened down. Got the general idea? Let's say you want to access your home Windows XP Pro computer from anywhere on the internet. Just enable Remote Desktop (right click on My Computer, click on Properties and then click on the Remote tab) and open port 3389, Remote Desktop's port, on your router.
In IPcop you access the port forwarding section from
the firewall menu. Just select Port Forwarding.
One of the reasons we like IPcop over the traditional consumer routers is that its firewall is a proper stateful packet filter (it tracks connections rather than blindly passing ports) and that its port-forwarding rules can be limited to a source address or range. That means you can pick and choose who on the public internet you want to open ports for. It's not the most secure idea to open XP's Remote Desktop to the entire world. However, if you know your work IP address or range (ask your IT guy) then you can allow access to Remote Desktop only from your work computer and not from anywhere else on the internet.
But we promised you an article on content filtering and WiFi and here we are rambling about ports. If you want to know more about some common ports (or need to determine what ports to open) check out PortForward. You may also want to do a few Google searches before you open a port. If it is one that is known to be a security hazard then you might want to consider another plan. For instance, ports 137-139 and 445 deal with Windows file sharing. It's probably not a good idea to open your hard drive to the entire world. Changing a service's default port is not security by itself (anyone who port-scans you will still find it), but it does keep you out of the constant automated scans for well-known ports, so it's a cheap extra layer on top of a real restriction like the source-address rule above. In that regard you may want to be able to access your Mac via VNC remote control. VNC normally operates on port 5900, but we'd recommend picking something random like 8764. Normally that would take a trick or two in the configuration on the VNC server. However with IPcop you can specify a source port of 8764 and a destination port of 5900. That means you can contact your Mac via 8764 on the internet and never have to change the default settings on the Mac itself.
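To make the "little notes" concrete, here is a toy model of what a NAT router does, written for this article as an added example (it is not IPcop's code; IPcop uses the Linux netfilter engine). It tracks outbound connections, translates their replies back, drops everything unsolicited, and applies port-forwarding rules with the two refinements discussed above: a rule limited to one source address (Remote Desktop from work only) and a rule that maps an unusual outside port onto the real inside port (8764 to VNC's 5900). The addresses, ports and packets are constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Constructed addresses: 203.0.113.7 stands in for the public IP the ISP hands out,
# 10.1.1.x is the green network from Part 2.
PUBLIC_IP = "203.0.113.7"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class ForwardRule:
    ext_port: int                      # port the outside world connects to
    int_ip: str                        # LAN host that should receive it
    int_port: int                      # port on that host (may differ from ext_port)
    allowed_src: Optional[str] = None  # None means anyone on the internet


class NatRouter:
    """Stateful NAT: one public address shared by many LAN hosts."""

    def __init__(self, public_ip: str, forwards=()):
        self.public_ip = public_ip
        self.forwards: Dict[int, ForwardRule] = {r.ext_port: r for r in forwards}
        # The router's "little notes":
        # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.table: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        self._next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> internet: remember the flow, rewrite the source to the public address."""
        for (pub_port, rip, rport), (lip, lport) in self.table.items():
            if (lip, lport, rip, rport) == (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port):
                return replace(pkt, src_ip=self.public_ip, src_port=pub_port)  # flow already known
        pub_port = self._next_port
        self._next_port += 1
        self.table[(pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=pub_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: the translated packet, or None if the router drops it."""
        if pkt.dst_ip != self.public_ip:
            return None
        # 1. A reply to something a LAN host asked for? Send it to that host.
        note = self.table.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if note is not None:
            lan_ip, lan_port = note
            return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)
        # 2. An explicit port forward? Honour its source restriction and port mapping.
        rule = self.forwards.get(pkt.dst_port)
        if rule is not None and rule.allowed_src in (None, pkt.src_ip):
            return replace(pkt, dst_ip=rule.int_ip, dst_port=rule.int_port)
        # 3. Nobody asked for this: ignore it.
        return None


def demo() -> dict:
    """Walk through the scenarios from the article; returns what reached the LAN."""
    router = NatRouter(PUBLIC_IP, forwards=[
        ForwardRule(3389, "10.1.1.20", 3389, allowed_src="198.51.100.9"),  # RDP, from work only
        ForwardRule(8764, "10.1.1.30", 5900),                              # VNC behind an odd port
    ])
    kitchen_to_google = Packet("10.1.1.10", 51000, "64.233.160.1", 80)   # constructed
    seen_by_google = router.outbound(kitchen_to_google)
    google_reply = Packet("64.233.160.1", 80, seen_by_google.src_ip, seen_by_google.src_port)
    scanner = "192.0.2.66"   # constructed address of an uninvited visitor
    return {
        "google_reply_to": router.inbound(google_reply).dst_ip,
        "unsolicited_smb": router.inbound(Packet(scanner, 4444, PUBLIC_IP, 445)),
        "rdp_from_work": router.inbound(Packet("198.51.100.9", 5000, PUBLIC_IP, 3389)).dst_ip,
        "rdp_from_scanner": router.inbound(Packet(scanner, 5000, PUBLIC_IP, 3389)),
        "vnc_via_8764": router.inbound(Packet(scanner, 5001, PUBLIC_IP, 8764)).dst_port,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} -> {result}")
```

The two forwarding rules are the same two knobs IPcop's port forwarding form gives you: allowed_src is the source-address restriction, and ext_port/int_port are the "source port" and "destination port" boxes. Note that the model, like a real NAT, delivers anything that arrives on a port it has a note for; the protection comes from the notes only existing for flows your own computers opened.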
Show me the good stuff (only)
We had the boys in the lab check out several of the filters that are available for IPcop and give us their opinion. While they liked bits and pieces of each, there just wasn't a solitary solution that fit the bill for everything we wanted... but there are two add-ons that combined make a great content filter. URL Filter and Advanced Proxy by Marco Sondermann make a dynamite combination. Advanced Proxy builds on the Squid proxy already present in IPcop and puts some advanced features at your fingertips (URL Filter, in turn, is built on the squidGuard plugin for Squid). With Advanced Proxy you can specify which computers are filtered and which ones have unfettered access. You can restrict access times, types of traffic and more. URL Filter adds even more functionality by allowing you to block content by type. Simply put a check in the box next to "drugs" and IPcop will do its best to block access to sites relating to drug use or sales. One of the nice things about URL Filter is the ability to block sites at certain times. Just enter oscar.aol.com from 3pm - 5pm and you've blocked AOL Instant Messenger during prime homework time. Installing both AdvProxy and URL Filter takes a little work under the hood, but we are here to guide you through it.
First, download both URL Filter and AdvProxy from the links above (you are about to run them as root on your firewall, so get them only from the authors' pages). Getting the files over to your IPcop box requires the use of SFTP, or Secure File Transfer Protocol. On Windows we like to use WinSCP. While OS X has sftp built in to the command line tools, for a nice pretty graphical interface we go with Fugu. Fire up either WinSCP or Fugu and enter the address of the green network card in your IPcop box. It's the same address you use to access the web interface, probably 10.1.1.1 if you followed our lead. Normally SFTP works on port 22 (like SSH) but in the name of security IPcop uses port 222, so make sure you change that in the appropriate place in your client. For the username, we are going to use the root account- you do remember the password from the install, right? Once you've logged in you can drag and drop the files from your computer to IPcop. We like to put everything in the root directory, /root/ .
Once you have everything copied over, it's time to get into the command line. We are going to interact with IPcop via SSH. If you are using a Mac, just open up the Terminal (Applications-->Utilities-->Terminal). On Windows you can snag a free copy of PuTTY. Again we are going to log in as root and we have to change the port to 222. In PuTTY you'll see a place for the port. On a Mac the command looks like this:
ssh -p 222 root@10.1.1.1
Make sure you use the appropriate address if it's not 10.1.1.1. Once you are logged in you should find yourself in the root directory; if not, just type cd ~ and press enter. Those two files we copied, ipcop-advproxy and ipcop-urlfilter, should be present. You can check by typing ls and pressing enter.
Now we have to extract the files. In Linux, tar.gz files are like zip files: they are compressed and contain many files inside. Here are the commands to extract the two files. Just copy and paste and press enter/return after each one. Also, you may need to change the version number depending on which version you've downloaded (ls shows you the exact file names).
tar -xzf ipcop-urlfilter-1.7.1.tar.gz
tar -xzf ipcop-advproxy-1.2.2.tar.gz
(The flags are -xzf for both: tar takes the letter right after f as the file name, so -xfz would try to open an archive called "z".)
To install the proxy server, just copy and paste this command followed by enter/return.
./ipcop-advproxy/install
Note the leading period, it's crucial! After a few seconds you'll get a message that the installer has finished; time for the URL Filter.
./ipcop-urlfilter/install
Again, pay attention to that leading period.
Assuming you didn't get any errors, then you should
be good to go. Open a web browser point it at your
IPcop box (probably https://10.1.1.1:445). You should
have two new options in the services menu: Advanced
Proxy and URL Filter.
First, let's check out Advanced Proxy.
A proxy works by sitting on the edge of your network and relaying requests for websites. That means that your computer sends a request for www.google.com, the proxy server intercepts the request and makes its own. The proxy server then retrieves Google's page and relays it back to your computer. The end result is that your computer talks to the proxy server and the proxy server talks to the internet for you. So why all the bother? Well, one reason is exactly what we are after: the proxy server can filter offensive or unwanted content. Believe it or not, a proxy server can also speed up surfing. Since the server will cache, or store, some of the graphics and information, it can help load pages faster. Oh, by the way, cache is pronounced like cash... just a pet peeve that we harbor around the Archatechs world headquarters. In order to take advantage of the proxy you have to enable it. If you are running a blue network for unprotected wifi clients then you'll see two options: proxy for green or proxy for blue. If you only have a green network, then you'll just set the one set of settings. Make sure to check all of the boxes. We want to enable the proxy on both networks (we'll talk about some special blue tricks) and make it transparent. Transparency means you don't have to configure anything on your computers or web browsers: the firewall silently redirects outgoing web (port 80) traffic into the proxy. Keep in mind that a transparent proxy only sees plain HTTP; HTTPS traffic is encrypted end to end and passes straight by, so a determined user can still reach an https:// site the filter would have blocked.
If your ISP requires you to use their proxy as well,
you can fill that information into the next part of
the screen - upstream proxy. Similarly, if you are
using a service such as proxify you can fill in their
proxy information here as well.
Cache management depends on your IPcop hardware. But if you are using something with more than 256 MB of memory and more than 2 GB of hard drive space then feel free to crank the numbers up. Memory cache is how much of the RAM (or memory) the proxy server will use. Remember RAM is always faster than hard drive storage, so throwing a little more RAM at the proxy server will help- especially if you have a lot of bandwidth. We like at least 250 - 500 MB of hard drive cache. Think about the cache like this: the proxy server goes to Google and says "hey, I have this copy of your logo that is a week old, is there a newer version? No? OK, I'll use my copy, don't send me a new one". (In HTTP terms that is a conditional request, and the "no, use your copy" answer is a tiny 304 Not Modified response.) That's where that little speed advantage comes into play. Believe it or not, that little exchange is often faster than just requesting a new copy of the logo file outright.
Restricted Air Space
The next section, Network Based Access Control,
allows you to specify specific computers which have
totally unfettered (or blocked) access. For instance,
if you want to make sure the computer in your home
office is never filtered (the proxy doesn't apply)
then you can add it's IP to the unrestricted IP
address section. Similarly, if you have a device that
you never want to access the internet, place its IP
in the banned range.
The next section also deals with restrictions. Adding
time restrictions allows you to effectively turn off
the internet for your entire network. Since you'll
probably want to do that on a per-computer basis, we
are going to revisit that with the URL Filter. The
download throttling can be especially useful. If
you've set up a blue network with an unprotected WiFi
access point, then you can provide free internet
access for neighbors and guests. That's a very magnanimous thing to do, and we encourage it (if your ISP and local laws allow it). However, generosity only extends so far. It's no fun if someone is stealing all of your bandwidth. In other words, if
the kid down the street is downloading movies all day
and night on your connection, that doesn't leave much
speed for you. Similarly, if someone with a computer
infected with malware/spyware joins your blue
network, they could unknowingly be used to attack
other computers on the internet. Limiting how much
traffic they can send and receive just makes sense.
How much you limit each connection is up to you. On
the green network it may not be necessary to limit
connections at all. However, if someone in the house
is a heavy user and you find speeds elsewhere to be
unacceptable, then you can place limits on the green
network as well.
Here we've limited the entire blue network to about one megabit per second (1024 kilobits per second) and each individual computer on the blue network to 512 kilobits per second. (Watch the units: throttle settings, like the speeds ISPs advertise, are in bits per second, and a kilobit is one eighth of a kilobyte.) That means the entire blue network cannot exceed one megabit per second, and each individual computer only gets half of that. Since broadband is considered to start at 256 kbit/s (about 32 kilobytes per second), we feel that is ample for a guest.
The last few sections of the Advance proxy deal with
advanced settings. To learn more, check out the
documentation here. The
authentication section will become interesting
when we discuss the Fedora Directory Server- but
thats another post coming soon.
URL Filter
Before we leave the Advanced Proxy, make sure to enable the URL Filter. It's towards the bottom of the page.
Now select URL Filter from the services menu in
IPCop.
Right off the bat you can block entire categories of
content for every computer on your network. Blocking
ads for every computer may make sense, but you may
not want to categorically deny everything to
everyone- we'll get to that.
The custom black and white lists allow you to
explicitly deny (black list) or permit (white list)
sites or domains. For instance, you may want to block
all mail sites but allow access to Google Mail.
Simply place www.gmail.com in the white list box.
The custom expression list requires knowledge of regular expressions, or 'regex', a pattern language for matching text. So unless you are comfortable with regular expressions, skip down to Network Based Access Control. This is just like the same fields on the Advanced Proxy. If you want to allow unrestricted access to a specific computer, list it here. This can be useful if you want to block entire categories but have one (or more) computer that is unaffected.
The Fun Part - or how to be Big
Brother
Depending on how you feel about restricting access, this is either the fun part or the part that makes you Big Brother. Click the time constraint button in the middle of the page. You'll get this window:
This is where you can block specific sites during specific times. A rule has a source (which of your computers it applies to, or the whole network) and a destination (what to block). If you wanted to block access to AOL's Instant Messenger you'd block oscar.aol.com as the destination, pick the source computers, fill out the times you want to block and click add. You can also block or allow entire categories this way.
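Here is a toy model of the decision the two add-ons make for each request, written for this article as an added example (it is not the code of Advanced Proxy or URL Filter, and the order in which the checks are applied is our assumption, not something taken from their documentation). It puts together the pieces above: the unrestricted and banned addresses from Network Based Access Control, category blocking with a whitelist that overrides it, and a time constraint that blocks oscar.aol.com during homework hours. The hosts, category membership and client addresses are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Set, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the category blacklists URL Filter downloads;
# the real lists hold thousands of domains per category.
CATEGORIES = {
    "ads":   {"ads.example.net", "doubleclick.example"},
    "drugs": {"buyweed.example"},
    "mail":  {"mail.example.com", "gmail.com"},
    "chat":  {"oscar.aol.com"},
}


def host_matches(host: str, name: str) -> bool:
    """A list entry covers the host itself and any subdomain of it."""
    return host == name or host.endswith("." + name)


def in_category(host: str, category: str) -> bool:
    return any(host_matches(host, name) for name in CATEGORIES.get(category, ()))


@dataclass(frozen=True)
class TimeRule:
    target: str    # a site name or a category name to block
    start: time
    end: time

    def active(self, now: time) -> bool:
        if self.start <= self.end:
            return self.start <= now < self.end
        return now >= self.start or now < self.end   # window that crosses midnight

    def covers(self, host: str) -> bool:
        return host_matches(host, self.target) or in_category(host, self.target)


@dataclass
class FilterPolicy:
    unrestricted_ips: Set[str] = field(default_factory=set)  # never filtered
    banned_ips: Set[str] = field(default_factory=set)        # never get out at all
    blocked_categories: Set[str] = field(default_factory=set)
    blacklist: Set[str] = field(default_factory=set)         # explicit deny
    whitelist: Set[str] = field(default_factory=set)         # explicit allow, beats categories
    time_rules: List[TimeRule] = field(default_factory=list)

    def decide(self, client_ip: str, url: str, now: datetime) -> Tuple[bool, str]:
        """Returns (allowed, reason) for one request; first matching check wins."""
        host = (urlsplit(url).hostname or "").lower()
        if client_ip in self.banned_ips:
            return False, "client is banned"
        if client_ip in self.unrestricted_ips:
            return True, "client is unrestricted"
        for rule in self.time_rules:
            if rule.active(now.time()) and rule.covers(host):
                return False, f"{rule.target} blocked {rule.start:%H:%M}-{rule.end:%H:%M}"
        if any(host_matches(host, w) for w in self.whitelist):
            return True, "whitelisted"
        if any(host_matches(host, b) for b in self.blacklist):
            return False, "blacklisted"
        for category in sorted(self.blocked_categories):
            if in_category(host, category):
                return False, f"category {category}"
        return True, "allowed"


# The policy described in the article: filter everyone except the office PC,
# block ads, drugs and mail but let Gmail through, and no AIM between 3pm and 5pm.
HOMEWORK_POLICY = FilterPolicy(
    unrestricted_ips={"10.1.1.5"},          # constructed office PC address
    banned_ips={"10.1.1.99"},               # constructed device that never gets online
    blocked_categories={"ads", "drugs", "mail"},
    whitelist={"gmail.com"},
    time_rules=[TimeRule("oscar.aol.com", time(15, 0), time(17, 0))],
)


def demo() -> dict:
    kitchen, office, banned = "10.1.1.10", "10.1.1.5", "10.1.1.99"
    homework = datetime(2007, 3, 12, 16, 0)    # 4pm (constructed)
    evening = datetime(2007, 3, 12, 19, 30)    # 7:30pm (constructed)
    return {
        "kitchen_aim_4pm": HOMEWORK_POLICY.decide(kitchen, "http://oscar.aol.com/", homework),
        "kitchen_aim_7pm": HOMEWORK_POLICY.decide(kitchen, "http://oscar.aol.com/", evening),
        "kitchen_gmail":   HOMEWORK_POLICY.decide(kitchen, "http://www.gmail.com/", evening),
        "kitchen_webmail": HOMEWORK_POLICY.decide(kitchen, "http://mail.example.com/", evening),
        "office_anything": HOMEWORK_POLICY.decide(office, "http://buyweed.example/", homework),
        "banned_host":     HOMEWORK_POLICY.decide(banned, "http://www.example.org/", evening),
        # a curfew rule that crosses midnight, to show the wrap-around handling
        "curfew_at_2am":   TimeRule("chat", time(22, 0), time(6, 0)).active(time(2, 0)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

Two things the model makes visible that the check boxes hide: the whitelist has to be consulted before the category lists (otherwise www.gmail.com dies with the rest of the "mail" category), and a host is matched as a domain suffix, so listing gmail.com covers www.gmail.com too.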
Where to go next
Thats the basics of URL Filter. If you want to get in
deeper, check out the documentation here. For the
truly paranoid (or to awaken the control freak in
us all), check out BOT, or Block Out Traffic. Just
make sure to read the docs carefully. If you
miss the crucial install step you won't be able to
log into IPcop at all!
Did we say paranoid?
If you haven't noticed we are a little freakish on wifi security. We have these conversations all the time:
Archatech: "Why don't you use security?"
Co-worker: "I use MAC address filtering and I hide my SSID (wireless network name), that's safe enough"
Or it goes like this:
Archatech: "What kind of wifi security do you have?"
Friend: "I don't need security, I don't have anything important to protect"
And then there is this one:
Family member: "We use WEP, it works just fine (and it's all TiVo supports)"
Archatech: "You know WEP can be cracked in 10 minutes, right?"
Family member: "Well yeah, but who is going to take the time to break mine when there is an open network next door?"
A lot of you probably feel the same way; you've got nothing important or don't think anyone will bother breaking in. You might also be under the impression that hiding your network name or filtering MAC addresses is security. You'd be wrong on all counts.
WiFi security is about two things. Protecting your network from outsiders and encrypting your traffic. Lets tackle the first one for starters.
Close your borders
With a wired network, someone has to physically have access to a CAT5 port to gain access. If your doors and windows are locked, it's pretty tricky to plug in. With a wireless network all of a sudden your network extends past your doors and out into the street. It's pretty hard to control invisible radio waves. What we can do is make sure passers-by cannot use those waves. MAC filtering and SSID hiding are ways, albeit poor ones, to help keep others off your network. Every networking device has a serial number called a MAC address, which is meant to be unique: no two devices (network cards, wireless cards, bluetooth devices, VoIP phones, Xboxes, etc) are supposed to share one. Almost all wireless access points (and even IPCop) allow you to maintain a list of "allowed" MAC addresses. If your MAC isn't on the list, you don't get access. Sounds like a good way to lock things down, right? Well besides the hassle of having to maintain that list on each access point, it's just broken. It turns out changing the MAC address, called spoofing, is pretty easy with some free software tools, and because MAC addresses travel in the clear in every wireless frame (even when the traffic itself is encrypted), there are tools out there that discover valid MAC addresses on the wireless network and report which ones you can spoof to gain access.
The SSID is the name of your wireless network. When you hide the SSID, Windows will not give you that little pop-up that says it's found a network. You'd have to know the network name to join it. Well, almost any wifi "sniffer" tool will thwart that and find hidden SSIDs, because the computers that do know the name send it in the clear whenever they connect.
Even if you don't have important data on your computer you have some things to protect. First your computers themselves. Hackers would love to get remote control of your system and use it for malicious hacks. One of the most common is called a DDOS, or distributed denial of service. Hackers commandeer an army of computers (which they have hacked for remote access) from all over the net. Then they make all of those computers point to one web site or server. The overwhelming amount of traffic, from around the world, basically shuts the site or server down. The other thing you want to protect is your bandwidth. Remember setting that traffic limit on the blue network? Well if someone compromises your green network then you could suddenly find all of your bandwidth is being used by someone else!
Pimp your signal
The other real problem with using MAC filtering or SSID hiding is that they still do nothing to protect your traffic. The other part of wifi security is encryption. Without strong encryption you are not only extending your network outside of your doors and into the street, you're broadcasting everything you do. Every email you send will be out there floating around in the air for anyone to see (or 'sniff'). When you employ strong protection your traffic becomes encrypted, meaning everything between your computer and your wireless access point is unreadable to anyone without the key. (That covers the wireless hop only; the access point decrypts it, and from there it travels across the internet as it always did.)
Where WEP failed...
Early wireless access points used something called WEP to protect access and encrypt traffic. Its basic flaw is in how it uses its cipher (RC4): every packet is scrambled with the same secret key plus a short 24-bit "initialization vector" that is sent in the clear, and that space is so small it repeats within hours on a busy network, while certain values also leak bytes of the key. So someone could "sniff" the airwaves, collect enough packets between your computer and the access point and work out the key itself. This gets a little tricky, but the underlying rule is the one behind the "one-time pad": a stream cipher's keystream must never be used twice. For more information, listen to episodes 10 and 11 of Security Now. You can also read transcripts here.
Here is what you need to know about WEP: it can be cracked in 10 minutes by a kid with a laptop. Once it's cracked, everything you do can be observed and your systems are all exposed and at risk. With strong encryption in place you can rest assured that nobody parked outside with a sniffer can read your traffic. (Other people you have given the same passphrase to are a different matter: with the key in hand they can decrypt each other's traffic if they capture the connection handshake, so only share the private network's key with people you trust.)
WPA Succeeded
The next generation of wifi security is called WPA and it fixed the loophole in WEP. Basically, each connection gets its own fresh encryption keys, derived from your passphrase plus random values exchanged when the computer joins, and per-packet keys (WPA) or per-packet counters (WPA2) mean no keystream is ever reused, so no matter how much of your traffic someone captures they'd never be able to recover the key from it. There is a known vulnerability though. (cue scary music) When you use a short password or, even worse, a common dictionary word, as your passphrase you can be at risk. Someone only needs to capture the brief "handshake" exchanged when a computer joins the network. With that in hand they can attempt a "brute force" attack offline: derive the key from every word in the dictionary and check each one against the handshake. For short, but random, passwords they can even attempt every combination of letters and numbers. The good news is that the passphrase-to-key step is deliberately slow (thousands of hashing rounds per guess), so even with modern processors this takes time. Someone would have to really want in badly.... never underestimate those kids with laptops though!
The solution is to use the longest, most random passphrase your access point will support. We like Steve Gibson's password generator, but you can download or use any one you like. GRC's password generator includes some notes on how it's written and we trust it. If you download a password tool make sure you know how it works and that you trust it. A WPA passphrase is 8 to 63 characters long (an entry of exactly 64 hex digits is taken to be the raw key itself), so go for all 63. You can take 32 random characters from GRC's page, reload it and take another 31, or mix and match sections of 8 or 16; that is harmless, though not really needed, since 63 characters from one load are already random. Either way your passphrase is unique.
Once you have the passphrase, simply paste it into every wireless access point you want to protect and enable WPA or WPA2 (WPA2 is newer and may not be supported on all hardware; where it is, pick it, with AES/CCMP rather than TKIP).
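To show what the "brute force" above actually costs, here is how a WPA/WPA2-PSK passphrase turns into the key and how a dictionary attack against it works. This is an added example written for this article, not code from GRC or from any access point. The passphrase-to-key step is the real one from the standard (PBKDF2 with HMAC-SHA1, 4096 rounds, salted with the network name); the cracker compares derived keys directly, where a real one would check each candidate against a captured handshake, but the work per guess is the same. The SSID and the word list are constructed.

```python
import hashlib
import secrets
import string
from typing import Iterable, Optional

# Constructed network name and word list for the example.
SSID = "ArchatechsLab"
WORDLIST = ["password", "letmein", "dragon", "sunshine", "trustno1", "iloveyou"]


def passphrase_ok(passphrase: str) -> bool:
    """WPA passphrases are 8 to 63 printable ASCII characters (64 hex digits mean a raw key)."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Passphrase -> 256-bit pre-shared key, as in IEEE 802.11i (PBKDF2-HMAC-SHA1, 4096 rounds)."""
    if not passphrase_ok(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def dictionary_attack(target_psk: bytes, ssid: str, candidates: Iterable[str]) -> Optional[str]:
    """Derive a key for every candidate and see whether it matches.

    A real cracker works from a captured four-way handshake and checks each
    derived key against it; the cost is identical, one PBKDF2 run per guess.
    Words that cannot be WPA passphrases (too short) are skipped, not tried."""
    for word in candidates:
        if passphrase_ok(word) and wpa_psk(word, ssid) == target_psk:
            return word
    return None


def random_passphrase(length: int = 63) -> str:
    """The article's advice: the longest, most random passphrase the hardware takes."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def demo() -> dict:
    weak_psk = wpa_psk("sunshine", SSID)          # a dictionary word as passphrase
    strong_pass = random_passphrase()
    strong_psk = wpa_psk(strong_pass, SSID)
    return {
        "weak_recovered": dictionary_attack(weak_psk, SSID, WORDLIST),      # 'sunshine'
        "strong_recovered": dictionary_attack(strong_psk, SSID, WORDLIST),  # None
        "strong_length": len(strong_pass),
        "psk_bits": len(strong_psk) * 8,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:17} {value}")
```

Each guess costs 4096 HMAC-SHA1 rounds, so a list of a few million common words is a matter of hours on one PC, whereas 63 characters drawn from the full printable set cannot be searched at all. Note also that the SSID is the salt: a network still called "linksys" or "default" can be attacked with tables computed in advance, which is one more reason to give your network its own name.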
What's the Key?
So, you've got this super long random passphrase, how do you get it on each computer that needs to connect? Grab a $15 128 MB USB key. Paste the passphrase into a text file (we like plain text rather than MS Word) and put that file on the key. Whenever you need to add a computer to your WiFi network, simply plug in the key and copy and paste where needed. Make sure to keep that key safe! One trick may be to copy several passphrases, each 63 characters long, into the text file. Let's say you paste 5 different passphrases into the text file; you know that the 3rd one is the valid one. You could even build the real one from pieces of two different lines. Hey, we said paranoid, right?
And I've gone crosseyed...
Got the big picture? With properly secured access points on your green network, you can sleep safely knowing that your wifi is as secure as your wired network. With an open access point on your blue network you can allow guests and use devices (like TiVo) that do not support WPA encryption, all while knowing devices on the blue network cannot talk to the green network (unless you open pinholes for them in IPcop). It's the best of both worlds: secure private wireless and an open but cordoned-off public network. If you need to grant access to the private network, just whip out the USB key with your super long and random passphrase and you are good to go. Hopefully you also have an understanding of how your IPcop router uses NAT to keep the bad guys out. With a few simple add-ons you can even custom tailor the access that each computer and user in your house has to content on the web.
Coming Soon to Archatechs
Archatechs Call to Action - Net Neutrality: some politicians and big businesses want to charge you extra for the internet depending on what you want to do (like VoIP). It's time to tell Congress what you think.
One password to rule them all - Fedora Directory Server and single-sign-on
Storage for everyone - FreeNAS and online storage