Re: How safe is this..
On Fri, 23 Dec 2005 10:35:21 GMT, "JM" <jm_newgroups@xxxxxxxxxxxxxxxx>
wrote:

>I have a NAT/SPI Router linked directly into the Cable modem, which has a
>TeamSpeak server connected to one of the LAN ports. Now to secure the rest
>of my LAN I have connected a second Router to the first one ( LAN 2 WAN
>configuration), this is also a NAT/SPI Router with wireless access. Now on
>my second Router I have all but one Computer connected to the LAN ports and
>all have firewalls installed. On the wireless side I have setup WPA-PSK
>(TKIP) with a 63 random ASCII characters as the key, I am also considering
>setting up a RADIUS server to secure the wireless side even more.
>
>Am I safe or is there more I can do?

There's always more that can be done. The layers added in the name of
security never seem to end. Proxy server, VPN, encrypted LAN
traffic, encrypted ethernet cards, IDS (intrusion detection system),
ad nauseam. It really depends on what you are trying to protect. The
usual mistake is physical security. I could plug a "rogue access
point" or ethernet tap into your network, and all your security is
gone. It's like locking the front door with a dozen locks, but
leaving the back door and windows wide open.

Also, real security requires log reading. You need to monitor your
network, have someone (or a script) read the log files regularly, and
look for surprises and changes. You also need to run regular exploit
scans. Putting a lock on the front door is nice, but it's useless
unless you check to see if it's still locked and functional.

Double NAT used to be called a double firewall with a DMZ
(Demilitarized Zone for those that missed Viet Nam) in between.
Servers that needed to be exposed to the internet were placed in the
DMZ with traffic controlled by the first router also known as a
"bastion host". To entertain attackers, "honey pot" servers were
often also planted in the DMZ area. The inside LAN was protected by
the 2nd router. If a server in the DMZ was compromised, it would not
affect anything on the inside LAN. It's a very good system and works
well. Complications with administrative access to the DMZ servers,
and dealing with port forwarding using double NAT make setup
interesting.

As far as the wireless is concerned, pre-shared keys are inherently
insecure. All it takes is one of your laptops or clients with the
pre-shared key installed to be compromised, and the key becomes known.
Some manufacturers encrypt the WPA keys in the registry, but few
bother to use a secure algorithm. Some even have it saved in readable
text. If the single pre-shared key is discovered, then the entire
wireless network is seriously compromised.

With RADIUS authentication, there is no single WPA key. It's
contrived for the duration of the connection and not saved anywhere. I
can sniff a connection, and extract a single key, but that only gets
me on the system for a very limited time. If you value security, do
the 802.1x thing and RADIUS server.

Incidentally, I never have much trouble with external (internet)
security. Attacks originating from the internet are not much of a
problem. Attacks from inside the LAN, originating from compromised
laptops and PDAs are what drives me nuts. The boss goes to a hotel
with his laptop, gets infected by a trojan horse, and brings the
laptop back to the office. I get to spend days cleaning out the mess.
If he's had a key logger installed, I get to change every last lousy
password on the system. The few that take it seriously (mostly for
HIPAA compliance) use X.509 certificates on USB dongles.

Try to think of security in terms of reliability. If a single point
of failure happens, such as a single lost password, what would need to
be changed in order to re-secure the system? If the answer is change
the passwords on a dozen machines or wholesale reconfiguration, then
your security model is broken and needs to be re-evaluated.


--
Jeff Liebermann jeffl@xxxxxxxxxxxxxxxxxxxxxx
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
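As an added illustration of the "have someone (or a script) read the log files regularly, and look for surprises and changes" advice above, here is a small log-review script. It is not code from the thread or from any router vendor; the syslog-style line format, the sample lines, and the baseline of known MAC addresses are all constructed for this example. It flags two kinds of surprise the post mentions: a DHCP lease handed to a device not in your baseline (the sort of thing a rogue access point or an unknown laptop plugged into a LAN port would produce) and an outside source that is repeatedly hitting the firewall's DROP rule.

```python
"""Review router logs for new devices and noisy external sources.

Added example, not part of the original post. The log format below is
constructed for this illustration; real routers use their own formats.
"""
import re
from collections import Counter

# Constructed sample log lines (addresses are documentation ranges).
SAMPLE_LOG = """\
Dec 23 10:01:02 router dhcpd: DHCPACK on 192.168.1.20 to 00:11:22:33:44:55 (laptop-boss)
Dec 23 10:02:10 router dhcpd: DHCPACK on 192.168.1.21 to 00:11:22:33:44:66 (desktop-1)
Dec 23 10:05:44 router kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.168.1.1 PROTO=TCP DPT=22
Dec 23 10:05:45 router kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.168.1.1 PROTO=TCP DPT=23
Dec 23 10:06:01 router kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.168.1.1 PROTO=TCP DPT=445
Dec 23 10:07:30 router dhcpd: DHCPACK on 192.168.1.77 to de:ad:be:ef:00:01 (unknown-ap)
Dec 23 10:08:12 router kernel: DROP IN=eth0 SRC=198.51.100.4 DST=192.168.1.1 PROTO=UDP DPT=1900
"""

# Baseline of devices you expect on the LAN (constructed; in practice this
# would live in a file you update when you deliberately add hardware).
KNOWN_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

DHCP_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-fA-F:]{17}) \((\S+)\)")
DROP_RE = re.compile(r"DROP IN=\S+ SRC=(\S+) DST=\S+ PROTO=(\S+) DPT=(\d+)")


def review_log(text, known_macs, drop_threshold=3):
    """Scan log text and return what changed or looks unusual.

    Returns a dict with:
      new_clients   - DHCP leases granted to MACs not in known_macs
      drops_by_src  - count of DROP lines per external source address
      noisy_sources - sources at or above drop_threshold, with the
                      destination ports they touched (sorted)
    """
    new_clients = []
    drops_by_src = Counter()
    ports_by_src = {}
    for line in text.splitlines():
        m = DHCP_RE.search(line)
        if m:
            ip, mac, host = m.groups()
            if mac.lower() not in {k.lower() for k in known_macs}:
                new_clients.append({"ip": ip, "mac": mac.lower(), "host": host})
            continue
        m = DROP_RE.search(line)
        if m:
            src, _proto, dpt = m.groups()
            drops_by_src[src] += 1
            ports_by_src.setdefault(src, set()).add(int(dpt))
    noisy = {src: sorted(ports_by_src[src])
             for src, n in drops_by_src.items() if n >= drop_threshold}
    return {
        "new_clients": new_clients,
        "drops_by_src": dict(drops_by_src),
        "noisy_sources": noisy,
    }


def format_report(report):
    """Render the review as plain text suitable for a daily e-mail."""
    lines = []
    if report["new_clients"]:
        lines.append("NEW DEVICES (not in baseline):")
        for c in report["new_clients"]:
            lines.append(f"  {c['ip']}  {c['mac']}  {c['host']}")
    if report["noisy_sources"]:
        lines.append("EXTERNAL SOURCES REPEATEDLY BLOCKED:")
        for src, ports in report["noisy_sources"].items():
            lines.append(f"  {src}  ports {ports}")
    return "\n".join(lines) if lines else "Nothing unusual."


if __name__ == "__main__":
    print(format_report(review_log(SAMPLE_LOG, KNOWN_MACS)))
```

The point of the baseline is that "surprise" only means something relative to what you already know is there: the script does not try to decide whether a device is hostile, it just tells you that something you did not expect has shown up, so a person can go and look. Run it from cron against yesterday's log and mail the output; an empty "Nothing unusual." is itself worth seeing, since it confirms the log is still being written.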