IPsec – My LAN, Your LAN, Our LAN

For about a year I have wanted to get an IPsec tunnel between me and my parents’.  This will allow me to drop a server there and store offsite information.  More importantly, it helps me troubleshoot their issues.  Multi-vendor IPsec is never easy, but since IPsec is a standard it will always work.  I’ve been slowly learning Ubiquiti’s EdgeOS (Vyatta).  The command structure is very similar to Juniper’s JunOS.  Given that I’m not 100% familiar with EdgeOS, I’ve been using templates and code snippets from across the internet.  As with any such snippet, one cannot simply copy/paste.  These generic rules might not be efficient in everyone’s case.  I have modified my install heavily.  For example, I use WA8LIV.com as one of the hosts.  On consumer-grade internet, my IP address could change.  With Dynamic DNS updates, the tunnel fixes itself.  My parents are also now using Dynamic DNS.


The need for a better home router (Part 2 of probably many)

If you’re like I am, you would like a great home router that is well above consumer grade.  Linksys and D-Link simply won’t do, but one can find some pretty good gear that might be interesting and fulfill actual needs.  For anyone that knows me, I’ve always supported Ubiquiti Networks for their cheap entry-level professional gear; I will here too, but only because I feel they provide great gear for a great price and will meet the requirements given.

The need for a better home router (Part 1 of probably many)

A few months ago, I took the plunge and finally acquired better networking gear for the home.  For years, I have worked with professional equipment at Ohio University and on the job with Progressive.  For some reason, when I came home, names like Linksys and Asus became reasonable options for routers and switches.  DD-WRT and flashing my router were commonplace, as I could “upgrade” my consumer gear to something that was still consumer.  Not really an upgrade…

I finally chose to get a tiny APU4, a low-power, server-esque device that can run pfSense.  pfSense has been a pleasure!  It’s got really neat graphs, packet captures on every port, logging, NTP, all the bells and whistles a developing network engineer could want.  One of the best features is that it can run Snort as a downloadable package.  Snort is an intrusion prevention system and intrusion detection system, or IPS/IDS.

The ability to run Snort has opened my eyes to why the consumer needs a better home router.  Snort can identify patterns or signatures of various known attacks and can deflect them based on these known patterns.  These patterns can be updated and are updated very frequently.  It will log these patterns and hopefully deflect the attacks.  It has been written (by USA Today) that a Windows XP SP1 computer can be hacked within 4 minutes.  A home firewall is simply not enough, or sophisticated enough, to catch and defend against complex attacks.  Home firewalls typically include basic firewalls designed for NAT.  This no longer applies, though, as NAT is no longer needed with IPv6.  A buddy and I have always joked that NATing is “a poor man’s firewall.”  I certainly will not condone using NAT as a firewall, as that is not its intended purpose.
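To make the “known patterns” idea concrete, here is a tiny signature-based detector written for this post (it is an added example, not Snort’s code and not one of Snort’s rule sets).  It mimics the shape of a Snort rule (a `msg`, a port filter and a `content` pattern), runs two constructed signatures over a handful of constructed request log lines, and then builds the same kind of “blocked hosts in the past hour” summary that pfSense shows.  Everything in it (the signature IDs, the IP addresses, the timestamps, the log format) is made up for the example.

```python
"""Minimal signature-based detector in the spirit of Snort (added example,
not Snort's own code).  Signatures, log lines and addresses are constructed."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed signatures.  Each one has a Snort-style sid/msg, a destination
# port it applies to and a content pattern; these are NOT real Snort rules.
SIGNATURES = [
    {"sid": 1000001, "msg": "SQL injection attempt in query string", "port": 80,
     "pattern": re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s+1\s*=\s*1)")},
    {"sid": 1000002, "msg": "Directory traversal attempt", "port": 80,
     "pattern": re.compile(r"\.\./\.\./")},
]

# Constructed log excerpt: timestamp | source IP | destination port | payload.
# The 08:10 entry is deliberately older than an hour so it drops out of the
# hourly summary below.
SAMPLE_LOG = """\
2016-03-01 10:02:11|203.0.113.5|80|GET /index.php?id=1' OR 1=1-- HTTP/1.1
2016-03-01 10:05:40|198.51.100.7|80|GET /images/../../etc/passwd HTTP/1.1
2016-03-01 10:07:02|203.0.113.5|80|GET /?q=1 UNION SELECT user,pass FROM users HTTP/1.1
2016-03-01 10:30:15|192.0.2.9|443|GET /mahjong HTTP/1.1
2016-03-01 08:10:00|198.51.100.7|80|GET /images/../../boot.ini HTTP/1.1
"""

# Constructed "now" used when the hourly report is produced.
REPORT_TIME = datetime(2016, 3, 1, 10, 45, 0)


def parse_line(line):
    """Split one pipe-delimited log line into a small event dict."""
    ts, src, port, payload = line.split("|", 3)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "src": src,
        "port": int(port),
        "payload": payload,
    }


def match_signatures(event):
    """Return every signature whose port matches and whose pattern is found."""
    return [
        sig for sig in SIGNATURES
        if sig["port"] == event["port"] and sig["pattern"].search(event["payload"])
    ]


def run_detector(log_text):
    """Produce one alert per (event, matching signature), like an IDS log."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        for sig in match_signatures(event):
            alerts.append({"ts": event["ts"], "src": event["src"],
                           "sid": sig["sid"], "msg": sig["msg"]})
    return alerts


def blocked_hosts_last_hour(alerts, now=REPORT_TIME):
    """Count alerting source hosts in the hour before `now` (the pfSense-style
    'blocked hosts in the past hour' view)."""
    window_start = now - timedelta(hours=1)
    return Counter(a["src"] for a in alerts if window_start <= a["ts"] <= now)


if __name__ == "__main__":
    found = run_detector(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']}  {a['src']:<14} sid={a['sid']}  {a['msg']}")
    print("Blocked hosts in the past hour:", dict(blocked_hosts_last_hour(found)))
```

Real Snort does this matching inline on packets rather than on a text log, and a rule carries far more than a single regex (flow state, offsets, thresholds), but the structure is the same: a signature library that is easy to update, a match step, and a log of what fired and from where.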

[Figure: Blocked hosts in the past hour]

[Figure: Recent attack signatures identified by Snort]

With Snort, I can view the attempted attacks within the past hour and see what the attack signature was.  Even as an IT professional specializing in networking, these logs hit home.  I knew that the world is a dangerous place, but I did not expect some of the complex attacks Snort is defending against.  Attempted SQL injections on my public IP address surprised me, as I wasn’t running any servers when I first installed Snort.

These logs shocked me.  Home routers need to up their game, in my opinion.  I am hosting a Pi as a webserver, with protected ports, but what about grandma who just wants to play Mahjong and check email?  She probably won’t have IDS/IPS at home and is being attacked just like I am, but is her system defending?

Protect yourself, and realize that I focused primarily on IPS/IDS here.  I didn’t even begin to mention how vulnerable the Linksys and Asus routers actually are.  I’ll let these links [1, 2] do the talking for now.  Even pfSense is vulnerable, but the ability to catch patterns could secure even those vulnerabilities.

I’ll probably do a few more of these focusing on other areas.  I’ve been so impressed with Snort that it deserved “first dibs.”