Tuesday, April 22, 2014

Home Network Perimeter Security (or what can I do besides that old WiFi router?)

Home networks - gotta love them.  Where would we be without WiFi?  Can't even fathom this!  Just like anything else, our networks need some TLC, including security.

Your home router fulfills a bunch of tasks, including assigning IP addresses to your local devices (that's called having a DHCP server), managing WiFi connections, and firewalling, which is what really interests us today.  A firewall is the part that keeps (or tries to keep) the bad stuff on the Internet and outside your network, and there are plenty of choices out there; let's review them from weakest to strongest.

  1. Old WiFi router from the "heyday": we all had one of those generation-1-type devices.  Think of the trusty Linksys WRT54G, old D-Links and such.  Their firewall technology is known as "NAT" or Network Address Translation.  NAT is primarily used to map traffic between your network and the Internet, so the replies YouTube sends to little Robert's iPad are redirected to him and not to his sister's laptop.  That's essential, but from a security perspective, ouch, and I'll spare you the details.

    Consumer wisdom: ditch these old routers now.  Also, WiFi encryption on these may be limited to WEP or WPA (not WPA2), so your neighbors can decide to look into your network, not fun.  WEP and WPA are fairly easy to hack these days.
  2. Newer WiFi routers are much better as they're all equipped with "stateful" firewalls, which do a whole lot more checks to validate whether the traffic is desirable or not.  Make sure anything you buy comes with a "stateful" firewall.  On the plus side, they're not more expensive :)
  3. Hacker firmware on routers has been around for a number of years now.  It all started with the Linksys WRT54G and open-source components (Linux stuff), which grew into mature, stable and more feature-rich firmware than the manufacturers'.  So much so that some WiFi router manufacturers now bundle some of these open-source alternatives by default; the most common is DD-WRT.

    With DD-WRT you can take that $50 router of yours and turn it into a $150+ device from a feature perspective, with multiple SSIDs, guest networks, VPN servers, PBX and soooo much more that the common user might just get lost in the process.  So here is my warning: if you can't format a USB key, stay away.  If you feel adventurous and are willing to read/post in forums and consult guides, give it a whirl.  I used DD-WRT for years until recently, when I upgraded my WiFi router but made sure that the new unit supports it.
  4. Recycled PC firewalls are what I use these days.  I had this AMD X2 350 with 6GB of RAM gathering dust, which I converted to a full-featured firewall with a second network card (you need one for your ISP, one for your network).  This is by far the most powerful security approach when you choose a firewall package which is complete and frequently updated, such as Endian, Untangle, Smoothwall and Sophos Home UTM (which I adopted: a free commercial-grade product with features and updates, can't beat that!).

    If you wish to go down that road, make sure you do your homework first, and you need to re-think your network to some extent because your wireless router is no longer the customs agent at the door.  You need to disable the DHCP server in your WiFi router (it keeps serving WiFi), otherwise it will compete with the DHCP server in the firewall and your network will just not work.
Regardless of what you choose, make sure you check on a monthly basis for updates; nothing like leaving security holes wide open and unpatched to attract problems.  It's not like you have mission-critical information on your network, but you still want to avoid problems.
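    To make the difference between items 1 and 2 concrete, here is a small added Python model (my own illustration, not code from this post or from any router firmware) that pushes a constructed sequence of packets through both kinds of box.  The NAT-only box is modelled as a full-cone NAT, the weakest variant, which forwards anything that reaches a mapped public port; the stateful box keeps a connection table and only admits replies to connections a LAN device opened.  Addresses, ports and the 300-second idle timeout are assumptions.

```python
"""Toy model: NAT-only router versus stateful firewall.

Added illustration, not code from the post. Both boxes share the same
public address and the same port mapping; only the inbound decision differs.
All addresses below are constructed (documentation ranges)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" = LAN -> Internet, "in" = Internet -> LAN
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    t: int = 0          # arrival time in seconds, used for the idle timeout


class NatOnlyRouter:
    """First-generation box modelled as a full-cone NAT: it only remembers
    'LAN socket -> public port', so any Internet host that sends to a mapped
    public port is forwarded to the LAN device behind it."""

    def __init__(self, public_ip="203.0.113.10"):
        self.public_ip = public_ip
        self.port_map = {}          # (lan_ip, lan_port) -> public_port
        self.next_port = 40000      # assumed first port of the NAT pool

    def handle(self, pkt):
        if pkt.direction == "out":
            key = (pkt.src_ip, pkt.src_port)
            if key not in self.port_map:
                self.port_map[key] = self.next_port
                self.next_port += 1
            return "forwarded"
        for (lan_ip, lan_port), public_port in self.port_map.items():
            if pkt.dst_ip == self.public_ip and pkt.dst_port == public_port:
                # No check on who is sending: the mapping alone decides.
                return f"delivered to {lan_ip}:{lan_port}"
        return "dropped"


class StatefulFirewall(NatOnlyRouter):
    """Same mapping, plus a connection table keyed on the full peer tuple.
    Inbound traffic is admitted only if it matches a connection that a LAN
    device opened and that has not gone idle."""
    IDLE_TIMEOUT = 300   # assumed idle timeout in seconds

    def __init__(self, public_ip="203.0.113.10"):
        super().__init__(public_ip)
        # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port, last_seen)
        self.conntrack = {}

    def handle(self, pkt):
        if pkt.direction == "out":
            super().handle(pkt)     # allocate the public port if needed
            public_port = self.port_map[(pkt.src_ip, pkt.src_port)]
            self.conntrack[(public_port, pkt.dst_ip, pkt.dst_port)] = (
                pkt.src_ip, pkt.src_port, pkt.t)
            return "forwarded"
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        entry = self.conntrack.get(key)
        if entry is None or pkt.dst_ip != self.public_ip:
            return "dropped"        # unsolicited, or from a different peer
        lan_ip, lan_port, last_seen = entry
        if pkt.t - last_seen > self.IDLE_TIMEOUT:
            del self.conntrack[key]
            return "dropped"        # state expired, treat as unsolicited
        self.conntrack[key] = (lan_ip, lan_port, pkt.t)
        return f"delivered to {lan_ip}:{lan_port}"


# Constructed traffic: the iPad talks to a video site, the site replies,
# then an unrelated host pokes the same mapped port, and much later the
# video site sends again after the connection has been idle.
TRAFFIC = [
    Packet("out", "192.168.1.20", 51000, "198.51.100.10", 443, t=0),
    Packet("in", "198.51.100.10", 443, "203.0.113.10", 40000, t=1),
    Packet("in", "198.51.100.77", 443, "203.0.113.10", 40000, t=2),
    Packet("in", "198.51.100.10", 443, "203.0.113.10", 40000, t=900),
]


def run(box):
    """Return the verdict for each packet in TRAFFIC, in order."""
    return [box.handle(p) for p in TRAFFIC]


if __name__ == "__main__":
    print("NAT only :", run(NatOnlyRouter()))
    print("stateful :", run(StatefulFirewall()))
```

    Running it shows the NAT-only box delivering all three inbound packets to the iPad, stranger and stale reply included, while the stateful box delivers only the genuine reply and drops the other two.  That gap is the "ouch" in item 1.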

A few parting items:
  • Look at your options based on your geekhood; emerging geeks should stick to commercial products or face the wrath of the spouse (been there)
  • If you have an old router, recycling is a good option; don't leave it in your network and don't trash it
  • For some old routers, check out DD-WRT, you might breathe some life into your gear for $0
'hope this helps, post comments for questions!

Thursday, April 10, 2014

Prog Thursday: The World is a Game by Mystery

This is *yet* another band I started listening to because of them playing on an online radio station, probably www.morow.com.   Without these stations, I'd be lost!

Now to the subject at hand: Mystery.  This is a band from not too far from here, in the greater Montreal area, and their lead singer is Benoit David (yes, the guy who took over from Jon Anderson in Yes from 2008 to 2012).

What caught my attention was the way the band sounds: smart.  Some prog bands try too hard, but these guys have a great sound, and as soon as I could I pre-ordered the latest album, The World is a Game.  I'd say this is for fans of Pendragon and Marillion; it's just good.  So good that I got the other album, One Among the Living, as well.  Here is a sample and one of the best tracks on the album:



Highly recommend you give this band a chance, you can buy it here.

Friday, April 4, 2014

Managing parental controls in a multi-platform household

Every day, parents out there have their kids go on the Internet with an assortment of devices found in the household, and the traditional filtering methods are no longer effective, as they need to be installed locally on each device.

So how do you control the content your kids access through their iPhone / iPod / iPad / Android / Blackberry / Windows Mobile / PS3 / PS4 / XBox 360 / XBox One / Wii / Wii U / Smart TV / laptop / desktop / etc?

You filter centrally at the Internet access source: the router/firewall.  All the devices, regardless of what they are, need to go through that choke point, so let's capitalize on it.

Home-based routers come with some basic blocking tools for the most part, but since they require you to manually add sites one by one (augh), consider them pretty much useless.

Now let's look at something much stronger, effective and free: OpenDNS.  This service is based on DNS (the Internet equivalent of the white pages, which translates domain names like google.com to an IP address like 74.125.226.99).  You need to open an account, and you can use their parental controls for free if you are a home user.  They even have a service named Family Shield (again free) designed to block adult web sites.  They also have a paid option for those who want support.  You need to replace your ISP's DNS entries in your router with the OpenDNS ones (easy, trust me), and they have guides for most brands.

Once you set this up, you need to log on to their web site to configure your preferences (what you want to block, the blocking message, etc.) and you're off to the races.  You also need their DNS updater software running on a PC/Mac which is "always on", since your ISP most likely gives you a dynamic IP address (it changes on a regular basis) and OpenDNS identifies you by that IP address.  You get this software here.
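Here is an added Python model of how a DNS-based filter of this kind works (my own illustration, not OpenDNS's code): a resolver that answers blocked names with the address of a block page instead of the real address, matches names by domain suffix so a whole site is covered, and picks a household's policy by the public IP address the query comes from, which is exactly why the updater software matters when that address changes.  The domains, the category lists, the block-page address and every IP except the one quoted above are constructed.

```python
"""Model of DNS-based content filtering as described in the post.
Added illustration, not OpenDNS code; names, addresses and categories
are constructed stand-ins."""

BLOCK_PAGE = "203.0.113.254"          # constructed address of the block page

# Constructed stand-in for the Internet white pages (name -> address).
UPSTREAM = {
    "www.google.com": "74.125.226.99",      # the address quoted in the post
    "homework.example.org": "203.0.113.20",
    "casino.example.net": "203.0.113.30",
    "ads.tracker.example.net": "203.0.113.40",
}

# Constructed category lists. Matching is by domain suffix, so a listed
# tracker.example.net also covers ads.tracker.example.net.
CATEGORIES = {
    "gambling": {"casino.example.net"},
    "advertising": {"tracker.example.net"},
}


def suffixes(name):
    """'a.b.c' -> ['a.b.c', 'b.c', 'c'], lower-cased, trailing dot removed."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


class Policy:
    """What one household configures on the service's web site."""

    def __init__(self, blocked_categories=(), always_allow=(), always_block=()):
        self.blocked_categories = set(blocked_categories)
        self.always_allow = {d.lower() for d in always_allow}
        self.always_block = {d.lower() for d in always_block}

    def block_reason(self, name):
        cands = suffixes(name)
        if any(s in self.always_allow for s in cands):
            return None                         # an explicit allow wins
        if any(s in self.always_block for s in cands):
            return "custom block list"
        for cat in sorted(self.blocked_categories):
            if any(s in CATEGORIES.get(cat, ()) for s in cands):
                return "category " + cat
        return None


class FilteringService:
    """The resolver side. Policies are keyed on the household's public IP,
    so a query from an address the service does not know is answered
    without any filtering."""

    def __init__(self):
        self.policies = {}        # public_ip -> Policy
        self.log = []             # (client_ip, name, verdict)

    def register(self, public_ip, policy):
        self.policies[public_ip] = policy

    def update_ip(self, old_ip, new_ip):
        """What the always-on updater does after the ISP changes the address."""
        if old_ip in self.policies:
            self.policies[new_ip] = self.policies.pop(old_ip)

    def resolve(self, client_ip, name):
        name = name.lower().rstrip(".")
        policy = self.policies.get(client_ip)
        reason = policy.block_reason(name) if policy else None
        if reason:
            self.log.append((client_ip, name, "blocked: " + reason))
            return BLOCK_PAGE
        answer = UPSTREAM.get(name)       # None plays the role of NXDOMAIN
        self.log.append((client_ip, name, "allowed" if answer else "nxdomain"))
        return answer


def demo():
    """Walk through a household's day; returns the five answers in order."""
    svc = FilteringService()
    svc.register("203.0.113.10", Policy(blocked_categories={"gambling", "advertising"},
                                        always_allow={"www.google.com"}))
    blocked = svc.resolve("203.0.113.10", "casino.example.net")
    sub = svc.resolve("203.0.113.10", "ADS.tracker.example.net.")   # suffix match
    allowed = svc.resolve("203.0.113.10", "homework.example.org")
    # The ISP hands out a new address; until the updater runs, queries
    # from the household arrive as an unknown client and are not filtered.
    stale = svc.resolve("203.0.113.11", "casino.example.net")
    svc.update_ip("203.0.113.10", "203.0.113.11")
    fixed = svc.resolve("203.0.113.11", "casino.example.net")
    return blocked, sub, allowed, stale, fixed


if __name__ == "__main__":
    for answer in demo():
        print(answer)
```

The fourth answer in the demo is the real casino address, not the block page: that is the window the updater closes, and it is the reason the post insists on an "always on" machine running it.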


I've recently moved away from OpenDNS for reasons other than their ability to deliver, really geeky but that's for another day.  In my setup at home I don't use a WiFi router to manage my ISP connection but a commercial-grade firewall (Sophos UTM Home Edition) which includes content filtering.  I think it's decent and does the job, but since this firewall is free for home use, it does not let me customize the blocking messages; no matter, we're only 4 in this household.  This method with Sophos is not for the faint-of-heart home user who has issues installing a printer, shall we say; it requires some basic networking knowledge.  But if you're willing to give this a spin you'll find it rewarding.  You need a PC with 2 network cards that will be dedicated to the role of firewall exclusively (unless you go with a VM, but that's another discussion!).

So what's the best method?  Education: talk to your kids.  Stuff found on the Internet is not always kid-friendly, and you have to teach them that part before deploying stuff.  Then you geek out and install something.

'hope this was useful - leave comments if you have questions and/or suggestions!