On Fri, 23 Dec 2005 10:35:21 GMT, "JM" <(E-Mail Removed)>
wrote:
>I have a NAT/SPI Router linked directly into the Cable modem, which has a
>TeamSpeak server connected to one of the LAN ports. Now to secure the rest
>of my LAN I have connected a second Router to the first one (LAN 2 WAN
>configuration), this is also a NAT/SPI Router with wireless access. Now on
>my second Router I have all but one Computer connected to the LAN ports and
>all have firewalls installed. On the wireless side I have setup WPA-PSK
>(TKIP) with 63 random ASCII characters as the key, I am also considering
>setting up a RADIUS server to secure the wireless side even more.
>
>Am I safe or is there more I can do?

There's always more that can be done. The layers added in the name of
security never seem to end. Proxy server, VPN, encrypted LAN
traffic, encrypted ethernet cards, IDS (intrusion detection system),
ad nauseam. It really depends on what you are trying to protect. The
usual mistake is physical security. I could plug a "rogue access
point" or ethernet tap into your network, and all your security is
gone. It's like locking the front door with a dozen locks, but
leaving the back door and windows wide open.

Also, real security requires log reading. You need to monitor your
network, have someone (or a script) read the log files regularly, and
look for surprises and changes. You also need to run regular exploit
scans. Putting a lock on the front door is nice, but it's useless
unless you check to see if it's still locked and functional.

Double NAT used to be called a double firewall with a DMZ
(Demilitarized Zone for those that missed Viet Nam) in between.
Servers that needed to be exposed to the internet were placed in the
DMZ with traffic controlled by the first router also known as a
"bastion host". To entertain attackers, "honey pot" servers were
often also planted in the DMZ area. The inside LAN was protected by
the 2nd router. If a server in the DMZ was compromised, it would not
affect anything on the inside LAN. It's a very good system and works
well. Complications with administrative access to the DMZ servers,
and dealing with port forwarding using double NAT make setup
interesting.

As far as the wireless is concerned, pre-shared keys are inherently
insecure. All it takes is one of your laptops or clients with the
pre-shared key installed to be compromised, and the key becomes known.
Some manufacturers encrypt the WPA keys in the registry, but few
bother to use a secure algorithm. Some even have it saved in readable
text. If the single pre-shared key is discovered, then the entire
wireless network is seriously compromised.

With RADIUS authentication, there is no single WPA key. It's
contrived for the duration of the connection and not saved anywhere. I
can sniff a connection, and extract a single key, but that only gets
me on the system for a very limited time. If you value security, do
the 802.1x thing and RADIUS server.

Incidentally, I never have much trouble with external (internet)
security. Attacks originating from the internet are not much of a
problem. Attacks from inside the LAN, originating from compromised
laptops and PDAs are what drives me nuts. The boss goes to a hotel
with his laptop, gets infected by a trojan horse, and brings the
laptop back to the office. I get to spend days cleaning out the mess.
If he's had a key logger installed, I get to change every last lousy
password on the system. The few that take it seriously (mostly for
HIPAA compliance) use X.509 certificates on USB dongles.

Try to think of security in terms of reliability. If a single point
of failure happens, such as a single lost password, what would need to
be changed in order to re-secure the system? If the answer is change
the passwords on a dozen machines or wholesale reconfiguration, then
your security model is broken and needs to be re-evaluated.
--
Jeff Liebermann
(E-Mail Removed)
150 Felker St #D
http://www.LearnByDestroying.com
Santa Cruz CA 95060
http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
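
The pre-shared key versus RADIUS point in the reply above, as an added example that is not part of the original post: in WPA-PSK every client derives the same long-lived master key from the passphrase and SSID, so one compromised laptop forces a change on every device, while 802.1X keys are per session. The device names, the passphrase/SSID pair and the rekey_scope helper are constructed for illustration, and random bytes stand in for the key an EAP exchange would produce.

```python
import hashlib
import secrets

def psk_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal master key: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def eap_session_pmk() -> bytes:
    """Stand-in for an 802.1X master key (assumption: modelled as random bytes).
    A real EAP method derives fresh keying material on every authentication."""
    return secrets.token_bytes(32)

def rekey_scope(mode: str, devices: list, compromised: str) -> set:
    """Hypothetical helper: what must be reconfigured after one device is compromised."""
    if mode == "psk":
        # The shared secret is known, so the AP and every client need a new key.
        return set(devices) | {"access-point"}
    if mode == "802.1x":
        # Only the affected user's credential is revoked on the RADIUS server.
        return {compromised}
    raise ValueError(f"unknown mode: {mode}")

# Constructed inventory for the example.
DEVICES = ["laptop-boss", "laptop-2", "pda-1", "desktop-wifi"]

def compare(passphrase: str = "password", ssid: str = "IEEE") -> dict:
    # Every device holding the passphrase computes the identical key.
    psk_keys = {psk_pmk(passphrase, ssid) for _ in DEVICES}
    # Each 802.1X login ends with its own key.
    eap_keys = {eap_session_pmk() for _ in DEVICES}
    return {
        "distinct_psk_keys": len(psk_keys),
        "distinct_eap_keys": len(eap_keys),
        "psk_rekey": rekey_scope("psk", DEVICES, "laptop-boss"),
        "eap_rekey": rekey_scope("802.1x", DEVICES, "laptop-boss"),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(name, value)
```

The size of psk_rekey compared with eap_rekey is the "what would need to be changed" test from the last paragraph of the reply, applied to the wireless key.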