The UK Home Automation Archive


Re: Home Automation - Firewalls



--- In ukha_d@xxxxxxx, "Mark McCall" <lists@a...> wrote:
> As broadband nears a reality I'm continuing to look into
> security for my home network. I have done a little reading
> and this is my (simplistic) understanding so far.
>
> 1. I need a firewall
> At this stage I plan to buy a router/firewall box

You've already got further than 95% of the owners of things
connected to the internet, so a very good start indeed.

Before you decide where to go next, you have to evaluate your
personal level of paranoia, how secure you need to be against
compromise, and if you are "hacked", how much you care. And you
need to determine how "secure" each of the things you are connecting
are.  This entire phase would formally be known as a "risk
assessment", but there's no need for an inch thick document, unless
you feel the need to write...

There are now millions of permanently connected hosts (and host
systems, like what you will have) connected to the internet, so the
chances of being spotted and singled out for a determined attack by
a determined attacker are lower than they once were; on the other
hand, there are lots more opportunities.

> 2. Anything "Public facing" should go on the De-militarised
> Zone (DMZ)

In classical network design land, this is true.  The idea of the DMZ
is to provide a "layered" collection of machines to attack, where
you have just (stripped down) bastion hosts and gateways in the DMZ,
with firewalls both sides.

The greatest advance in practical network security has been IMHO the
widespread use of NAT.  In simple form, NAT is a one way route "out"
of your network.  Sure, packets can come in, but for TCP protocols,
they are in response to an established outgoing connection.  So just
having a NAT router is enough to keep you moderately secure.

> Whilst I have nothing that needs to be open to the public I
> will need access to some things from the outside like my
> CCTV server, TiVo, Comfort etc.

You're trying to hide behind a form of words there.  If you "expose" a
service then you are "open to the public".  This is where the fun
starts.  And to make these services available, you need to poke a
hole(s) in your NAT shield.  Which most NAT boxes allow.  And they
also allow that to only happen on a port by port basis, which allows
you to easily configure a least-privilege hole.  One no wider than
necessary.  And try and stick to TCP holes; UDP holes are inherently
less secure.

You'll get lots of advice on how to do this hereabouts, and the
masochism that is necessary to make Apache into a HTTP router and
all that stuff.  I'll leave that to the others, other than
suggesting that Delegate is a lot less hassle to install and
configure than Apache for this job.

The real problem once you've poked the holes is not the holes per se,
nor the external packets floating around on your net.  It's a
question of how secure and "safe" the boxes on the inside are, and
(and this is the scary part) can they be compromised, which can then
lead to an attack on other devices on your network?

If the answer to that is yes, and it is a worry to you, then the
only realistic option is a classical DMZ with firewalls each side, or
(and it's a much less good answer) a three legged firewall.

It's back to your risk assessment. Any box you expose must be right
up there with its security patches, and administered with paranoia.
This is the true source of your worries.  If a Linux or Windows box
gets compromised, then it can be used as the enemy within.  How safe
is a TiVo?  I don't know.  Does anyone?  It was never designed to be
a publicly accessible box...

In terms of firewalls; I'm not enormously convinced of the value
they add to a small home installation.  This is because (a) NAT is so
good at keeping unwanted stuff out, (b) stateful inspection only
works on known protocols, (c) your enemies are without, not
within (unless you get compromised), and (d) to support full home
internet usage, you need to allow an awful lot of stuff through.

I can make you pretty damned secure, at a price, but you won't enjoy
it much!  How does browsing without JavaScript, VBScript and ActiveX
appeal?
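As an added illustration of the reply above (not code from the original thread), the following constructed Python model shows the two behaviours the reply leans on: a NAT router letting inbound TCP packets through only when they answer a connection opened from inside, and a single per-port "hole" forwarded to one internal host such as a CCTV server. All addresses, ports and the `NatRouter`/`Packet` names are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed model of the NAT router the post describes: a one-way route "out".
# Outbound connections are recorded; an inbound packet is accepted only if it is
# the reply to a recorded flow, or hits an explicitly configured per-port hole.
# Simplification: the router preserves the inside port number when translating.

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source address
    sport: int
    dst: str     # destination address (router's public IP for inbound packets)
    dport: int

@dataclass
class NatRouter:
    holes: dict = field(default_factory=dict)  # (proto, public port) -> inside host
    flows: set = field(default_factory=set)    # (proto, inside host, port, remote, port)

    def open_hole(self, proto, public_port, inside_host):
        """Forward one port to one host: the 'no wider than necessary' hole."""
        self.holes[(proto, public_port)] = inside_host

    def outbound(self, pkt):
        """LAN -> internet: always allowed, and remembered so replies can return."""
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt):
        """internet -> LAN: return the inside host that gets the packet, or None (dropped)."""
        for proto, host, hport, remote, rport in self.flows:
            if (proto, remote, rport, hport) == (pkt.proto, pkt.src, pkt.sport, pkt.dport):
                return host                                # reply to our own connection
        return self.holes.get((pkt.proto, pkt.dport))     # explicit hole, else None

def demo():
    """Walk through the cases discussed in the thread (addresses are constructed)."""
    r = NatRouter()
    r.open_hole("tcp", 8080, "10.0.0.5")                               # CCTV web port only
    r.outbound(Packet("tcp", "10.0.0.7", 40000, "198.51.100.9", 80))   # a PC browses a site
    return {
        "reply": r.inbound(Packet("tcp", "198.51.100.9", 80, "203.0.113.1", 40000)),
        "unsolicited": r.inbound(Packet("tcp", "198.51.100.9", 4444, "203.0.113.1", 445)),
        "cctv_hole": r.inbound(Packet("tcp", "198.51.100.9", 5000, "203.0.113.1", 8080)),
        "udp_same_port": r.inbound(Packet("udp", "198.51.100.9", 5000, "203.0.113.1", 8080)),
    }

if __name__ == "__main__":
    for case, host in demo().items():
        print(f"{case:14s} -> {host or 'dropped'}")
```

The unsolicited packet and the UDP probe to the TCP-only hole are dropped, which is the "moderately secure" baseline the reply credits to NAT; the forwarded port is the one exposure the inside host's own patching and administration then has to carry.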
