Tuesday 25 April 2017

Securely implementing a home network



As we speak I am currently in the process of designing my new home, lucky enough myself and my wife to be are in the position where we get to build from scratch. The beauty with building from scratch is of course you start with a blank canvas. We are at the stage where all the necessities have been figured out such as heating systems, insulation, build type, house size etc so its time to get to the really fun part... the home network.

Having past my CCNA over 3 years ago, my networking has gone a tad off the boil so this is  a great excuse to get myself back up to scratch. The beauty with building a network from scratch is you can do whatever you want and that is exactly what I plan on doing. As I do work in security I won't be detailing the underlying hardware components but I will give the high level view.

My first consideration is cable type and at a little more expense I have decided to run with CAT 6A throughout the house, remember if you chose CAT 6A make sure your wall jacks are also CAT 6A and any other network hardware component that delivers connectivity throughout your home.
For flexibility I will be running with un-shielded pair CAT 6A and I am also going to run in some external cable in case I ever decide to run CCTV.

I aim to install approximately 26 ports internally and a number externally so I have chosen a 48 port managed switch to connected everything to.
Choosing your switch is important from a network security and stability perspective you should try get a switch that supports, multiple VLANS, QoS, Access Controls Lists, IP Source Guard, Port-level controls, Dynamic ARP inspection. This will cost a few bob but will give you great control over how your network works. The above are just examples of a few security features and if you want to know more about each I'm sure google will be an obliging teacher.

From a general helpfulness note when you pull in your cables label each one on the wall and give it a corresponding number of the switch. This practice can be a pain in the ass but you will thank yourself later. Once you have your ports labelled and patched its time to decide the function of each port and make a list.

I suggest grouping the ports that will carry the same traffic together such as:

- Wireless Access Point traffic
- VOIP traffic
- IOT devices
- Media and Smart TVs
- Home Heating System / Solar
- CCTV
- Office

Once you have worked out what ports are mapping to what service group these ports into VLANs, this will help protect your traffic  by segregating your services and helping to aggregate your network.

For ports where the devices wont change I suggest binding the MAC address to add a small bit of integrity. Switches with QoS options are great as you can now easily configure what traffic you want to give priority to such as VOIP or media. This gives you a more granular control over how your networked devices will work.

I suggest you also buy a switch that has a number of gigabit up-link ports so you can connect into your router.
For my choice of router I want something that is capable of holding a solid baseline and is powerful, I also want it to be able to handle VOIP traffic and run a VPN. Installing a VPN at the router level can cause issues so unless your technical I might skip this part remember I have no problem spending my weekends fluting around with this stuff till its fine tuned.

There is also the option to add in additional security such as firewalls or I could fire up SNORT to give me some intrusion detection capabilities all of which I have ample time to prepare for. The main point of this post is that implementing a home network should cause you to think about how you want it to work, what you want to use it for and how secure you want to be. If your not technical leave it to the pros but make sure you get someone who knows what there doing or you could be exposing yourself to a whole world hurt. 
Posted by at No comments:
Labels: , , ,

Sunday 23 April 2017

NSA hacking tools enabling script kiddies and criminals


 

When you create an arsenal of powerful hacking tools to rip through the privacy rights of citizens with the goal of national security as the driver what could possibly go wrong? Well in the case that you lose all of those tools and they fall into the arms of criminals and script kiddies the dangers become all to real. 

Last week, the mysterious hacking group known as Shadow Brokers leaked a set of Windows hacking tools targeting Windows XP, Windows Server 2003, Windows 7 and 8, and Windows 2012, allegedly belonged to the NSA's Equation Group. 
 
As expected Microsoft quickly downplayed the security risks by releasing patches for all exploited vulnerabilities, but there are still risks in the wild with unsupported systems as well as with those who haven't yet installed the patches. And believe me knowing how a lot of companies tend to handle patch management that's a lot of servers that are quickly becoming targets. Just to back up that statement multiple security researchers have performed mass Internet scans over the past few days and found tens of thousands of Windows computers worldwide infected with DoublePulsar, a suspected NSA spying implant, as a result of a free tool released on GitHub for anyone to use.

The hackers news have done a good article on this explaining the ins and outs of the tools and the issues that organisation may face if effective patching does not take place which I have inserted below.

The impact? DoublePulsar is a backdoor used to inject and run malicious code on already infected systems, and is installed using the EternalBlue exploit that targets SMB file-sharing services on Microsoft's Windows XP to Server 2008 R2.

Therefore, to compromise a machine, it must be running a vulnerable version of Windows OS with an SMB service expose to the attacker.

Both DoublePulsar and EternalBlue are suspected as Equation Group tools and are now available for any script kiddie to download and use against vulnerable computers.

Once installed, DoublePulsar used hijacked computers to sling malware, spam online users, and launch further cyber attacks on other victims. To remain stealthy, the backdoor doesn't write any files to the PCs it infects, preventing it from persisting after an infected PC is rebooted. While Microsoft has already patched majority of the exploited flaws in affected Windows operating systems, those who have not patched are vulnerable to exploits such as EternalBlue, EternalChampion, EternalSynergy, EternalRomance, EmeraldThread, and EducatedScholar.

Moreover, systems that are still using end-of-life platforms like Windows XP, Windows Server 2003, and IIS 6.0, which no longer received security updates, are also vulnerable to the in-the-wild exploits.

Since it takes hackers roughly a few hours to download the Shadow Brokers dump, scan the Internet with the tool released on Monday, and deliver hacking exploits, researchers are expecting more vulnerable and unpatched computers to fall victims to DoublePulsar.

After this news had broken, Microsoft officials released a statement saying: "We doubt the accuracy of the reports and are investigating."

Meanwhile, Windows users who haven't applied MS17-010 by now are strongly advised to download and deploy the patches as soon as possible.

Posted by at No comments:
Labels: , , , ,
Subscribe to: Posts (Atom)