Date:      Mon, 16 Oct 2017 15:13:49 -0700
From:      "Ronald F. Guilmette" <rfg@tristatelogic.com>
To:        freebsd-security@freebsd.org
Subject:   WPA2 bugz - One Man's Quick & Dirty Response
Message-ID:  <25911.1508192029@segfault.tristatelogic.com>


Just like everybody else on this list, I guess, I'm rather less than
happy about the WPA2 story that has emerged within the past 24 hours.

Due to the announcement that WPA2 is, apparently, badly broken, I'm
trying now to figure out how to lock down my home network a little
better... as, I suspect, are many others all over the world... at
least until the equipment vendors get around to issuing firmware patches.

Up until last night, when I read the WPA2 news, I just blindly trusted
everything on my local network, with the result being that I've got
an /etc/exports file, and also its Samba equivalent, that are making
each of the several top-level directories that hold most of the stuff
on my central FreeBSD "file server" machine available, without restriction,
to the local subnet as follows:

#/etc/exports
/home/mini-me -alldirs -network 192.168.1.0 -mask 255.255.255.0
/one -alldirs -network 192.168.1.0 -mask 255.255.255.0
/two -alldirs -network 192.168.1.0 -mask 255.255.255.0
/three -alldirs -network 192.168.1.0 -mask 255.255.255.0

(There's basically equivalent stuff also in my Samba config files.)

In light of the recent WPA2 disclosures, it has occurred to me that
as of today it may be a Bad Idea for me to be exporting all of this
stuff, read/write, to all of 192.168.1.0/24.

I'm fortunate, because I just have a simple little home network, and
there are only, at most, a handful of devices on it.

I've already taken the step of (re-)configuring all of my hardwired
devices so that they are all using static IPs within just the
192.168.1.16/28 sub-block.  These machines... my hardwired ones...
are the ones I intend to continue to trust completely.  They will
continue to have read/write access to all of the directories mentioned
above.

I've also just diddled my router config so as to have it issue local
IP addresses to DHCP clients within just the 192.168.192.0/26 range.
This is going to be a range that I only trust marginally from now on,
i.e. just enough to have read-only access to -just- my content directories
/one, /two, and /three.

Basically, I'm just arranging things so that all my hardwired stuff is
on static IPs, within a limited little subnet, and all of my WiFi stuff
will continue to do DHCP, also within a limited, but different subnet.

So, based on all of the foregoing, my new /etc/exports file will look
something like this:

# trusted
/home/mini-me -alldirs -network 192.168.1.16 -mask 255.255.255.240
/one -alldirs -network 192.168.1.16 -mask 255.255.255.240
/two -alldirs -network 192.168.1.16 -mask 255.255.255.240
/three -alldirs -network 192.168.1.16 -mask 255.255.255.240
# semi-trusted
/one -ro -alldirs -network 192.168.1.192 -mask 255.255.255.192
/two -ro -alldirs -network 192.168.1.192 -mask 255.255.255.192
/three -ro -alldirs -network 192.168.1.192 -mask 255.255.255.192

... and I'll make similar adjustments also in my Samba config files.

Well, anyway, this is my plan at the moment.  I'd be happy to have any
critiques or helpful suggestions.

Of course, none of this is optimal... not like having real working
WiFi security would be.  But in my specific case, if somebody manages
to get in and fiddle, in arbitrary ways, with the communications between
my WiFi devices... which mostly consist of just "home theater" type
stuff in the living room... then it will be no biggie, just as long as
whoever is doing it will, at worst, just have read-only access to my
content files.

I can live with that, I think, at least until the firmware cavalry arrives.


Regards,
rfg

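Added example (not part of the message above, and not FreeBSD's own code): a small Python model of how the proposed "trusted / semi-trusted" exports file maps client addresses to access, so the split can be checked before mountd is reloaded. The exports text is copied from the message; the sample client addresses are constructed. The model assumes that when more than one export line for a path matches a client, the most specific network wins; for the two disjoint ranges in this file the choice never arises.

```python
"""Model FreeBSD-style /etc/exports -network/-mask matching.

Added example; not from the original message. Parses export lines,
then reports which access ('rw', 'ro' or none) a given client address
receives for each exported path.
"""
import ipaddress

# Constructed copy of the proposed exports file from the message.
EXPORTS = """\
# trusted
/home/mini-me -alldirs -network 192.168.1.16 -mask 255.255.255.240
/one -alldirs -network 192.168.1.16 -mask 255.255.255.240
/two -alldirs -network 192.168.1.16 -mask 255.255.255.240
/three -alldirs -network 192.168.1.16 -mask 255.255.255.240
# semi-trusted
/one -ro -alldirs -network 192.168.1.192 -mask 255.255.255.192
/two -ro -alldirs -network 192.168.1.192 -mask 255.255.255.192
/three -ro -alldirs -network 192.168.1.192 -mask 255.255.255.192
"""


def parse_exports(text):
    """Return a list of (path, access, network) tuples.

    access is 'rw' unless -ro is present.  network is an IPv4Network
    built from -network and -mask; -network may also carry a /prefix.
    Only the options used in the message are understood here.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments / blanks
        if not line:
            continue
        tokens = line.split()
        path, access, network, mask = tokens[0], "rw", None, None
        i = 1
        while i < len(tokens):
            tok = tokens[i]
            if tok == "-ro":
                access = "ro"
            elif tok == "-network":
                i += 1
                network = tokens[i]
            elif tok == "-mask":
                i += 1
                mask = tokens[i]
            i += 1
        if network is None:
            raise ValueError(f"no -network on line: {raw!r}")
        spec = network if mask is None else f"{network}/{mask}"
        # strict=False keeps host bits (e.g. 192.168.1.16/28 is fine).
        rules.append((path, access, ipaddress.ip_network(spec, strict=False)))
    return rules


def access_for(rules, path, client):
    """Access the client gets to path: 'rw', 'ro' or None.

    Assumption of this model: if several lines for the same path match,
    the most specific (longest prefix) network decides.
    """
    addr = ipaddress.ip_address(client)
    best = None
    for rule_path, access, net in rules:
        if rule_path == path and addr in net:
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (access, net)
    return None if best is None else best[0]


def access_matrix(rules, clients):
    """{client: {path: access}} for every exported path and sample client."""
    paths = sorted({p for p, _, _ in rules})
    return {c: {p: access_for(rules, p, c) for p in paths} for c in clients}


def unexpected_access(rules, clients, expected):
    """Return (client, path, got, wanted) for every mismatch against the
    expected policy, so a bad mask shows up before it is deployed."""
    problems = []
    for client, per_path in access_matrix(rules, clients).items():
        for path, got in per_path.items():
            wanted = expected(client, path)
            if got != wanted:
                problems.append((client, path, got, wanted))
    return problems


if __name__ == "__main__":
    rules = parse_exports(EXPORTS)
    # Constructed sample clients: wired /28, WiFi /26, and leftover /24.
    for client, per_path in access_matrix(
            rules, ["192.168.1.17", "192.168.1.200", "192.168.1.5"]).items():
        print(client, per_path)
```

The check worth keeping around is `unexpected_access`: feed it a handful of addresses from each range plus a few from the rest of the /24 and an `expected` function that encodes the intended policy, and any slip in a `-mask` value shows up as a mismatch. One limitation the model makes visible rather than fixes: both ranges live in the same 192.168.1.0/24, so the rw/ro split rests entirely on which source address a host presents. A host on the WiFi segment that configures itself a static address inside 192.168.1.16/28 is, to mountd, a trusted host, because NFS with AUTH_SYS checks nothing beyond the address. Putting the WiFi clients on a separate VLAN or a second subnet behind the router, or moving to Kerberos-authenticated NFS, would be needed to make the distinction hold up against an attacker who is already on the wireless network.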


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?25911.1508192029>