From: "Ronald F. Guilmette"
To: freebsd-security@freebsd.org
Subject: WPA2 bugz - One Man's Quick & Dirty Response
Date: Mon, 16 Oct 2017 15:13:49 -0700
Message-ID: <25911.1508192029@segfault.tristatelogic.com>

Just like everybody else on this list, I guess, I'm rather less than happy about the WPA2 story that has emerged within the past 24 hours.

Due to the announcement that WPA2 is, apparently, badly broken, I'm trying now to figure out how to lock down my home network a little better... as, I suspect, are many others all over the world... at least until the equipment vendors get around to issuing firmware patches.

Up until last night, when I read the WPA2 news, I just blindly trusted everything on my local network, with the result being that I've got an /etc/exports file, and also its Samba equivalent, that are making each of the several top-level directories that hold most of the stuff on my central FreeBSD "file server" machine available, without restriction, to the local subnet as follows:

    #/etc/exports
    /home/mini-me -alldirs -network 192.168.1.0 -mask 255.255.255.0
    /one -alldirs -network 192.168.1.0 -mask 255.255.255.0
    /two -alldirs -network 192.168.1.0 -mask 255.255.255.0
    /three -alldirs -network 192.168.1.0 -mask 255.255.255.0

(There's basically equivalent stuff also in my Samba config files.)

In light of the recent WPA2 disclosures, it has occurred to me that as of today it may be a Bad Idea for me to be exporting all of this stuff, read/write, to all of 192.168.1.0/24.

I'm fortunate, because I just have a simple little home network, and there are only, at most, a handful of devices on it. I've already taken the step of (re-)configuring all of my hardwired devices so that they are all using static IPs within just the 192.168.1.16/28 sub-block. These machines... my hardwired ones... are the ones I intend to continue to trust completely. They will continue to have read/write access to all of the directories mentioned above.

I've also just diddled my router config so as to have it issue local IP addresses to DHCP clients within just the 192.168.192.0/26 range. This is going to be a range that I only trust marginally from now on, i.e. just enough to have read-only access to -just- my content directories /one, /two, and /three.

Basically, I'm just arranging things so that all my hardwired stuff is on static IPs, within a limited little subnet, and all of my WiFi stuff will continue to do DHCP, also within a limited, but different subnet.

So, based on all of the foregoing, my new /etc/exports file will look something like this:

    # trusted
    /home/mini-me -alldirs -network 192.168.1.16 -mask 255.255.255.240
    /one -alldirs -network 192.168.1.16 -mask 255.255.255.240
    /two -alldirs -network 192.168.1.16 -mask 255.255.255.240
    /three -alldirs -network 192.168.1.16 -mask 255.255.255.240

    # semi-trusted
    /one -ro -alldirs -network 192.168.1.192 -mask 255.255.255.192
    /two -ro -alldirs -network 192.168.1.192 -mask 255.255.255.192
    /three -ro -alldirs -network 192.168.1.192 -mask 255.255.255.192

... and I'll make similar adjustments also in my Samba config files.

Well, anyway, this is my plan at the moment. I'd be happy to have any critiques or helpful suggestions.

Of course, none of this is optimal... not like having real working WiFi security would be. But in my specific case, if somebody manages to get in and fiddle, in arbitrary ways, with the communications between my WiFi devices... which mostly consist of just "home theater" type stuff in the living room... then it will be no biggie, just as long as whoever is doing it will, at worst, just have read-only access to my content files. I can live with that, I think, at least until the firmware cavalry arrives.

Regards,
rfg
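
Added example (not part of the original message, and not FreeBSD's own tooling): a small audit of the proposed exports that reports what a given client address can mount and whether any path is writable from the Wi-Fi DHCP pool. The function names are hypothetical, only the `-network N -mask M` form used above is parsed, and the pool is assumed to be the 192.168.1.192/26 network from the semi-trusted lines.

```python
import ipaddress

# Constructed input: the proposed /etc/exports from the message above.
EXPORTS = """\
# trusted
/home/mini-me -alldirs -network 192.168.1.16 -mask 255.255.255.240
/one -alldirs -network 192.168.1.16 -mask 255.255.255.240
/two -alldirs -network 192.168.1.16 -mask 255.255.255.240
/three -alldirs -network 192.168.1.16 -mask 255.255.255.240
# semi-trusted
/one -ro -alldirs -network 192.168.1.192 -mask 255.255.255.192
/two -ro -alldirs -network 192.168.1.192 -mask 255.255.255.192
/three -ro -alldirs -network 192.168.1.192 -mask 255.255.255.192
"""

def parse_exports(text):
    """Return (path, network, read_only) for each '-network N -mask M' line."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or "-network" not in fields[:-1]:
            continue  # blank, comment, or a form this sketch does not handle
        net = fields[fields.index("-network") + 1]
        if "-mask" in fields[:-1]:
            net += "/" + fields[fields.index("-mask") + 1]
        rules.append((fields[0], ipaddress.ip_network(net, strict=False),
                      "-ro" in fields))
    return rules

def access_for(rules, client):
    """Map each path the client address can mount to 'rw' or 'ro'."""
    addr = ipaddress.ip_address(client)
    access = {}
    for path, net, read_only in rules:
        if addr in net and access.get(path) != "rw":
            # Assumption: with overlapping rules, report the most permissive.
            access[path] = "ro" if read_only else "rw"
    return access

def writable_from(rules, pool):
    """Paths exported read/write to any address inside `pool`."""
    pool_net = ipaddress.ip_network(pool)
    return sorted({p for p, net, ro in rules if not ro and net.overlaps(pool_net)})

if __name__ == "__main__":
    rules = parse_exports(EXPORTS)
    for ip in ("192.168.1.20", "192.168.1.200", "192.168.1.100"):
        print(ip, access_for(rules, ip))
    print("rw from DHCP pool:", writable_from(rules, "192.168.1.192/26"))
```

An empty list from `writable_from` for the DHCP pool is the property the plan depends on; rerun the check whenever the router's DHCP range or the exports file changes.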